Ransomware, identity, and resilience: what IAM teams need to know


(@nhi-mgmt-group)

TL;DR: Ransomware has shifted from simple file encryption to industrialized business disruption, with attackers now stealing data, escalating privileges, and timing impact to operational choke points, according to DigiCert. That makes identity, PKI, and resilience planning part of the core defense model, not adjacent controls.

NHIMG editorial — based on content published by DigiCert: Ransomware: From Rising Threat to Business Crisis

Questions worth separating out

Q: How should security teams reduce ransomware impact before encryption starts?

A: Security teams should focus on the authenticated phase, not just the payload.

Q: Why do compliant organisations still get hit hard by ransomware?

A: Compliance sets a baseline, but ransomware operators only need one repeatable weakness to create major damage.

Q: What breaks when ransomware targets identity and trust systems?

A: Business continuity breaks first.

Practitioner guidance

  • Harden privileged access paths: Remove avoidable standing privilege from remote access, admin accounts, and service identities that could be abused once attackers gain a foothold.
  • Map operational dependencies by identity: Identify which human, NHI, and service identities gate claims, payments, pharmacy, certificate, and software update workflows.
  • Include certificate and code-signing recovery in ransomware plans: Test certificate renewal, code-signing trust, and crypto-agility procedures under incident conditions so a ransomware event does not become a trust outage.

What's in the full article

DigiCert's full blog covers the operational detail this post intentionally leaves for the source:

  • A deeper explanation of how ransomware operators use identity systems, certificate trust, and software update mechanisms during extortion campaigns.
  • More context on why PKI modernisation and crypto-agility are framed as resilience controls rather than back-office maintenance.
  • The article's discussion of AI-driven ransomware tactics and why polymorphic behaviour complicates static detection.
  • The business continuity angle for healthcare and other tightly coupled sectors, including why operational dependency changes response priorities.

👉 Read DigiCert's analysis of ransomware, identity, and business continuity →
