TL;DR: Ransomware has shifted from simple file encryption to industrialized business disruption, with attackers now stealing data, escalating privileges, and timing impact to operational choke points, according to DigiCert. That makes identity, PKI, and resilience planning part of the core defense model, not adjacent controls.
NHIMG editorial — based on content published by DigiCert: Ransomware: From Rising Threat to Business Crisis
Questions worth separating out
Q: How should security teams reduce ransomware impact before encryption starts?
A: Security teams should focus on the authenticated phase, not just the payload.
Q: Why do compliant organisations still get hit hard by ransomware?
A: Compliance sets a baseline, but ransomware operators only need one repeatable weakness to create major damage.
Q: What breaks when ransomware targets identity and trust systems?
A: Business continuity breaks first.
Practitioner guidance
- Harden privileged access paths Remove avoidable standing privilege from remote access, admin accounts, and service identities that could be abused once attackers gain a foothold.
- Map operational dependencies by identity Identify which human, NHI, and service identities gate claims, payments, pharmacy, certificate, and software update workflows.
- Include certificate and code-signing recovery in ransomware plans Test certificate renewal, code-signing trust, and crypto-agility procedures under incident conditions so a ransomware event does not become a trust outage.
What's in the full article
DigiCert's full blog covers the operational detail this post intentionally leaves for the source:
- A deeper explanation of how ransomware operators use identity systems, certificate trust, and software update mechanisms during extortion campaigns.
- More context on why PKI modernisation and crypto-agility are framed as resilience controls rather than back-office maintenance.
- The article's discussion of AI-driven ransomware tactics and why polymorphic behaviour complicates static detection.
- The business continuity angle for healthcare and other tightly coupled sectors, including why operational dependency changes response priorities.
👉 Read DigiCert's analysis of ransomware, identity, and business continuity →
Ransomware, identity, and resilience: what IAM teams need to know?
Explore further
Ransomware has become an identity problem as much as a malware problem. The article shows that attackers now depend on authenticated access, privilege escalation, and internal knowledge before they disrupt operations. That means the most useful control questions are no longer limited to malware prevention but to who and what can authenticate into the environment, and under what conditions. Practitioners should treat identity telemetry as ransomware telemetry.
A few things that frame the scale:
- 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, according to The State of Non-Human Identity Security.
- A separate finding from the same research shows that only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs.
A question worth separating out:
Q: Who is accountable when ransomware exposes gaps in identity governance?
A: Accountability sits across security, IAM, infrastructure, and business continuity teams because the failure usually spans access, detection, and recovery. Frameworks such as the NIST Cybersecurity Framework 2.0 help assign ownership across those functions, but the organisation still needs one clear decision path for privilege, trust, and recovery.
👉 Read our full editorial: Ransomware now targets identity, trust, and business continuity