TL;DR: Ransomware now drives operational downtime by design, with the article citing 49% growth in active groups in 2025, average losses above $5 million, and attack chains that move from initial access to escalation and lateral movement before systems fail, according to Zero Networks. Containment, not detection alone, is the decisive control when stolen credentials and fast-moving intrusions can reach critical infrastructure in seconds.
NHIMG editorial — based on content published by Zero Networks: How to Stop Ransomware Before It Disrupts Operations
By the numbers:
- Active ransomware groups surged 49% year over year in 2025.
- 86% of cyber incidents now cause operational downtime, reputational damage, or both.
Questions worth separating out
Q: What breaks when ransomware can reuse legitimate credentials inside the network?
A: Perimeter controls lose much of their value because the attacker is no longer forcing entry, only authenticating.
Q: Why do standing privileges make ransomware incidents harder to contain?
A: Standing privileges give attackers a persistent route into high-value systems if they steal or hijack an admin account.
Q: How can security teams tell whether containment controls are actually working?
A: Look at the reachable blast radius for each identity and endpoint.
Practitioner guidance
- Map ransomware paths to critical operational systems Identify which identities can reach scheduling, production, backup, recovery, and financial systems, then remove every path that is not operationally required.
- Enforce identity-driven microsegmentation Treat segmentation as an access control problem, not only a network design issue.
- Replace standing privilege with JIT elevation Remove always-on administrative rights from human admins and service accounts where feasible, then require time-bound access for protocols such as RDP, SMB, WinRM, and SSH.
What's in the full article
Zero Networks' full post covers the operational detail this post intentionally leaves for the source:
- Step-by-step explanation of how microsegmentation and identity-based controls are combined to block lateral movement in production environments.
- Protocol-level JIT MFA details for RDP, SMB, WinRM, and SSH access enforcement.
- Examples of deterministic policy creation and enforcement in dynamic environments with shifting workloads.
- Operational guidance on aligning containment controls to business continuity systems rather than generic perimeter defense.
👉 Read Zero Networks' analysis of how to stop ransomware before it disrupts operations →
Ransomware lateral movement and containment: what teams must change?
Explore further
Operational disruption is the real ransomware endgame, not encryption alone. The article is right to frame the problem around continuity systems such as scheduling, production, and financial processing. Once those systems are reachable, the incident stops being a security event and becomes a business interruption with regulatory, legal, and customer impact. For IAM and PAM teams, the practical conclusion is that control design has to be measured by blast-radius reduction, not just by detection speed.
A few things that frame the scale:
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface, according to the Ultimate Guide to NHIs.
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them, according to the Ultimate Guide to NHIs.
A question worth separating out:
Q: Who is accountable when ransomware spreads because access was too broad?
A: Accountability is shared across IAM, PAM, network, and operations teams because the failure is architectural, not isolated to one tool. Governance should identify which team owns identity scope, which owns segmentation, and which verifies that critical systems cannot be reached from ordinary endpoints.
👉 Read our full editorial: Ransomware containment depends on blocking lateral movement