Subscribe to the Non-Human & AI Identity Journal
Home FAQ Threats, Abuse & Incident Response How do organisations know whether a ransomware lull…
Threats, Abuse & Incident Response

How do organisations know whether a ransomware lull is real or just dormancy?

← Back to all FAQ
By NHI Mgmt Group Editorial Team Updated July 14, 2026 Domain: Threats, Abuse & Incident Response

Look at the underlying access patterns, not the public statements. If the same social engineering tactics, credential abuse routes, and over-privileged accounts remain available, the threat has not gone away. Stronger indicators are reduced helpdesk exposure, faster revocation, and fewer reusable credentials in circulation.

Why This Matters for Security Teams

A ransomware lull is only meaningful if the attacker’s access routes have been broken, not merely if the noise has stopped. Dormancy can look like quiet, but it often means operators are preserving access, waiting for a better window, or shifting to lower-profile credential abuse. Current guidance suggests teams should judge the lull by changes in identity exposure, helpdesk trust, and revocation speed, not by executive reassurance or the absence of encryption events.

This is especially true when social engineering and stolen credentials are still viable. The MGM Resorts Breach 2023 — Scattered Spider and the Caesars Entertainment Breach 2023 — Scattered Spider both show how identity abuse can outlast the initial incident. ENISA also notes that ransomware activity frequently adapts rather than disappears, which makes lull-versus-dormancy analysis an identity question as much as a malware question. In practice, many security teams discover the lull was only temporary after a second wave of account abuse has already started.

How It Works in Practice

Organisations should treat a ransomware lull as a verification problem. The first step is to map whether the original intrusion path still exists: phished credentials, remote access portals, over-privileged service accounts, exposed secrets, and helpdesk processes that can still be socially engineered. If those conditions remain, the adversary may simply be waiting.

Practically, teams should look for evidence that the attacker’s operating model has been broken:

  • Reused credentials have been revoked, rotated, and removed from active circulation.
  • Privileged accounts are now subject to just-in-time access and stronger approval.
  • Helpdesk workflows require step-up verification for password resets and MFA changes.
  • Service accounts and API keys are monitored as closely as human admins.
  • Authentication logs show fewer successful reuse attempts from old footholds.

The NHI Management Group’s research on the Ultimate Guide to NHIs is relevant here because it shows how persistent secrets and excessive privileges keep an environment exposed long after the headline incident is over. One useful indicator is whether secrets can still be found outside managed stores, since that creates reusable access even when visible attacker activity drops. Ongoing threat reporting in the ENISA Threat Landscape reinforces that adversaries often recycle access and shift tactics instead of abandoning an operation.

These controls tend to break down in environments with shared admin accounts, weak offboarding, or outsourced helpdesk functions because a quiet period masks the same credential paths that were abused before.

Common Variations and Edge Cases

Tighter verification often increases operational friction, requiring organisations to balance fast restoration of service against the need to prove access is no longer reusable. That tradeoff is especially hard during incident recovery, when business teams want normal operations back quickly.

There is no universal standard for deciding exactly when a lull becomes true dormancy. Best practice is evolving, but most mature programs distinguish between tactical silence and strategic disengagement by asking three questions: Has the attacker lost its easiest identity path? Are high-risk credentials still reusable? Has the organisation reduced the number of places where a new foothold can be created?

Edge cases matter. A lull after public extortion may simply reflect a shift to data theft, partner compromise, or delayed re-entry through dormant service accounts. Similarly, environments with many NHIs can look calm while still being broadly exposed, because machine identities are often less visible than human accounts. The practical test is not whether the ransomware payload is active, but whether the preconditions for the next access event still exist.

Where organisations rely on legacy access models, shared credentials, or delayed revocation workflows, the distinction between lull and dormancy becomes unreliable.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10, OWASP Agentic AI Top 10 and CSA MAESTRO address the attack and risk surface, while NIST AI RMF and NIST CSF 2.0 set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
OWASP Non-Human Identity Top 10NHI-03Credential rotation is central to proving attacker access has been cut off.
OWASP Agentic AI Top 10A2Autonomous abuse patterns can persist if agent-like tool access remains available.
CSA MAESTROGOV-02Governance must prove compromised access paths are removed, not presumed idle.
NIST AI RMFGOVERNRisk governance should distinguish visible quiet from unresolved access exposure.
NIST CSF 2.0PR.AC-4Least-privilege access is required to shrink the routes reused during ransomware lulls.

Continuously validate identity, privilege, and workflow controls before declaring an incident contained.

NHIMG Editorial Note
Reviewed and updated by the NHIMG editorial team on July 14, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org