Ransomware
Ransomware is malicious software that encrypts victims’ files or systems, rendering them inaccessible until a ransom is paid (often in cryptocurrency). Modern “double extortion” variants also exfiltrate data, threatening to leak it if payment is not made. Common infection vectors include phishing, exposed RDP ports, or unpatched vulnerabilities. Once inside, ransomware often attempts to move laterally and gain admin privileges to encrypt or exfiltrate as much data as possible.
How does it affect identity security?
Credential theft is a major enabler for ransomware spread. If attackers get domain admin rights, they can deploy ransomware enterprise-wide, crippling business operations. By segmenting privileges, using MFA, and limiting lateral movement, organizations reduce the scope of a ransomware attack. Strong identity security also helps detect abnormal admin activity (such as mass file encryption). Attackers frequently combine social engineering with credential reuse to bypass defenses.
Ransomware can target cloud-hosted data—encrypted S3 buckets or locked-down Office 365 files. Cloud backups are often a last defense if local files are encrypted. IAM plays a critical role by restricting the accounts that can delete or overwrite backups. If a compromised user can also wipe cloud snapshots, recovery options dwindle. Zero trust approaches force continuous re-auth and anomaly detection, spotting large-scale encryption attempts. Cloud providers often recommend separate, offline backup accounts with no direct access from standard user sessions.
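The "mass file encryption" and "large-scale encryption attempts" mentioned above can be spotted in file-server audit logs by watching how many distinct files one identity touches inside a short window. The following detector is an added example, not code from the original page or any vendor product; the log line format, the ransomware-style extensions and the thresholds are constructed assumptions, and the sample log is generated inline. It flags both renames to a suspicious extension and in-place encryption that leaves file names unchanged.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Assumed (constructed) audit-event format: "<ISO-8601 Z> user=<id> action=<WRITE|RENAME> path=<file>"
LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) path=(?P<path>\S+)$")
RANSOM_EXTS = (".locked", ".encrypted", ".crypt")  # constructed examples, not a real IOC list
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"

def parse_event(line):
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # skip lines that do not match the assumed format
    ts = datetime.strptime(m["ts"], TS_FMT).replace(tzinfo=timezone.utc)
    return ts, m["user"], m["action"], m["path"]

def detect_mass_encryption(lines, window_s=60, file_threshold=50, ext_threshold=5):
    """Return {identity: (first_alert_time, reason)} when one identity modifies too many distinct
    files inside a sliding window (in-place encryption) or renames files to a ransom extension."""
    recent, alerts = defaultdict(deque), {}  # identity -> deque of (ts, path, has_ransom_ext)
    for line in lines:
        ev = parse_event(line)
        if ev is None or ev[2] not in ("WRITE", "RENAME"):
            continue
        ts, user, _, path = ev
        q = recent[user]
        q.append((ts, path, path.lower().endswith(RANSOM_EXTS)))
        while ts - q[0][0] > timedelta(seconds=window_s):  # evict events older than the window
            q.popleft()
        if user in alerts:
            continue  # report only the first threshold crossing per identity
        distinct = len({p for _, p, _ in q})
        ext_hits = sum(1 for _, _, r in q if r)
        if distinct >= file_threshold:
            alerts[user] = (ts, f"{distinct} distinct files modified within {window_s}s")
        elif ext_hits >= ext_threshold:
            alerts[user] = (ts, f"{ext_hits} renames to ransomware-style extension")
    return alerts

def constructed_sample():
    """Constructed log: light editing by alice, 80 renames to .locked by svc-print, 60 PDF writes by bob."""
    lines = [f"2024-05-01T09:00:{s:02d}Z user=alice action=WRITE path=/share/finance/q{s}.xlsx"
             for s in (0, 5, 10, 15)]
    t0 = datetime(2024, 5, 1, 9, 30, tzinfo=timezone.utc)
    lines += [f"{(t0 + timedelta(milliseconds=500 * i)).strftime(TS_FMT)} user=svc-print"
              f" action=RENAME path=/share/hr/doc{i}.docx.locked" for i in range(80)]
    t1 = datetime(2024, 5, 1, 9, 45, tzinfo=timezone.utc)
    lines += [f"{(t1 + timedelta(milliseconds=500 * i)).strftime(TS_FMT)} user=bob"
              f" action=WRITE path=/share/legal/contract{i}.pdf" for i in range(60)]
    return lines
```

In a real deployment the thresholds should be tuned per share and per identity type, since backup and sync service accounts legitimately touch many files.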
Case study
WannaCry spread via an SMB exploit and used stolen domain credentials to propagate within networks. Dozens of hospitals in the UK were hit, halting patient care. Better identity segmentation and patching could have slowed or stopped it.