Why Ransomware Is Becoming an Identity Problem
Identity-based ransomware is changing how security teams need to think about initial access. The old mental model focused heavily on malware delivery, exploit chains, and obvious payload execution. Those still matter, but the more urgent pattern is simpler: attackers increasingly get in by abusing identity, stealing sessions, hijacking trust, and then using legitimate access to move toward extortion, disruption, or ransomware deployment.
The data supports this shift. CrowdStrike’s 2024 Global Threat Report found that 75% of initial-access attacks were malware-free, relying instead on identity abuse, social engineering, and hands-on-keyboard techniques. Microsoft’s Digital Defense Report 2024 reported 600 million identity attacks per day targeting Microsoft customers. And IBM’s Cost of a Data Breach Report 2024 identified stolen credentials as the most common initial attack vector, with such breaches taking an average of 292 days to identify and contain.
That means if attackers are logging in instead of loudly breaking in, backup strategy and endpoint controls are only part of the answer. Security teams also need stronger identity protection, tighter SaaS controls, faster token response, and better operational visibility into who is authenticating, from where, and with what level of trust.
How ransomware tactics are changing
Ransomware has not stopped being destructive. What is changing is the path attackers use to reach that destructive stage.
For years, defenders were trained to watch for suspicious binaries, macro payloads, exploit kits, and noisy malware behavior. Those signals still show up, but modern attacks are increasingly optimized for speed, scale, and lower effort. With three-quarters of initial access attempts now malware-free according to CrowdStrike, the economics have shifted. If stealing a valid identity gives an operator easier access than building or buying a more complex intrusion path, many of them will choose the identity route.
That is why ransomware preparedness now has to start much earlier in the kill chain. The important question is no longer just, “Can we stop malware?” It is also:
- Can we detect stolen or replayed sessions?
- Can we block risky sign-ins before privilege is abused?
- Can we prevent help-desk and admin workflow manipulation?
- Can we contain identity-driven lateral movement fast enough to stop deployment?
This is one reason identity teams, cloud teams, and incident response teams need to work more closely than they did a few years ago. Ransomware defense is increasingly tied to access control, SaaS governance, and post-authentication monitoring, not just traditional endpoint detection.
Why identity attacks beat noisy malware
Identity attacks are attractive because they often create less friction for the attacker and less immediate noise for the defender.
When an attacker uses a real session, a valid token, or a socially engineered account recovery path, the activity can blend into normal enterprise behavior. That is much different from detonating malware that immediately triggers endpoint alarms or network signatures.
There are a few reasons this works so well.
Legitimate access looks legitimate
If an attacker has a live session token or valid credentials, they may not need to trigger the same defenses that catch classic malware. In many environments, the initial activity looks like normal user access. IBM found that breaches originating from stolen credentials take 292 days on average to identify and contain — longer than almost any other attack vector — precisely because the activity blends in.
Cloud and SaaS environments reward identity control
As more business systems live behind identity providers and SaaS integrations, account access becomes the shortest path to real business impact. An attacker who controls the right identity may be able to reach email, admin portals, file stores, customer systems, and workflow tools without ever dropping obvious malware first.
Post-authentication abuse is efficient
Once access is established, attackers can move toward persistence, privilege escalation, data theft, and destructive action using the same trusted systems your organization already depends on.
That is why identity-based ransomware is not just a niche variation. It is a signal that enterprise attack paths are following the logic of efficiency. Attackers use the routes that produce the best operational return with the least resistance.
Stolen sessions, phishing, and help-desk abuse
Security leaders need to pay special attention to the ways identity abuse actually happens in the wild. Three patterns matter more than ever.
Stolen sessions
Session theft is one of the clearest examples of why “MFA enabled” is no longer enough by itself. If an attacker steals a live session token or cookie, they may bypass the login step entirely and move straight into an already authenticated session.
That is what makes token theft so dangerous. It targets the part of the workflow that many organizations still monitor less aggressively than login attempts.
AiTM phishing and session hijacking
Adversary-in-the-middle phishing campaigns do more than collect passwords. They can relay authentication in real time and capture the resulting session or token material. This turns phishing from a credential theft problem into a post-authentication compromise problem.
That distinction matters operationally. A user can do “the right thing” by using MFA and still be compromised if the attacker successfully hijacks the resulting session.
Help-desk and support workflow abuse
Identity attacks are not limited to browser-based phishing. Attackers also abuse people and process. Help desks, outsourced support, and recovery workflows are now part of the attack surface. The Scattered Spider group (tracked by Microsoft as Octo Tempest) demonstrated this at scale — using social engineering of help desks and IT staff to gain initial access, then escalating to ransomware deployment across major enterprise targets.
This is one reason mature ransomware defense now includes security controls around support operations and identity lifecycle processes, not just endpoint agents and email filters.
How to update your ransomware defenses
If ransomware is increasingly identity-driven, your defensive priorities need to move accordingly.
A stronger modern strategy includes:
- Protecting identities as critical infrastructure
- Monitoring sign-ins and sessions, not just endpoints
- Reducing privilege and standing access
- Hardening SaaS integrations and admin workflows
- Testing credential and token revocation as part of incident response
- Separating backup resilience from identity resilience
Too many organizations still plan ransomware response around file encryption and restore operations alone. That is necessary, but incomplete. If an attacker still controls admin identities, cloud sessions, or privileged SaaS access, restoring systems does not remove the real risk.
A better operating model is to treat identity as part of your ransomware containment layer. In practice, that means:
- identify high-impact identities first
- enforce stronger authentication and registration controls
- restrict privileged access paths
- watch for suspicious session behavior
- rehearse account lockout, token revocation, and emergency access workflows
- validate that business continuity plans still work during identity disruption
This is where architectural discipline starts to matter. Organizations with stronger Zero Trust architecture practices are in a better position because they already assume that identity, device, network, and app trust must be evaluated continuously instead of granted once and forgotten.
Where phishing-resistant MFA fits
Phishing-resistant MFA — including passkeys and FIDO-based authenticators — is one of the clearest control improvements for reducing credential phishing and lower-friction account takeover paths. But it is not the entire answer. Session theft and bearer token abuse still matter after authentication succeeds, which is why the most effective approach layers phishing-resistant authentication with conditional access, token protections, and least privilege.
If your organization is planning a move to passkeys, our enterprise passkeys rollout guide covers the rollout models, recovery design, and adoption metrics in detail. The key point for ransomware defense is that passkey rollouts should be seen as part of containment strategy, not just authentication modernization.
Metrics security leaders should watch
If this is a real priority shift, your metrics should reflect it. Security leaders need visibility into identity exposure, not just malware volume.
The most useful measures often include:
Identity protection coverage
Track how many users, admins, contractors, and service owners are protected by phishing-resistant MFA and stronger conditional access rules.
Privileged identity reduction
Measure how much standing privilege still exists, how many admin roles are always on, and how many emergency access paths are under-tested or weakly governed.
Session and token risk signals
Watch for suspicious token use, impossible travel after authentication, risky device changes, repeated session invalidations, and unusual consent or registration events.
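The session-theft problem described under “Stolen sessions” and the token risk signals listed here come down to one question: does each use of a session still look like the login that minted it? The following added example (not code from the original article or from any vendor named in it) shows a minimal post-authentication check in Python. It binds a session to the device and rough location seen at sign-in, then flags later token use from a different device, token use that would require implausible travel, and token use after the session was revoked. The event format, account names, coordinates and the 900 km/h threshold are constructed assumptions for illustration, not a real identity provider’s log schema.

```python
"""Post-authentication session risk checks over constructed sign-in and token-use events.

Constructed example: the events below are made up for illustration and
are not a real identity provider's log format.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt
from typing import Optional

# Above this ground speed, two uses of one session cannot be the same person.
MAX_PLAUSIBLE_SPEED_KMH = 900.0


@dataclass(frozen=True)
class SessionEvent:
    kind: str                  # "signin", "token_use" or "revoke"
    ts: datetime
    user: str
    session_id: str
    device_id: Optional[str] = None
    lat: float = 0.0           # approximate geolocation of the source IP
    lon: float = 0.0


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two coordinates in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlam = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlam / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def assess_sessions(events):
    """Group events by session and emit one finding per risk signal.

    Signals:
      device_mismatch   - token used from a device other than the one that signed in
      impossible_travel - token used too far from the sign-in location for the elapsed time
      use_after_revoke  - token still accepted after the session was revoked
    """
    by_session = {}
    for e in sorted(events, key=lambda ev: ev.ts):
        by_session.setdefault(e.session_id, []).append(e)

    findings = []
    for sid, evs in by_session.items():
        signin = next((e for e in evs if e.kind == "signin"), None)
        if signin is None:
            continue  # no sign-in in the window, so nothing to bind the token to
        revoked_at = None
        for e in evs:
            if e.kind == "revoke":
                revoked_at = e.ts
                continue
            if e.kind != "token_use":
                continue
            if revoked_at is not None and e.ts > revoked_at:
                findings.append({"session_id": sid, "user": e.user, "signal": "use_after_revoke",
                                 "detail": f"used {e.ts - revoked_at} after revocation"})
            if e.device_id != signin.device_id:
                findings.append({"session_id": sid, "user": e.user, "signal": "device_mismatch",
                                 "detail": f"{signin.device_id} -> {e.device_id}"})
            km = haversine_km(signin.lat, signin.lon, e.lat, e.lon)
            # Treat anything under a minute as one minute so a replay seconds later still flags.
            hours = max((e.ts - signin.ts).total_seconds() / 3600.0, 1.0 / 60)
            if km / hours > MAX_PLAUSIBLE_SPEED_KMH:
                findings.append({"session_id": sid, "user": e.user, "signal": "impossible_travel",
                                 "detail": f"{km:.0f} km in {hours:.2f} h"})
    return findings


def _t(hh, mm):
    return datetime(2024, 3, 4, hh, mm, tzinfo=timezone.utc)


# Constructed coordinates for the sample source IPs.
LONDON = (51.5074, -0.1278)
SAO_PAULO = (-23.5505, -46.6333)
NEW_YORK = (40.7128, -74.0060)

SAMPLE_EVENTS = [
    SessionEvent("signin", _t(9, 0), "alice", "s-alice-1", "laptop-alice", *LONDON),
    SessionEvent("token_use", _t(9, 20), "alice", "s-alice-1", "laptop-alice", *LONDON),
    # Same session id, different device, on another continent 45 minutes later.
    SessionEvent("token_use", _t(9, 45), "alice", "s-alice-1", "unknown-host-9", *SAO_PAULO),
    SessionEvent("signin", _t(10, 0), "bob", "s-bob-1", "laptop-bob", *NEW_YORK),
    SessionEvent("revoke", _t(10, 30), "bob", "s-bob-1"),
    # Token still accepted ten minutes after revocation: revocation did not propagate.
    SessionEvent("token_use", _t(10, 40), "bob", "s-bob-1", "laptop-bob", *NEW_YORK),
]

if __name__ == "__main__":
    for f in assess_sessions(SAMPLE_EVENTS):
        print(f"{f['session_id']:10} {f['user']:6} {f['signal']:18} {f['detail']}")
```

The use_after_revoke signal is the one to watch during an incident: it measures whether “revoke sessions” actually took effect at the relying party, which is the gap a replayed bearer token exploits.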
Help-desk and recovery abuse indicators
Monitor password reset requests, MFA reset patterns, recovery exceptions, and support escalations tied to privileged or sensitive accounts.
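As an added example of turning these indicators into a review that can run over audit data (this is not code from the original article), the Python below scores constructed identity audit events for three patterns: any reset or recovery exception on a privileged account, a reset followed within an hour by a sign-in from a device the account has never used, and one support agent performing a burst of resets. The event shape, account names, device lists and thresholds are assumptions made for illustration and would be mapped onto your own IdP and ticketing logs.

```python
"""Help-desk and recovery abuse indicators over constructed identity audit events.

Constructed example: events, account names and thresholds are made up for
illustration; map them onto your own IdP and ticketing audit logs.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Accounts whose reset should always be reviewed, regardless of who requested it.
PRIVILEGED_ACCOUNTS = {"admin-alice", "backup-svc-owner"}
RESET_KINDS = {"password_reset", "mfa_reset", "recovery_exception"}


@dataclass(frozen=True)
class AuditEvent:
    kind: str                  # one of RESET_KINDS, or "signin"
    ts: datetime
    actor: str                 # support agent for resets, the user for sign-ins
    target: str                # account affected
    device_id: Optional[str] = None


def review_support_activity(events, known_devices, burst_threshold=3, window=timedelta(hours=1)):
    """Return findings for the three indicators.

      privileged_reset      - any reset or recovery exception on a privileged account
      reset_then_new_device - reset followed within `window` by a sign-in from an unseen device
      reset_burst           - one agent performing >= burst_threshold resets inside `window`
    """
    events = sorted(events, key=lambda e: e.ts)
    resets = [e for e in events if e.kind in RESET_KINDS]
    signins = [e for e in events if e.kind == "signin"]
    findings = []

    for r in resets:
        if r.target in PRIVILEGED_ACCOUNTS:
            findings.append({"signal": "privileged_reset", "target": r.target, "actor": r.actor,
                             "detail": f"{r.kind} at {r.ts:%H:%M}"})
        # A reset that is immediately followed by a login from an unknown device is the
        # shape of an account-recovery takeover, not a user recovering their own access.
        for s in signins:
            if s.target != r.target or not (r.ts <= s.ts <= r.ts + window):
                continue
            if s.device_id not in known_devices.get(s.target, set()):
                findings.append({"signal": "reset_then_new_device", "target": r.target, "actor": r.actor,
                                 "detail": f"{r.kind} then sign-in from {s.device_id} {s.ts - r.ts} later"})
                break

    # Burst detection per agent: sliding window over that agent's resets, flagged once.
    by_agent = {}
    for r in resets:
        by_agent.setdefault(r.actor, []).append(r)
    flagged_agents = set()
    for agent, rs in by_agent.items():
        for i, r in enumerate(rs):
            recent = [x for x in rs[: i + 1] if x.ts >= r.ts - window]
            if len(recent) >= burst_threshold and agent not in flagged_agents:
                flagged_agents.add(agent)
                findings.append({"signal": "reset_burst", "target": ",".join(x.target for x in recent),
                                 "actor": agent, "detail": f"{len(recent)} resets in {window}"})
    return findings


def _t(hh, mm):
    return datetime(2024, 3, 4, hh, mm, tzinfo=timezone.utc)


# Constructed device inventory: devices each account has previously signed in from.
KNOWN_DEVICES = {"admin-alice": {"laptop-alice"}, "bob": {"laptop-bob"}}

SAMPLE_AUDIT = [
    AuditEvent("mfa_reset", _t(10, 0), "agent-1", "admin-alice"),
    AuditEvent("signin", _t(10, 15), "admin-alice", "admin-alice", "unknown-host-7"),
    AuditEvent("password_reset", _t(11, 0), "agent-2", "bob"),
    AuditEvent("signin", _t(11, 20), "bob", "bob", "laptop-bob"),       # known device: benign
    AuditEvent("password_reset", _t(13, 0), "agent-3", "carol"),
    AuditEvent("password_reset", _t(13, 10), "agent-3", "dave"),
    AuditEvent("password_reset", _t(13, 20), "agent-3", "erin"),
]

if __name__ == "__main__":
    for f in review_support_activity(SAMPLE_AUDIT, KNOWN_DEVICES):
        print(f"{f['signal']:22} actor={f['actor']:8} target={f['target']:18} {f['detail']}")
```

The burst threshold is deliberately a parameter: a help desk that legitimately handles many resets per hour needs a baseline per agent and per shift before this indicator is useful, while the privileged-account rule should fire on a single event.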
Time to revoke trust
In a real incident, how long does it take to disable accounts, revoke sessions, rotate secrets, block malicious OAuth grants, and remove access across cloud and SaaS systems? That number matters a lot more now than it used to.
Cross-team readiness
Ransomware is not only a security operations problem anymore. Identity, cloud, endpoint, and support teams all affect the outcome. Measure whether they can actually execute together under pressure.
It also helps to tie this back to related control areas. Identity-heavy ransomware defense intersects with API security for SaaS and integration-heavy environments, especially when third-party apps and tokens expand the blast radius of a compromised account.
Run an identity exposure review before your next ransomware tabletop
The biggest takeaway for 2026 is simple: ransomware defense has to start before malware shows up. If attackers are increasingly getting leverage through stolen sessions, phishing, social engineering, and privileged identity abuse, then identity is no longer a supporting control. It is part of the main battlefield.
Security teams that adapt fastest will stop treating ransomware as only an endpoint and backup problem. They will treat it as an identity, access, and operational resilience problem too.
A practical next step is to run an identity exposure review before your next ransomware tabletop. Map which identities matter most, which workflows are easiest to abuse, which sessions are hardest to detect, and which recovery paths are too trusting. Then test whether your team can revoke access, contain the blast radius, and keep the business running under pressure.
For a stronger foundation, pair that review with our enterprise passkeys rollout guide, our Zero Trust architecture guide, and our API security guide for AI apps and modern SaaS integrations.