
Ransomware and Lateral Movement Protection: A Comprehensive Blueprint

Ransomware ranks as a top threat for 92% of industries, with more than three-quarters of security leaders citing ransomware as their top cybersecurity concern. Despite this, ransomware attacks have exploded by more than 100% over the past year, signaling that security teams are struggling to ward off increasingly sophisticated attackers – even though they’re acutely aware of ransomware’s accelerating risks.  

All too often, security strategies don’t address a key ingredient in every attacker’s recipe for destruction: lateral movement. Nine out of ten organizations are currently exposed to at least one attack path, and 80% have paths exposing critical assets. In fact, lateral movement is core to the success of any ransomware attack, yet security leaders rate lateral movement attacks lowest among significant cybersecurity concerns, overlooking the fact that lateral movement often serves as a catalyst for other threats.  

To effectively thwart rising ransomware threats, organizations need to shift away from reactive defenses and prioritize proactive controls that block lateral movement to isolate breaches automatically. We’ll outline everything you need to know about ransomware in the context of the modern threat landscape, clarify how it connects to lateral movement, and share actionable ransomware protection strategies.  

What Is Ransomware?  

Ransomware is a type of malicious code that encrypts files or systems, rendering them inaccessible until a ransom is paid. Attackers often demand payment in cryptocurrencies to make tracing more difficult.  

Ransomware’s double-extortion model makes it particularly dangerous: in addition to locking files, many ransomware strains exfiltrate data, threatening to release or sell it if the ransom isn’t paid.  

Ransomware vs. Ransomware Attack in Cybersecurity   

The terms “ransomware” and “ransomware attack” are often used interchangeably, but it’s important to distinguish between ransomware as malicious code and a ransomware attack, which is the event where it’s deployed.  

  • Ransomware is the malware itself   
  • A ransomware attack is a coordinated campaign by adversaries to infiltrate a network and deploy ransomware

How Ransomware Attacks Work  

Ransomware attacks take many forms. Techniques and monetization strategies range from encryption and scareware to distributed denial of service (DDoS) extortion and ransomware-as-a-service (RaaS). Still, ransomware attacks often follow a standard flow.  

Stages of a Ransomware Attack  

While there are various types of ransomware, it most commonly works by encrypting files or systems after a period of clandestine movement through the network; these attacks typically occur in six stages:  

  1. Reconnaissance: Attackers study the network, seeking vulnerabilities.  
  2. Infection: They gain initial access through tactics like phishing or compromised credentials.  
  3. Escalation: Attackers move laterally through the network, escalating privileges to reach sensitive data and systems.  
  4. Scanning: The malware identifies targets for encryption.  
  5. Encryption: After identifying targets, attackers deploy ransomware to encrypt files or systems, often deleting backups in parallel.  
  6. Ransom: Attackers demand payment; these demands are often accompanied by threats of data exposure.

Once you understand the general flow of a ransomware attack, it’s clear that blocking ransomware early – before attackers reach sensitive systems – is critical. To stop a ransomware attack in its tracks, security teams must lock down unauthorized lateral movement.

Why Ransomware Attacks Fail without Lateral Movement  

The key to mitigating ransomware isn’t blocking the initial infection – it’s containing the spread. Ransomware attacks need network access to propagate; when cybercriminals lose the ability to move laterally, ransomware is left stranded on the asset it first hit, stuck in a digital quarantine zone.

For example, if an employee’s laptop is infected with ransomware via a phishing email but the network is properly segmented to block lateral movement, the ransomware can’t spread to file servers, encrypt network shares, or reach critical databases – instead, the malware remains isolated.  

Without lateral movement, ransomware attacks remain minor IT incidents rather than becoming majorly disruptive data breaches.  

Understanding Lateral Movement in Cybersecurity: How Breaches Become Disasters  

Lateral movement is the tactic attackers use to move “sideways” (East-West) across the network after gaining initial access, in search of sensitive data and assets. While lateral movement is commonly leveraged during ransomware attacks, it’s also key to expanding the blast radius of any breach.  

A security breach refers to any unauthorized access to data, systems, networks, or services where an intruder bypasses security measures to reach protected assets; an incident only escalates to a data breach when sensitive information is exposed or stolen – typically, this requires lateral movement.   

In other words, blocking lateral movement is critical for proactively thwarting ransomware and other damaging cyberattacks. In fact, lateral movement is so pervasive that the MITRE ATT&CK framework classifies it as one of the core tactics used in modern cyberattacks. A hacker may gain access to the network from phishing or compromised credentials, but lateral movement techniques enable adversaries to turn an initial breach into an expansive attack.   

Common Lateral Movement Techniques  

Cybercriminals are more numerous and well-resourced than ever, so while threats constantly evolve, many of today’s most common lateral movement techniques fall into categories like:  

  • Session hijacking: Attackers take control of existing remote service sessions
  • Remote services: Attackers use valid accounts to log into services that accept remote connections
  • Alternate authentication material: Attackers bypass normal controls using material such as password hashes, access tokens, and Kerberos tickets

Outside of these groups, other lateral movement techniques can prove equally destructive. And in fact, attackers rarely rely on a single tactic – instead, they string them together to stay undetected and maintain momentum.  

Some of the specific tactics attackers most often rely on for lateral movement include:

  • Living off the Land (LotL): Using built-in utilities like PowerShell, PsExec, or Windows Management Instrumentation (WMI), attackers blend in with regular network traffic while moving laterally through the network.  
  • Pass-the-Hash (PtH) and Pass-the-Ticket (PtT): In a PtH attack, adversaries use a hashed version of a password to authenticate without decrypting it; PtT attacks use stolen Kerberos tickets to impersonate users and access systems without needing passwords.  
  • Kerberoasting: Attackers request service tickets for accounts with access to a particular service and attempt to crack them offline – because this tactic doesn’t generate unusual network activity, it’s stealthier than a PtT attack.  
  • Credential Dumping: After extracting usernames, password hashes, or plain-text credentials from memory, local files, or the registry, attackers use the credentials in other lateral movement techniques, such as PtH attacks or RDP login attempts. 
  • Remote Desktop Protocol (RDP) and Windows Remote Management (WinRM): Two examples of remote services exploitation, RDP and WinRM attacks use stolen credentials to access systems remotely and perform actions as the logged-on user.
  • SSH Hijacking: Attackers hijack active SSH sessions to inherit the original user’s access, execute commands remotely, and move laterally while avoiding detection.
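The techniques above leave footprints in Windows Security event logs. The following is an added example (not code from Zero Networks or from the original post) of detection logic run over a few constructed events; the event records are simplified versions of the real fields (LogonType, AuthenticationPackageName, LogonProcessName, TicketEncryptionType), and the field names and sample hosts are assumptions.

```python
from collections import defaultdict

# Constructed sample events shaped like Windows Security log fields; not real telemetry.
# Field names are a simplification of the real event XML and are an assumption.
SAMPLE_EVENTS = [
    {"id": 4624, "host": "WS01", "user": "jdoe", "logon_type": 2, "auth": "Kerberos", "process": "User32", "src": "WS01"},
    {"id": 4624, "host": "WS01", "user": "jdoe", "logon_type": 9, "auth": "Negotiate", "process": "seclogo", "src": "WS01"},
    {"id": 4624, "host": "FS01", "user": "jdoe", "logon_type": 3, "auth": "NTLM", "process": "NtLmSsp", "src": "WS01"},
    {"id": 4624, "host": "SQL01", "user": "jdoe", "logon_type": 3, "auth": "NTLM", "process": "NtLmSsp", "src": "WS01"},
    {"id": 4624, "host": "DC01", "user": "jdoe", "logon_type": 3, "auth": "NTLM", "process": "NtLmSsp", "src": "WS01"},
    {"id": 4769, "host": "DC01", "user": "jdoe", "service": "svc_sql", "enc": "0x17"},
    {"id": 4769, "host": "DC01", "user": "jdoe", "service": "svc_backup", "enc": "0x17"},
    {"id": 4769, "host": "DC01", "user": "jdoe", "service": "svc_web", "enc": "0x17"},
    {"id": 4769, "host": "DC01", "user": "asmith", "service": "FS01$", "enc": "0x12"},
    {"id": 4624, "host": "FS01", "user": "admin", "logon_type": 10, "auth": "Negotiate", "process": "User32", "src": "WS01"},
]

def pth_suspects(events):
    """Logon type 9 (NewCredentials) through the 'seclogo' logon process is the commonly
    documented footprint of a pass-the-hash tool injecting a stolen hash into a new session."""
    return {(e["host"], e["user"]) for e in events
            if e["id"] == 4624 and e["logon_type"] == 9 and e["process"].lower() == "seclogo"}

def kerberoast_suspects(events, min_requests=3):
    """One account requesting RC4-HMAC (0x17) service tickets for several non-machine
    SPN accounts is the usual Kerberoasting pattern; machine accounts end with '$'."""
    per_user = defaultdict(set)
    for e in events:
        if e["id"] == 4769 and e["enc"] == "0x17" and not e["service"].endswith("$"):
            per_user[e["user"]].add(e["service"])
    return {u: sorted(s) for u, s in per_user.items() if len(s) >= min_requests}

def ntlm_fanout(events, min_hosts=3):
    """Network (type 3) NTLM logons from one source to many hosts: lateral spread,
    the pattern that typically follows credential dumping or pass-the-hash."""
    per_src = defaultdict(set)
    for e in events:
        if e["id"] == 4624 and e["logon_type"] == 3 and e["auth"] == "NTLM":
            per_src[(e["user"], e["src"])].add(e["host"])
    return {k: sorted(h) for k, h in per_src.items() if len(h) >= min_hosts}

def remote_interactive_logons(events):
    """Type 10 logons are RDP sessions; compare the source against the expected jump hosts."""
    return [(e["src"], e["host"], e["user"]) for e in events
            if e["id"] == 4624 and e["logon_type"] == 10]

def analyze(events):
    return {"pass_the_hash": pth_suspects(events), "kerberoasting": kerberoast_suspects(events),
            "ntlm_fanout": ntlm_fanout(events), "rdp_logons": remote_interactive_logons(events)}

if __name__ == "__main__":
    for name, hits in analyze(SAMPLE_EVENTS).items():
        print(f"{name}: {hits}")
```

The thresholds are deliberately low for the tiny sample; in production they are tuned per environment and evaluated over a time window.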

Lateral Movement Detection: An Incomplete Strategy 

Many organizations rely on tools like endpoint detection and response (EDR) systems or security information and event management (SIEM) platforms to detect lateral movement. While detection is important, it’s an incomplete strategy for preventing lateral movement.  

Most detection tools are inherently reactive – they alert you to malicious behavior that’s already underway. But attackers typically begin moving laterally within 30 minutes of initial compromise, and they’re only getting faster. In 2024, the fastest recorded breakout time – how long it takes an adversary to start moving laterally across the network – was just 51 seconds.  

Meanwhile, detection timelines aren’t accelerating at the same rate. The mean time to identify (MTTI) a breach last year was 194 days – only three days faster than in 2018.  

In addition to speed, stealth is another hurdle for detection-based security strategies. As mentioned, many lateral movement techniques subvert traditional detection tools. For example, utilities, tunnelers, and remote control and administration tools are observed in 57% of ransomware attacks – that means legitimate tools like PsExec, SSH, RDP, and WinRM are shielding attackers from view in the majority of ransomware attacks. And in fact, attackers have become so skilled at avoiding detection that in nearly 50% of ransomware attacks, adversaries alert organizations to their intrusion rather than waiting to be discovered.  

Rather than over-relying on detection with solutions that cannot effectively block lateral movement, security teams need to proactively address the underlying vulnerabilities that enable attackers to succeed.  

How to Prevent Ransomware and Block Lateral Movement: Fixing Top Network Security Weaknesses  

Ransomware attacks follow a consistent pattern: gain initial access, move laterally to compromise additional assets, escalate privileges, and spread the ransomware sample across the network. So, which weaknesses do attackers consistently exploit to successfully move laterally and escalate privileges?  

From excessive permissions and flat network architecture to vulnerable remote access pathways and beyond, these blind spots give attackers the freedom to wreak havoc.  

Overprivileged Service Accounts 

Service accounts often operate in the background, unmanaged and overlooked because they’re difficult to monitor and complex to secure. Machine identities like service accounts make up over 70% of networked identities today, yet only 2.6% of workload identity permissions are actually used, and 51% of workload identities are completely inactive, making them a treasure trove for ransomware groups.

How to fix it: 

Flat Network Architecture 

Flat networks lacking internal controls remain a problem for organizations that have only prioritized perimeter-based defenses – and they make lateral movement a breeze. When one compromised asset can communicate with everything else, cybercriminals face little or no resistance expanding the attack surface after gaining initial access.

How to fix it: 

Third-Party and Vendor Connection Vulnerabilities 

Whether through VPNs, remote access tools, or cloud services, third-party and remote employee connections often introduce inconsistent security policies.  

Aaron Steinke, Head of Infrastructure at La Trobe Financial, noted, “Historically, we found that you often end up in a scenario where people have more network access when they're on the VPN because you can't categorize them and classify them well enough.” 

It’s difficult to effectively secure remote connections without disrupting operations or to verify vendors’ cyber hygiene, and attackers know it. Because of this, remote connections with weak security are a frequently targeted entry point into networks. 

How to fix it: 

  • Apply granular controls to limit third-party access 
  • Consolidate vendor access into a single solution to simplify security 
  • Enforce MFA for every third-party logon 

Insecure Remote Management Protocols 

Remote services are some of attackers’ favorite tools for lateral movement as they look to expand their blast radius and escalate privileges. Using session hijacking or remote services exploitation techniques, attackers often scan for open RDP, SSH, or WinRM ports and use stolen credentials to access systems.  

When these protocols aren’t properly secured, they roll out a proverbial welcome mat for ransomware. 

How to fix it: 

Static Rules and Manual Policy Management 

Most firewalls and legacy segmentation tools rely on static rule sets and manual upkeep. In modern environments, those rules are outdated almost as soon as they're written, leaving gaps that ransomware groups can exploit to move laterally.  

How to fix it: 

  • Automatically enforce adaptive policies based on continuous behavioral learning 
  • Implement holistic segmentation to create a Zero Trust architecture with resilient security built in 

Proactive Network Security Strategies: Building a Self-Defending Architecture  

Even as investments in security and risk management have steadily risen in recent years, today’s cyber attackers are smarter and stealthier than ever. With more than 60 ransomware groups currently operating, some of the most active gangs have increased their victims by more than 200% in the last year.  

As threats proliferate and evolve to outsmart traditional security strategies, organizations must embrace a proactive approach to network security where lateral movement is automatically restricted, so breaches are contained by default.  

According to Dr. Chase Cunningham, aka Dr. Zero Trust, anyone still hoping to avoid compromise entirely needs to shift their mindset: “Some folks are still not accepting that a breach is an inevitability and they're not applying controls to limit the scope of the breach … that's where we get a lot of this wrong.”  

To effectively secure modern networks and prevent ransomware attacks, organizations need a robust, multi-layered approach that protects every axis of network traffic:  

  • North-South Protection: Block exploits at network perimeters  
  • East-West Protection: Lock down lateral movement  
  • Up-Down Protection: Dynamically limit traffic between network layers 

This three-dimensional approach to network security means weaving together a range of modern strategies:  

Reinforce Perimeters with Next-Gen Firewalls and ZTNA 

Next-gen firewalls (NGFWs) deliver strong perimeter defense and threat prevention, while Zero Trust Network Access (ZTNA) solutions strengthen remote access protection. These approaches make it harder for attackers to gain initial network access, particularly when layered with internal segmentation and identity controls.  

Implement Granular Network Segmentation   

Holistic microsegmentation allows organizations to contain threats before they spread, limiting the blast radius of any breach to the individual compromised asset. In other words, microsegmentation locks down lateral movement to the tightest possible degree, enabling only what’s operationally necessary.  

Enforce Adaptive Identity Controls  

Every user and system should have only the necessary access – nothing more. Excessive permissions help ransomware groups and other attackers pivot through the network undetected, reaching deeper layers and more sensitive systems. The same fine-grained approach used to segment assets should be applied to identities with tailored, dynamic access policies to ensure Up-Down movement is protected without disrupting normal operations.  

Apply MFA Everywhere   

Applying MFA to privileged ports, protocols, and accounts makes it much harder for attackers to exploit password weaknesses or use stolen credentials to move laterally. With network-layer MFA, organizations can even secure databases, OT systems, legacy applications, and other technology that has traditionally been difficult to protect with MFA.
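To make the blast-radius argument of the segmentation and MFA sections concrete, here is an added example (not Zero Networks’ code) that models a flat network beside a microsegmented allowlist with just-in-time MFA on admin ports, then computes which assets an attacker holding stolen credentials could chain through from one compromised laptop. The inventory, groups, and rules are constructed assumptions.

```python
from collections import deque

# Constructed inventory: asset name -> segmentation group (example data, not a real estate).
ASSETS = {
    "laptop-1": "workstations", "laptop-2": "workstations",
    "fs-1": "file-servers", "db-1": "databases",
    "dc-1": "domain-controllers", "ot-1": "ot",
}
# Ports the post names as lateral-movement vehicles: RDP, SSH, WinRM, SMB (PsExec).
LATERAL_PORTS = {3389: "RDP", 22: "SSH", 5985: "WinRM", 445: "SMB"}

# Rule = (source group, destination group, port, MFA required before the port opens).
# Flat network: every group reaches every group on every lateral port, with no MFA gate.
GROUPS = set(ASSETS.values())
FLAT_POLICY = [(s, d, p, False) for s in GROUPS for d in GROUPS for p in LATERAL_PORTS]

# Microsegmented: only operationally necessary flows; admin ports gated by just-in-time MFA.
SEGMENTED_POLICY = [
    ("workstations", "file-servers", 445, False),       # users need SMB to their shares
    ("workstations", "domain-controllers", 88, False),  # Kerberos, not a lateral port
    ("workstations", "file-servers", 3389, True),       # admin RDP only after MFA
    ("workstations", "databases", 3389, True),
    ("file-servers", "databases", 1433, False),         # app traffic, not a lateral port
]

def allowed(policy, src, dst, port, attacker_has_mfa):
    """Would the enforced policy pass this flow for an attacker holding stolen credentials?"""
    sg, dg = ASSETS[src], ASSETS[dst]
    return any((s, d, p) == (sg, dg, port) and (not mfa or attacker_has_mfa)
               for s, d, p, mfa in policy)

def blast_radius(policy, compromised, attacker_has_mfa=False):
    """Assets reachable from the first compromised asset by chaining lateral-port hops (BFS)."""
    seen, queue = {compromised}, deque([compromised])
    while queue:
        cur = queue.popleft()
        for dst in ASSETS:
            if dst not in seen and any(allowed(policy, cur, dst, p, attacker_has_mfa)
                                       for p in LATERAL_PORTS):
                seen.add(dst)
                queue.append(dst)
    return seen - {compromised}

if __name__ == "__main__":
    for name, policy in (("flat", FLAT_POLICY), ("segmented", SEGMENTED_POLICY)):
        print(f"{name}: {sorted(blast_radius(policy, 'laptop-1'))}")
    print("segmented, attacker passed MFA:", sorted(blast_radius(SEGMENTED_POLICY, "laptop-1", True)))
```

Note that the file server stays reachable over SMB because users legitimately need it, but it cannot pivot further; the point of the model is that the reachable graph, not the initial infection, determines the damage.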

Stop Lateral Movement and Prevent Ransomware in Real Time with Zero Networks  

Zero Networks makes lateral movement a thing of the past, stopping ransomware attacks in real time with automated microsegmentation that’s radically simple to deploy and powerful in action. Unlike legacy solutions with complex, never-ending implementations, Zero goes live in days – not years – and helps security teams level up defenses without adding operational complexity.

Here’s how Zero enables a multi-dimensional approach to ransomware prevention in record time:  

  • With automated asset tagging, grouping, and policy creation and management, Zero generates deterministic, fine-grained rules for assets and identities – no complex configurations required  
  • Our infrastructure-agnostic solution orchestrates native firewalls to secure every asset and integrate seamlessly into existing environments – without the manual complexity of traditional solutions   
  • Just-in-time MFA applied at the network layer keeps privileged ports closed until verified, shutting down credential abuse and privilege escalation   
  • With adaptive policy enforcement, Zero dynamically maintains granular controls that evolve alongside your network   

It’s easier than ever to build a proactive, layered defense that halts lateral movement and leaves attackers stranded – take a self-guided product tour to learn how Zero can help protect your organization from ransomware and other sophisticated threats.