Ransomware Is Not a Malware Problem
By Domenic DiNatale
By the time the ransomware deploys, the attack is already over.
The encryption — the part that's visible, that generates the ransom note, that triggers the crisis — is the final act in a sequence that typically began weeks or months earlier. Entry happened. Lateral movement happened. Privilege escalation happened. The attacker surveyed the environment, identified the most critical systems, positioned the payload, and waited for the optimal moment. The encryption is the cashing-out, not the intrusion.
This matters because most organizational responses to ransomware are focused on the wrong stage. Endpoint detection and response tools are tuned to catch the encryption event. Backups are designed to recover from it. Insurance policies are written to cover it. These responses treat ransomware as if it were a self-contained malware problem — a piece of malicious code that arrived and did damage. Remove the code and the problem is solved.
But the code didn't get there on its own. It got there because the architecture allowed it to.
The Attack Chain
Ransomware attacks follow a consistent pattern, and each stage exploits a different architectural failure.
Entry typically happens through one of a small number of vectors: phishing that captures credentials or gets code executed, exploitation of a vulnerability in a public-facing system, a remote-access service (VPN or RDP) protected by nothing more than a reusable password, or access bought from an initial access broker who compromised the target earlier through one of those same routes. Each of these entry paths represents a failure: of phishing-resistant authentication, of patch management, or of access control on external-facing systems.
But entry alone rarely enables full-scale ransomware deployment. Modern environments are complex enough that an attacker landing on a workstation or a single service doesn't immediately have access to everything worth encrypting. Lateral movement is required — the attacker needs to move from the initial foothold to systems where they can cause maximum damage.
Lateral movement works because most internal networks extend implicit trust to internal traffic. Services accept connections from other internal services without strong authentication. Credentials captured from one system are valid on many others: a local administrator password shared across every workstation, or a domain credential cached in memory on a machine the attacker controls, works wherever that account has rights. The flat network structure that was convenient for developers and administrators is equally convenient for attackers. Each lateral movement step exploits a trust assumption that was built into the architecture.
Privilege escalation, meaning administrative or domain-level access, happens through misconfigurations, vulnerable services, or credential reuse. Domain administrator accounts used for daily operations, which leaves their credentials cached on ordinary workstations for whoever compromises one. Service accounts with more privileges than they need. Password reuse between administrative and non-administrative accounts. These aren't exotic vulnerabilities; they're common configurations that exist because they're convenient and the consequences aren't visible until an attacker is exploiting them.
The encryption stage, when it finally happens, reflects the access that was accumulated in the preceding stages. If the attacker achieved domain admin, encryption can span the entire domain. If lateral movement reached backup systems, those can be destroyed before encryption begins, eliminating the recovery option organizations were counting on. The blast radius of the encryption event is a direct function of how far the attack chain was allowed to progress.
Why Malware Removal Doesn't Fix It
The case for treating ransomware as a malware problem — something you can solve with better endpoint security — is superficially appealing. If you can detect and block the encryption payload, you prevent the damage. This is why endpoint detection and response is a large and growing market, and why it genuinely adds value. Catching ransomware before encryption completes is better than not catching it.
But detection at the encryption stage means the attack chain has already run almost to completion. The attacker has been in your environment. They've moved laterally. They've escalated privileges. They've surveyed your systems and identified your most critical data. All of that happened on the path to the encryption event that the endpoint tool caught. Even if the encryption is stopped, the attacker has knowledge of your environment, has demonstrated the ability to achieve broad access, and can attempt the attack again through a different path. And where data was exfiltrated before the payload ran, which is now routine, blocking the encryption does not stop the extortion.
More fundamentally, removing the malware doesn't remove the conditions that allowed it to propagate. The flat network is still flat. The over-privileged accounts still have excess privileges. The backup systems are still on the same network as production. The vulnerable credentials are still in use. The architectural conditions that turned a single compromised endpoint into a potential total-environment disaster are unchanged.
Recovering from a ransomware incident without addressing those underlying conditions is recovery in name only. It's returning to the same architectural posture that was compromised, hoping the attacker doesn't return — or a different attacker doesn't notice.
Root Cause Analysis
The root cause of successful ransomware attacks is almost never "the attacker had better malware than we had defenses." It's architectural. The attack chain was able to proceed from entry to domain-level access because the architecture didn't interrupt it.
Each stage of the chain corresponds to an architectural property. Entry works because external-facing systems aren't hardened or patch management is delayed. Lateral movement works because internal systems extend implicit trust. Privilege escalation works because administrative credentials are broadly valid and insufficiently protected. The encryption stage works at scale because backup systems are reachable from the systems being encrypted.
Address those properties — through network segmentation, least-privilege access, privileged access management, offline or isolated backups — and ransomware becomes a significantly smaller problem. Not zero, but bounded. An attacker who achieves initial access in a segmented environment with properly constrained credentials can encrypt one system or one network segment. That's an incident. It's not a disaster.
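To make the blast-radius argument concrete, here is a small attack-graph model written as an added example for this post; it is not code from the original article or from any vendor tool. It encodes the trust assumptions from the attack-chain section as data: which network zones can open connections to which, which accounts are administrators on which hosts, and which credentials an attacker can harvest from a host once they control it. The host names, zones and account names (ws1, dc1, LOCALADMIN, DA, svc_backup) are all constructed. The same five hosts are run through four architectures, from a flat network with a shared local administrator password and domain admins logging into workstations, to a segmented network with unique local administrator passwords and tiered administration, to show how each control shrinks the set of hosts reachable from one compromised workstation.

```python
"""Attack-graph model of how architecture bounds a ransomware blast radius.

Added illustration for this post, not a tool from any vendor or from the
original article. Every host, zone, account and cached credential below is a
constructed example. The model is deliberately simple: controlling a host
lets the attacker harvest the credentials cached on it, and a harvested
credential lets them take over any host that (a) is network-reachable from a
host they already control and (b) grants that account administrative rights.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Host:
    name: str
    zone: str
    admins: frozenset   # accounts with administrative rights on this host
    cached: frozenset   # credentials harvestable once the host is controlled


def blast_radius(hosts, routes, foothold):
    """Return the set of hosts the attacker ends up controlling.

    hosts:    name -> Host
    routes:   zone -> zones that hosts in that zone may open connections to
    foothold: name of the initially compromised host

    Fixed-point computation over the attack graph: each pass adds every host
    that is both reachable and administrable with the credentials harvested
    so far, then harvests whatever is cached on the newly taken hosts.
    """
    owned = {foothold}
    creds = set(hosts[foothold].cached)
    changed = True
    while changed:
        changed = False
        reachable = {z for h in owned for z in routes[hosts[h].zone]}
        for name, host in hosts.items():
            if name in owned or host.zone not in reachable:
                continue
            if creds & host.admins:  # some harvested credential is admin here
                owned.add(name)
                creds |= host.cached
                changed = True
    return owned


HOSTS = ["ws1", "ws2", "fs1", "dc1", "bk1"]

# Flat network: everything in one zone that talks to itself.
FLAT_ZONES = dict.fromkeys(HOSTS, "corp")
FLAT_ROUTES = {"corp": {"corp"}}

# Segmented network: workstations may reach servers, servers do not reach
# back into the user zone, and nothing opens connections into the backup
# zone (backups pull from servers). The model is binary and optimistic: it
# has no path such as a compromised domain controller pushing policy to a
# domain-joined backup host, so "backup" here stands for a backup system
# that the domain cannot administer, which is what "isolated" has to mean.
SEG_ZONES = {"ws1": "user", "ws2": "user", "fs1": "server",
             "dc1": "server", "bk1": "backup"}
SEG_ROUTES = {"user": {"user", "server"}, "server": {"server"},
              "backup": {"backup", "server"}}


def build(zones, shared_local_admin, da_on_workstations):
    """Construct the five hosts under the given credential hygiene choices."""
    la1 = "LOCALADMIN" if shared_local_admin else "LA-ws1"
    la2 = "LOCALADMIN" if shared_local_admin else "LA-ws2"
    # A domain admin who has logged into ws2 leaves a harvestable credential.
    ws2_cached = {la2, "DA"} if da_on_workstations else {la2}
    return {
        "ws1": Host("ws1", zones["ws1"], frozenset({la1}), frozenset({la1})),
        "ws2": Host("ws2", zones["ws2"], frozenset({la2}), frozenset(ws2_cached)),
        "fs1": Host("fs1", zones["fs1"], frozenset({"DA"}), frozenset()),
        "dc1": Host("dc1", zones["dc1"], frozenset({"DA"}), frozenset({"DA"})),
        "bk1": Host("bk1", zones["bk1"], frozenset({"DA", "svc_backup"}),
                    frozenset({"svc_backup"})),
    }


# name -> (zones, routes, shared local admin password?, DA used on workstations?)
SCENARIOS = {
    "flat network, shared local admin, DA on workstations": (FLAT_ZONES, FLAT_ROUTES, True, True),
    "segmentation only": (SEG_ZONES, SEG_ROUTES, True, True),
    "tiered admin only (DA never on workstations)": (FLAT_ZONES, FLAT_ROUTES, True, False),
    "segmentation + tiered admin + unique local admins": (SEG_ZONES, SEG_ROUTES, False, False),
}


def run(scenario):
    """Compromised hosts after an attacker lands on ws1 under a scenario."""
    zones, routes, shared, da_ws = SCENARIOS[scenario]
    return blast_radius(build(zones, shared, da_ws), routes, "ws1")


if __name__ == "__main__":
    for scenario in SCENARIOS:
        owned = run(scenario)
        print(f"{scenario}: {len(owned)}/5 hosts -> {sorted(owned)}")
```

Run it and the flat case loses all five hosts, backups included. Segmenting the network alone still loses both servers and the domain controller, but the backup zone stays out of reach, which is the difference between a restore and a rebuild. Keeping domain admin credentials off workstations, with no segmentation at all, stops the chain at the second workstation because nothing harvested there is an administrator anywhere else. Combining segmentation, tiered administration and unique local administrator passwords leaves the attacker with the single host they landed on: the incident the text describes rather than the disaster. The model is intentionally optimistic about isolation, as the comment on the backup zone notes, which is exactly why the fix above says offline or isolated backups rather than merely separate ones.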
The organizations that handle ransomware events as contained incidents rather than existential crises share a common architectural feature: they made it structurally hard for an attacker to move from entry to broad access. The malware is the same. The architecture is different.
That's where the problem lives. That's where the fix has to start.
This post is part of a series on security as an architectural problem. Read the full series on the Intellitech blog.