Understanding lateral movement in ransomware: risks and solutions
Modern ransomware operators do not just land on one machine and pull the trigger. Attackers gain initial access, then move silently through the environment, escalating privileges and positioning themselves to reach critical systems before deploying ransomware or stealing data.
If you are under attack or think something is wrong, contact Zensec immediately so our team can help you contain the threat and protect your business.
This sideways traversal is called the lateral movement process. It is the phase that turns a single compromised laptop into a full business outage, affecting multiple systems. In many ransomware cases, attackers complete the entire chain, from initial access to full deployment in under 24 hours.
For UK organisations, understanding and disrupting these lateral movement risks is one of the most effective ways to blunt the impact of ransomware.
Introduction to lateral movement
In network security, lateral movement is the process attackers use to spread from their initial foothold to the rest of the environment.
This process allows adversaries to move beyond their initial entry point and reach sensitive data and critical systems of operational or strategic value, hopping between hosts, accounts and applications in search of high-value assets.
In the context of ransomware, lateral movement allows threat actors to:
- Discover file servers, domain controllers, backup systems and SaaS tenants.
- Escalate privileges and gain access to administrative accounts.
- Identify sensitive data such as customer records and intellectual property.
- Stage and deploy ransomware across multiple systems to maximise disruption and leverage.
Without lateral movement, many ransomware intrusions would be contained to a single endpoint. When attackers successfully begin moving laterally, they can encrypt dozens or hundreds of systems simultaneously and combine encryption with data exfiltration for double or triple extortion.
Understanding how this works in practice is essential for building a realistic defence.
Lateral movement techniques used in ransomware campaigns
Attackers have a large toolkit, and most of it uses the same protocols and tools your administrators rely on every day.
Abuse of remote access protocols and network services
Attackers frequently rely on legitimate network services to move laterally. The Remote Desktop Protocol (RDP) is a primary target.
- Compromised or brute-forced RDP accounts give direct interactive access to servers and desktops.
- Legitimate SSH keys or hijacked SSH sessions can be reused to jump between Linux or network devices.
- Misconfigured admin tools make it easier to access critical data.
In many high-impact incidents, exposed RDP or poorly secured remote access is both the initial access and the primary lateral movement method.
Credential theft and privilege escalation
Credential harvesting facilitates privilege escalation, which allows attackers to expand access rapidly:
- Dumping LSASS or using tools like Mimikatz to harvest passwords and hashes.
- Abusing Active Directory to discover privileged groups and admin accounts.
- Performing techniques like DCSync to request password hashes for any user in the domain.
The goal is to obtain domain admin or equivalent privileges so that the attacker can disable security controls, push ransomware through management tools and access backups.
“Living off the land” tools
Rather than deploying noisy malware at every step, attackers prefer to blend into normal operations:
- Using PowerShell, PsExec, WMI and built-in Windows operating system utilities for remote execution.
- Leveraging existing management platforms, such as remote monitoring tools, configuration managers or backup software.
Because these tools are used legitimately by IT teams, malicious activity can easily hide in plain sight without effective behavioural detection and lateral movement prevention strategies.
Exploiting operating system and application vulnerabilities
Unpatched systems remain a reliable way to move laterally:
- Exploiting server-side vulnerabilities in file servers, application servers, operating systems, or appliances.
- Targeting legacy protocols, outdated VPN appliances and unmaintained systems.
This is precisely why national guidance emphasises timely patching and hardening as a core defence against ransomware and lateral movement.
Mapping lateral paths
Before moving, sophisticated groups map lateral movement paths by:
- Enumerating subnets, domain trusts and file shares.
- Identifying where domain controllers, hypervisors, ERP systems and critical databases live.
This reconnaissance phase enables them to determine the fastest routes to access high-value assets.
Stages of a lateral movement attack
Every incident is different, but most ransomware operations follow a similar pattern.
1. Initial access
Attackers gain network access through:
- Phishing emails carrying commodity malware or credential harvesters.
- Stolen VPN or remote access credentials bought from initial access brokers.
- Exploitation of unpatched internet-facing systems.
At this point, they typically have user-level access on a single endpoint or exposed service.
2. Privilege escalation and discovery
Next, they focus on:
- Harvesting credentials from memory, browsers and password vaults.
- Exploiting local privilege escalation vulnerabilities.
- Discovering domain structure, servers, shares and cloud tenants.
This stage is about turning a low-privilege compromise into meaningful control.
3. Lateral movement and pre-attack positioning
With better credentials in hand, the attacker:
- Uses lateral movement techniques to move between servers, domain controllers and management systems.
- Disables security solutions such as endpoint detection tools where possible.
- Locates and either deletes or encrypts backups.
In parallel, they often exfiltrate sensitive data for extortion.
Only when they are confident they control enough of the estate do they launch the ransomware across as many systems as possible. Some groups now complete this full lifecycle in less than a day, leaving defenders a tiny window to intervene.
Detecting lateral movement
Lateral movement detection differs from spotting commodity malware. You are looking for subtle behavioural changes rather than a specific signature.
Signs of lateral movement often include unusual RDP or SSH activity, remote execution from machines that do not typically perform administrative tasks, and authentication patterns that fall outside normal behaviour, such as a single account logging into many servers in rapid succession or from unexpected locations. Large, sudden spikes in file access from endpoints that rarely touch sensitive shares can also be early warnings.
Because some of these behaviours occur legitimately, baselining is essential. The goal is not to generate an alert for every remote session, but to detect patterns that meaningfully deviate from business norms.
Key indicators of lateral movement include:
- New or unusual RDP, SSH or remote management sessions between internal hosts.
- Non-admin machines initiating administrative protocols, for example, using PsExec or remote PowerShell to multiple servers.
- Abnormal authentication patterns, such as a single account authenticating to many servers in quick succession or logins from unusual locations.
- Abnormal network traffic between internal systems.
- Sudden spikes in file access from endpoints that normally do not touch sensitive shares.
Because many of these behaviours also occur legitimately, tuning and baselining are essential. The goal is not to alert on every remote session, but to quickly spot the ones that deviate from standard business patterns.
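A small illustration of two of the indicators above (one account fanning out to many servers in quick succession, and RDP sessions opened from hosts outside the admin-workstation baseline), run over constructed Windows 4624 logon records. This is an added example, not Zensec's detection logic; the host names, thresholds and admin-workstation list are assumptions.

```python
# Added example: baseline-aware checks for lateral-movement authentication patterns.
# Not the article's or Zensec's tooling; host names and thresholds are assumptions.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Windows Security 4624 logon events:
# (timestamp, account, source host, target host, logon type 3 = network, 10 = RDP).
SAMPLE_EVENTS = [
    ("2024-03-01T09:00:05", "j.smith",    "WS-017", "FS-01",  3),
    ("2024-03-01T09:00:41", "j.smith",    "WS-017", "FS-02",  3),
    ("2024-03-01T09:01:12", "j.smith",    "WS-017", "DC-01",  3),
    ("2024-03-01T09:01:50", "j.smith",    "WS-017", "BKP-01", 3),
    ("2024-03-01T09:02:20", "j.smith",    "WS-017", "HV-02",  10),
    ("2024-03-01T09:15:00", "svc-backup", "BKP-01", "FS-01",  3),
    ("2024-03-01T10:30:00", "admin.kl",   "PAW-01", "DC-01",  10),
]

ADMIN_WORKSTATIONS = {"PAW-01"}   # assumed baseline of privileged access workstations
WINDOW = timedelta(minutes=10)    # sliding window for the fan-out check
HOST_THRESHOLD = 4                # distinct target hosts per account within WINDOW


def parse(events):
    """Convert ISO timestamps to datetimes and sort chronologically."""
    return sorted((datetime.fromisoformat(ts), acct, src, dst, lt)
                  for ts, acct, src, dst, lt in events)


def fan_out_alerts(events, window=WINDOW, threshold=HOST_THRESHOLD):
    """Accounts reaching >= threshold distinct hosts inside any sliding window.
    Returns {account: max distinct hosts seen in one window}."""
    by_account = defaultdict(list)
    for ts, acct, _src, dst, _lt in parse(events):
        by_account[acct].append((ts, dst))
    alerts = {}
    for acct, hits in by_account.items():
        for i, (start, _) in enumerate(hits):
            targets = {d for t, d in hits[i:] if t - start <= window}
            if len(targets) >= threshold:
                alerts[acct] = max(len(targets), alerts.get(acct, 0))
    return alerts


def unexpected_remote_admin(events, admin_hosts=ADMIN_WORKSTATIONS):
    """RDP (logon type 10) sessions initiated from hosts outside the admin baseline."""
    return sorted({(src, dst) for _, _, src, dst, lt in parse(events)
                   if lt == 10 and src not in admin_hosts})


if __name__ == "__main__":
    print("fan-out:", fan_out_alerts(SAMPLE_EVENTS))            # {'j.smith': 5}
    print("rdp outside baseline:", unexpected_remote_admin(SAMPLE_EVENTS))
```

In production the thresholds would be derived from per-account and per-host baselines rather than fixed constants, and the backup service account's scheduled logons would be whitelisted by source host.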
Preventing lateral movement attacks
Prevention is about making it hard and noisy for attackers to move once they are inside. The UK NCSC guidance on preventing lateral movement emphasises robust identity controls, segmentation and monitoring, rather than relying solely on a perimeter.
Strong identity and access control
- Enforce multi-factor authentication (MFA) for remote access and administrator accounts.
- Apply the principle of least privilege so users and service accounts have only the access they genuinely need.
- Use privileged access management and separate admin workstations to keep high-value credentials off general-purpose endpoints.
Network segmentation and zero trust
- Actively stop lateral movement through segmentation.
- Break up flat networks so a compromise in one segment does not give easy access to everything else.
- Adopt zero-trust principles, verifying user identity, device health and context before granting access to applications or data.
Hardening, patching, and endpoint controls
- Prioritise patching of internet-facing systems, VPNs and remote access gateways.
- Harden operating system configurations.
- Disable or tightly control legacy protocols like SMBv1 and unnecessary remote management services.
Monitoring and response preparedness
- Security teams can centralise logs from EDR, firewalls, VPNs, Active Directory and cloud platforms into a SIEM or XDR platform.
- Define and rehearse an incident response plan that specifically covers ransomware and lateral movement.
Critically, prevention controls should be tested regularly. Realistic exercises and ransomware-focused penetration testing services can identify lateral movement paths, weak admin practices and overlooked exposure before an attacker does.
The role of intrusion detection systems
Intrusion Detection Systems (IDSs) remain valuable, particularly when combined with modern endpoint technologies. Network IDS can surface unusual internal traffic or suspicious protocol use, while host-based IDS monitors for changes to critical system files and processes.
Traditional IDS solutions can struggle because attackers often use legitimate protocols. Their greatest value comes when IDS alerts feed into a central analytics platform enriched with endpoint, identity and cloud telemetry. Correlation and behavioural analysis enable differentiation between genuine lateral movement and routine administrative activity.
Cloud environments and lateral movement
Cloud-native tools further complicate detection; attackers can use storage utilities or tunnelling services to exfiltrate data or move laterally without deploying traditional malware. Conditional access policies, just-in-time privileged access, and micro-segmentation within cloud environments are crucial in preventing this type of movement. UK organisations should treat cloud tenants as extensions of their core environment, not as separate or inherently more secure spaces.
Cloud-specific controls against lateral movement include:
- Strong conditional access policies tied to device health, location and risk signals.
- Just-in-time access for privileged roles and strict review of role assignments.
- Network micro-segmentation in cloud environments and careful use of private endpoints.
Business risks of lateral movement
When lateral movement is successful, the impact extends far beyond a single encrypted device.
- Operational disruption: Simultaneous encryption of servers, endpoints and sometimes OT systems can stop operations entirely for days or weeks.
- Data theft and extortion: Stolen customer data, IP and financial information are used to pressure victims through “name and shame” leak sites.
- Recovery cost: Rebuilding infrastructure, conducting forensics and improving controls can easily exceed the ransom demand.
- Reputational damage: Repeated headlines about outages and data leaks can erode customer trust, especially in regulated sectors such as healthcare, financial services, and professional services.
From a board perspective, lateral movement is the difference between a contained incident and a full-scale business crisis.
Regulatory and compliance considerations for UK organisations
For UK entities, lateral movement in ransomware incidents has clear regulatory implications:
- If attackers reach systems holding personal data, UK GDPR obligations around breach notification and data protection apply.
- The Information Commissioner’s Office (ICO) will expect evidence that “appropriate technical and organisational measures” were in place, including access control, monitoring and incident response.
- Sector-specific regulators, such as the FCA and NHS bodies, increasingly expect robust cyber resilience, tested in practice rather than just on paper.
Regular security audits, risk assessments and realistic exercises help demonstrate due diligence and can reduce regulatory and legal exposure after an incident.
How Zensec can help you contain lateral movement
The lateral movement process is where ransomware operations truly become business-threatening. The good news is that this phase offers multiple opportunities to detect and stop attackers before they pull the trigger.
Zensec works with UK organisations to:
- Run targeted assessments and ransomware-oriented penetration tests that simulate real adversaries and uncover practical lateral movement paths.
- Design and implement pragmatic improvements in identity security, segmentation, logging and monitoring.
- Provide incident response support when you suspect intruders in your network, from rapid triage through to containment, eradication and recovery.
If you are currently experiencing a ransomware incident or even suspect that attackers may be moving laterally in your environment, do not wait. The dwell time trend is moving sharply downwards, and delays can be the difference between a contained issue and a full estate compromise.
We make it our mission not to let lateral movement happen.