Posted on

How Ransomware Spreads Laterally Across a Network (and How to Stop It)

Ransomware Spreads Laterally Across a Network

Ransomware rarely encrypts just one machine. The initial compromise is a foothold, not the destination.

What follows is a deliberate, methodical process of moving through the network to reach the systems and data that generate the most leverage: domain controllers, file servers, backup infrastructure, and the databases that contain the information the organization cannot afford to lose.

Understanding how that lateral movement works is the foundation for stopping it.

The controls that limit lateral movement do not prevent the initial compromise. They prevent the initial compromise from becoming an enterprise-wide encryption event.

That distinction determines whether a ransomware incident is a contained, recoverable situation or an extended operational crisis.

This article covers the specific techniques ransomware uses to move laterally, what network conditions enable that movement, and the controls that stop it before it reaches the systems where the real damage occurs.

Organizations strengthening ransomware resilience should evaluate layered cybersecurity services, ransomware protection, and network security monitoring.

What Lateral Movement Is and Why It Matters

Lateral movement is the process by which an attacker, or ransomware operating on an attacker’s behalf, moves from the initial point of compromise to other systems in the network.

It is the bridge between a single infected endpoint and an organization-wide encryption event.

The initial compromise is almost never the primary target.

A phishing email that compromises a junior employee’s workstation does not immediately give the attacker access to the file server, the backup system, or the domain controller.

Getting from that initial endpoint to those high-value targets requires lateral movement through the network using techniques that exploit trust relationships, credential reuse, and network connectivity that was designed for operational convenience rather than security.

The dwell time between initial compromise and the encryption event, during which lateral movement occurs, averages days to weeks in enterprise ransomware attacks.

That window is the organization’s opportunity to detect and contain the attack before encryption begins.

It is also the window during which network architecture and access control decisions made long before the incident determine how far the attacker can reach.

The Techniques Ransomware Uses to Move Laterally

Credential Harvesting and Reuse

The most common lateral movement technique is credential harvesting followed by credential reuse across other systems in the environment.

Once ransomware or its operator has access to one system, it attempts to extract credentials stored on that system and use them to authenticate to other systems.

Credential harvesting techniques include:

  • LSASS memory dumping using tools like Mimikatz to extract plaintext passwords, password hashes, and Kerberos tickets from the Local Security Authority Subsystem Service process, which stores authentication material for currently logged-in users including administrators who have recently connected to the system.
  • Credential store extraction from browser saved passwords, Windows Credential Manager, and application-specific credential stores that users populate for convenience and that attackers harvest systematically.
  • SAM database extraction to obtain local account password hashes that can be cracked offline or used in pass-the-hash attacks against other systems with the same local administrator password, which is a common configuration in environments that have not implemented unique local administrator credentials.

The effectiveness of credential harvesting as a lateral movement enabler depends almost entirely on whether the harvested credentials are valid on other systems.

Environments where the same local administrator password is used across all endpoints, where domain administrator credentials are routinely used on user workstations, or where service accounts have excessive privileges across multiple systems give attackers a credential set that opens large portions of the environment from a single harvest.

Organizations reducing credential-based exposure should also review multi-factor authentication and Zero Trust security.

Pass-the-Hash and Pass-the-Ticket

Pass-the-hash attacks use harvested NTLM password hashes directly for authentication without needing to crack the hash to obtain the plaintext password.

Because Windows NTLM authentication accepts the hash itself as proof of identity in certain configurations, an attacker with a valid hash can authenticate to other systems as the account whose hash they possess.

Pass-the-ticket attacks operate similarly using Kerberos tickets harvested from memory.

A valid Kerberos ticket allows the attacker to authenticate to any service the ticket grants access to, for the lifetime of the ticket, without needing the account’s password.

Both techniques exploit the way Windows authentication is designed rather than flaws in specific software.

Defending against them requires architectural changes to how credentials are used and stored, not just patching.

Remote Services Exploitation

Ransomware moves laterally by connecting to remote services on other systems using harvested credentials or exploiting vulnerabilities in those services directly.

Common remote service targets include:

  • Remote Desktop Protocol where exposed RDP services allow direct interactive access to systems using harvested credentials. RDP is the most commonly exploited remote service in enterprise ransomware lateral movement because it is widely enabled, often accessible across the internal network without restriction, and provides full interactive access to the target system.
  • SMB file sharing where the Server Message Block protocol enables file access and remote execution across Windows networks. SMB-based lateral movement using techniques like PsExec allows ransomware to copy itself to remote systems and execute on them using administrative shares and harvested credentials.
  • WMI and PowerShell remoting where Windows Management Instrumentation and PowerShell provide legitimate remote management capabilities that attackers use for lateral movement because they are present on all Windows systems, generate less suspicious log activity than other tools, and allow remote code execution with minimal artifacts.
  • SSH and other administrative protocols in mixed environments where Linux systems, network devices, and specialized systems are accessible through administrative protocols that are not monitored with the same scrutiny as Windows-specific services.

Exploitation of Unpatched Vulnerabilities

Lateral movement does not always require valid credentials.

Unpatched vulnerabilities in services accessible across the network allow ransomware to compromise additional systems without authentication.

The most significant historical example is EternalBlue, the NSA-developed exploit for a vulnerability in Windows SMB that was used by WannaCry and NotPetya to propagate across networks at machine speed without requiring any credential.

While EternalBlue specifically has been widely patched, the category of unauthenticated network-accessible vulnerabilities continues to produce new lateral movement vectors as new vulnerabilities are discovered and exploit code becomes publicly available.

Environments with inconsistent patching, particularly for systems that are considered stable and therefore rarely updated, consistently present unpatched vulnerabilities that enable lateral movement without credential harvesting.

Organizations improving patching and security operations should also evaluate managed IT services and co-managed IT services.

Active Directory Attacks

Active Directory is the authentication and authorization backbone of most enterprise Windows environments.

Compromising Active Directory does not just give the attacker access to additional systems.

It gives them the ability to create credentials, modify access controls, and establish persistence that survives remediation attempts that do not fully reset the AD environment.

Active Directory attacks used for lateral movement and privilege escalation include:

  • Kerberoasting where an attacker requests Kerberos service tickets for service accounts and attempts to crack the ticket offline to obtain the service account password, which often has excessive privileges across the environment.
  • DCSync where an attacker with sufficient domain privileges replicates domain controller data to obtain all password hashes in the domain, effectively giving them credentials for every account including domain administrators.
  • Golden ticket attacks where an attacker who has compromised the KRBTGT account password creates forged Kerberos tickets that grant access to any resource in the domain for any user, valid for the lifetime of the ticket.
  • AdminSDHolder abuse where an attacker modifies the AdminSDHolder object to grant persistent elevated permissions that survive even targeted remediation of individual account modifications.

Active Directory compromise is the stage of lateral movement that most significantly extends the scope and duration of a ransomware incident, because cleaning a compromised AD environment requires more extensive work than restoring encrypted files.

Network Conditions Enable Lateral Movement

What Network Conditions Enable Lateral Movement

Lateral movement is not equally possible in every network environment.

The conditions that enable it are architectural and configuration choices that most organizations made for operational convenience without full consideration of their security implications.

Flat Network Architecture

A flat network where all systems are on the same network segment or can reach each other without restriction is the condition that most directly enables fast, broad lateral movement.

When a compromised endpoint can reach the domain controller, the backup server, the file server, and every other endpoint on the network without restriction, the attacker’s movement is limited only by the time they need to exploit each connection.

Most enterprise networks that have grown organically over years are significantly flatter than their security posture requires.

Network segmentation that was planned but never fully implemented, VLAN configurations that exist on paper but are not enforced, and firewall rules that allow broad internal traffic in the name of operational convenience all contribute to a network architecture that presents minimal resistance to lateral movement.

Excessive Privileged Access

Environments where administrative credentials are widely distributed, where the same local administrator password is used across all endpoints, where service accounts have domain-level privileges for convenience, and where users operate with local administrator rights create a credential landscape that maximizes the value of any single credential harvest.

An attacker who compromises one credential in this environment may have valid authentication to dozens or hundreds of systems from that single harvest.

Every system accessible with a harvested credential is a potential next hop in the lateral movement chain.

Inadequate Internal Traffic Monitoring

Lateral movement generates network traffic that is distinctive if someone is looking for it.

Unusual authentication patterns, connections to systems a user has never accessed before, remote execution tool usage, and high-volume file access across network shares are all signals of lateral movement in progress.

Environments without internal network monitoring, endpoint detection tools, or SIEM correlation rules that look for these patterns allow lateral movement to proceed undetected for the full dwell period.

The attacker moves freely because no one is watching the movement.

Permissive Backup System Access

Backup systems accessible from the production network through the same credentials and protocols used for production access are reachable by ransomware that has obtained those credentials.

Attackers specifically target backup systems during the dwell period because eliminating the recovery option is what converts a recoverable incident into a payment situation.

Organizations improving backup resilience should also review business continuity planning.

The Controls That Stop Lateral Movement

The controls that most effectively limit lateral movement operate at three levels:

  • Reducing the network paths available for movement
  • Reducing the credential value available to fuel movement
  • Detecting movement in progress before it reaches critical systems

Network Segmentation

Network segmentation divides the environment into distinct zones with controlled, monitored traffic flows between them.

A properly segmented network means that ransomware that compromises an endpoint in the user workstation segment cannot directly reach the server segment, the backup segment, or the OT segment without traversing a firewall or other enforcement point that can detect and block unauthorized traffic.

Effective segmentation for ransomware lateral movement control requires:

  • Micro-segmentation of server and backup infrastructure from user endpoint segments, so that the most valuable recovery assets are not directly reachable from the endpoints most likely to be initially compromised.
  • Strict east-west traffic controls that limit which systems can communicate with which other systems within the same segment, not just traffic crossing segment boundaries.
  • Backup system isolation on a separate network segment with access controls that prevent production systems from initiating connections to backup infrastructure without explicit authorization through monitored pathways.
  • OT and IT separation in environments with operational technology, where the network boundary between IT and OT systems is enforced at a hardware level rather than through software controls that can be bypassed by an attacker with sufficient access.

Segmentation does not prevent lateral movement.

It limits the blast radius of lateral movement by containing it within the segment where the initial compromise occurred and requiring the attacker to traverse monitored boundaries to reach additional segments.

Privileged Access Management

Privileged Access Management addresses the credential conditions that fuel lateral movement by controlling who has privileged access, what systems they can access with it, and how those credentials are managed.

Key PAM controls for lateral movement limitation include:

  • Unique local administrator passwords on every endpoint through tools like Microsoft Local Administrator Password Solution, which eliminates the condition where a single harvested local admin hash is valid across all endpoints in the environment.
  • Privileged Access Workstations for administrative tasks that isolate administrative credential use to dedicated systems that are not used for email, web browsing, or other activities that expose them to initial compromise vectors.
  • Just-in-time privileged access that grants elevated permissions only when needed and for limited durations, reducing the window during which privileged credentials exist in memory on systems where they can be harvested.
  • Service account privilege reduction that limits service account permissions to the minimum required for the service to function, eliminating the condition where a single service account compromise provides broad access across the environment.

Endpoint Detection and Response

Endpoint Detection and Response tools provide visibility into process execution, network connections, file system activity, and authentication events on individual endpoints that enables detection of lateral movement techniques in progress.

EDR tools detect lateral movement through behavioral analysis that identifies suspicious patterns including LSASS memory access by non-system processes, execution of known lateral movement tools, unusual authentication sequences, and remote execution tool usage that does not match established administrative patterns.

The detection value of EDR tools depends on whether the alerts they generate are monitored and acted upon.

EDR deployed without a response capability, either internal security operations or a managed detection and response service, produces alerts that contribute to the detection gap rather than closing it.

Organizations improving endpoint visibility should also review managed security services.

Multi-Factor Authentication

Multi-factor authentication on all remote access, privileged access, and critical system authentication eliminates the effectiveness of pass-the-hash and credential reuse attacks for services that enforce MFA.

An attacker with a valid password hash cannot authenticate to a service that requires a second factor they do not possess.

MFA implementation must cover the specific services that ransomware most commonly uses for lateral movement.

MFA on the VPN while RDP remains accessible with password-only authentication addresses one pathway while leaving another open.

Organizations strengthening authentication security should also review multi-factor authentication solutions.

Patch Management

Consistent patch management eliminates the unauthenticated vulnerability exploitation pathway for lateral movement.

Systems that are current on security patches do not present the unpatched network-accessible vulnerabilities that ransomware uses for authentication-free lateral movement.

Patch management in the context of lateral movement control requires particular attention to systems that are considered stable and infrequently updated, because those systems accumulate the vulnerability debt that produces the most exploitable lateral movement opportunities.

Meet Our CEO, Matt Rosenthal

With more than 30 years of experience in business and technology leadership, Matt Rosenthal has helped organizations across healthcare, finance, legal, manufacturing, and defense build the network architecture and security controls that limit ransomware lateral movement before an incident occurs.

As President and CEO of Mindcore Technologies, Matt leads a team that specializes in the cybersecurity infrastructure that determines whether a ransomware compromise remains contained or becomes an enterprise-wide encryption event.

Matt’s approach to lateral movement control focuses on the architectural decisions that create durable protection:

  • Network segmentation that limits blast radius
  • Privileged access management that reduces credential value
  • Detection capabilities that identify movement in progress before it reaches critical systems

Frequently Asked Questions

How quickly can ransomware spread laterally across a flat network?

In a flat network with no segmentation and widely shared credentials, automated ransomware propagation can reach hundreds of systems within minutes.

The 2017 WannaCry outbreak demonstrated network-speed propagation using EternalBlue, encrypting hundreds of thousands of systems across unpatched flat networks globally within hours of initial deployment.

Modern ransomware operated by human threat actors typically moves more deliberately during the dwell period, taking days to weeks to map the environment and reach high-value targets, but automated propagation components can still spread rapidly once triggered.

Does network segmentation require replacing existing network infrastructure?

Not necessarily.

Many existing network environments can implement meaningful segmentation through firewall rule changes, VLAN configuration, and access control list modifications on existing infrastructure without hardware replacement.

The scope of infrastructure changes depends on the current network architecture and the level of segmentation required.

A network architecture assessment identifies what segmentation is achievable with existing infrastructure and what changes require new investment.

What is the difference between lateral movement and privilege escalation?

Lateral movement is horizontal: moving from one system to another system at a similar privilege level.

Privilege escalation is vertical: gaining higher privileges on a system than the initial compromise provided.

Both typically occur together in a ransomware attack because reaching high-value targets usually requires both movement to the system where those targets reside and sufficient privileges to encrypt or exfiltrate the data on that system.

Controlling lateral movement limits the systems an attacker can reach.

Controlling privilege escalation limits what they can do on systems they reach.

Can EDR tools stop lateral movement entirely?

EDR tools detect lateral movement techniques and enable response, but they do not stop movement that occurs before detection and response actions are taken.

The value of EDR in lateral movement control is the reduction of dwell time between when movement begins and when it is detected and contained.

Faster detection produces faster containment, which limits how far movement progresses before intervention.

EDR is most effective as part of a layered control set that includes network segmentation, PAM, and MFA, because any single control has limitations that the others compensate for.

How do we know if lateral movement has already occurred in our environment?

Without active monitoring, you often do not know until the encryption event occurs.

Indicators that lateral movement may be in progress or has occurred include:

  • Unusual authentication events in domain controller logs
  • Processes accessing LSASS memory on endpoints
  • Connections between systems that do not have an established communication pattern
  • The presence of known lateral movement tools or their artifacts in endpoint logs

A compromise assessment by a professional security team can evaluate whether indicators of lateral movement exist in your environment even in the absence of an active incident.

Build the Architecture That Contains Ransomware Before It Spreads

The organizations that contain ransomware to a single endpoint or a single segment are not the ones with better initial compromise prevention.

They are the ones that built the network architecture, access controls, and detection capabilities that make lateral movement difficult, slow, and visible.

Those architectural investments do not prevent every attack.

They prevent the initial compromise from becoming the enterprise-wide encryption event that defines the worst ransomware outcomes.

Mindcore’s cybersecurity services and managed IT services help organizations across healthcare, finance, legal, manufacturing, and defense build the network segmentation, privileged access management, and detection capabilities that limit ransomware lateral movement.

If your current environment presents the flat architecture, shared credentials, and monitoring gaps that enable fast, broad lateral movement, contact Mindcore to assess and address those conditions before an incident requires you to.

Source content adapted from uploaded file. :contentReference[oaicite:0]{index=0}

Related Posts

Matt Rosenthal