Most ransomware playbooks don't address machine credentials. Attackers know it.
Source: VentureBeat
The Gap Between Ransomware Threats and Defenses Is Widening
Ivanti’s 2026 State of Cybersecurity Report found that the preparedness gap widened by an average of 10 points year‑over‑year across every threat category the firm tracks.
- Ransomware had the widest spread: 63 % of security professionals rate it a high or critical threat, but only 30 % say they are “very prepared” to defend against it – a 33‑point gap, up from 29 points a year ago.
CyberArk’s 2025 Identity Security Landscape puts numbers to the problem:
- 82 machine identities for every human in organizations worldwide.
- 42 % of those machine identities have privileged or sensitive access.
The Most Authoritative Playbook Framework Has the Same Blind Spot
Gartner’s ransomware preparation guidance (April 2024 research note “How to Prepare for Ransomware Attacks”) is the reference most enterprise security teams use when building incident‑response procedures.
- The note calls out the need to reset “impacted user/host credentials” during containment.
- The accompanying Ransomware Playbook Toolkit walks teams through four phases: containment, analysis, remediation, and recovery.
- The credential‑reset step instructs teams to ensure all affected user and device accounts are reset.
What’s Missing?
- Service accounts
- API keys, tokens, and certificates
The most widely used playbook framework stops at human and device credentials. Organizations that follow it inherit that blind spot without realizing it.
The same research note identifies the problem without connecting it to the solution:
“Poor identity and access management (IAM) practices remain a primary starting point for ransomware attacks,” Gartner warns.
“Previously compromised credentials are being used to gain access through initial‑access brokers and dark‑web data dumps.”
In the recovery section, the guidance is explicit:
“Updating or removing compromised credentials is essential because, without that step, the attacker will regain entry.”
Machine identities are IAM. Compromised service accounts are credentials. But the playbook’s containment procedures address neither.
Gartner frames the urgency in terms few other sources match:
“Ransomware is unlike any other security incident. It puts affected organizations on a countdown timer. Any delay in the decision‑making process introduces additional risk.”
The same guidance emphasizes that recovery costs can amount to 10 × the ransom itself, and that ransomware is being deployed within one day of initial access in more than 50 % of engagements. The clock is already running, but the containment procedures don’t match the urgency—not when the fastest‑growing class of credentials goes unaddressed.
The Readiness Deficit Runs Deeper Than Any Single Survey
Ivanti’s report tracks the preparedness gap across every major threat category: ransomware, phishing, software vulnerabilities, API‑related vulnerabilities, supply‑chain attacks, and even poor encryption. Every single one widened year over year.
“Although defenders are optimistic about the promise of AI in cybersecurity, Ivanti’s findings also show companies are falling further behind in terms of how well prepared they are to defend against a variety of threats,” said Daniel Spicer, Ivanti’s Chief Security Officer.
“This is what I call the ‘Cybersecurity Readiness Deficit,’ a persistent, year‑over‑year widening imbalance in an organization’s ability to defend their data, people, and networks against the evolving threat landscape.”
Industry‑Specific Findings (CrowdStrike 2025 State of Ransomware Survey)
| Industry | % “Very Well Prepared” | % Recovered Within 24 h | % Suffered Significant Disruption |
|---|---|---|---|
| Manufacturers | 12 % | 12 % | 40 % |
| Public Sector | — | 12 % | — |
- Across all industries, only 38 % of organizations that suffered a ransomware attack fixed the specific issue that allowed attackers in. The rest invested in general security improvements without closing the actual entry point.
- 54 % of organizations said they would—or probably would—pay if hit by ransomware today (2026 report), despite FBI guidance against payment. That willingness to pay reflects a fundamental lack of containment alternatives, exactly the kind that machine‑identity procedures would provide.
Where Ransomware Playbooks Fall Short on Machine Identities
Five containment steps define most ransomware response procedures today. Machine identities are missing from every one of them.
1. Credential Resets Weren’t Designed for Machines
Resetting every employee’s password after an incident is standard practice, but it doesn’t stop lateral movement through a compromised service account: that account’s password, and any Kerberos tickets or tokens already issued to it, stay valid until someone resets that specific account, and every system that depends on it has to be updated at the same time or it breaks. Gartner’s own playbook template shows the blind spot clearly.
Ransomware Playbook Sample – Containment Sheet (Credential Reset Steps)
1. Force logout of all affected user accounts via Active Directory.
2. Force password change on all affected user accounts via Active Directory.
3. Reset the device account via Active Directory.
Three steps, all Active Directory, zero non‑human credentials. No service accounts, no API keys, no tokens, no certificates.
Machine credentials need their own reset chain: a named owner, a rotation procedure that also updates every consumer of the secret, and a way to revoke what has already been issued.
2. Nobody Inventories Machine Identities Before an Incident
You can’t reset credentials that you don’t know exist. Service accounts, API keys, and tokens need ownership assignments mapped pre‑incident. Discovering them mid‑breach costs days.
- Only 51 % of organizations even have a cybersecurity exposure score (Ivanti), meaning nearly half couldn’t tell the board their machine‑identity exposure if asked tomorrow.
- Only 27 % rate their risk‑exposure assessment as “excellent,” despite 64 % investing in exposure management.
The gap between investment and execution is where machine identities disappear.
3. Network Isolation Procedures Overlook Machine‑Identity Traffic
(Section truncated in the original content.)
Takeaway
The most widely referenced ransomware playbooks ignore machine identities, leaving a critical blind spot that attackers exploit. Closing the Cybersecurity Readiness Deficit requires:
- Comprehensive inventory of all machine identities (service accounts, API keys, tokens, certificates).
- Dedicated reset/rotation processes for non‑human credentials during containment.
- Integration of machine‑identity controls into every phase of the ransomware response lifecycle (containment, analysis, remediation, recovery).
Only by expanding playbooks to include these steps can organizations truly narrow the preparedness gap and reduce the costly, time‑sensitive impact of ransomware attacks.
Machine Identities Don’t Respect Network Perimeters
Pulling a host off the network doesn’t revoke the API keys, tokens, or service‑account credentials that were stored on it. Anything the attacker copied off that host keeps authenticating to cloud and SaaS services from wherever it is replayed. Containment that stops at the network perimeter assumes trust is bounded by topology, but machine identities authenticate across that boundary.
- Gartner warns that adversaries can spend days‑to‑months burrowing laterally, harvesting credentials for persistence before deploying ransomware.
- During this “burrowing” phase, service accounts and API tokens are the credentials most easily harvested without triggering alerts.
- CrowdStrike reports that 76 % of organizations are concerned about ransomware spreading from an unmanaged host over SMB network shares.
What security leaders need: Map which systems trust each machine identity so they can revoke access across the entire chain, not just the compromised endpoint.
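One way to build the pre‑incident inventory (from the “Nobody Inventories Machine Identities” section above) and the trust map this section asks for, as an added example in Python that is not code from the article or from any vendor product. Every host, identity, owner and trust edge (web-01, db-01, svc-web, ci-deploy-key and so on) is constructed sample data. The model assumes that a secret stored on a compromised host is compromised and that any system which accepts that secret is then reachable; credentials merely presented to the host by other systems are outside the model.

```python
"""Machine-identity inventory and trust-chain containment planner.

Added example, not code from the article or any vendor product. Every host,
identity, owner and trust edge below is constructed sample data.
"""
from __future__ import annotations

from collections import deque
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class MachineIdentity:
    name: str
    kind: str                   # service_account | api_key | token | certificate
    owner: str | None           # team that can rotate it; None means orphaned
    stored_on: frozenset[str]   # hosts that hold the secret material
    trusted_by: frozenset[str]  # systems that accept this identity
    last_rotated: date


# Constructed inventory (hypothetical names, not a real environment).
INVENTORY: dict[str, MachineIdentity] = {m.name: m for m in (
    MachineIdentity("svc-web", "service_account", "platform",
                    frozenset({"web-01"}), frozenset({"db-01"}), date(2023, 1, 10)),
    MachineIdentity("monitoring-token", "token", "sre",
                    frozenset({"web-01", "db-01"}), frozenset({"monitoring-saas"}), date(2025, 6, 1)),
    MachineIdentity("db-backup-cert", "certificate", "dba",
                    frozenset({"db-01"}), frozenset({"backup-01"}), date(2024, 3, 15)),
    MachineIdentity("ci-deploy-key", "api_key", None,   # orphan: its creator has left
                    frozenset({"jenkins-01"}), frozenset({"cloud:aws", "web-01"}), date(2021, 9, 2)),
    MachineIdentity("hr-sync-key", "api_key", "hr-it",
                    frozenset({"hr-01"}), frozenset({"cloud:aws"}), date(2025, 1, 20)),
)}

# What "reset" means per credential kind; an AD password change covers only the first.
ACTION_BY_KIND = {
    "service_account": "reset password, then revoke existing sessions and Kerberos tickets",
    "api_key": "revoke key at the provider and issue a replacement to the consumer",
    "token": "revoke access and refresh tokens; re-authenticate the consumer",
    "certificate": "revoke via CRL/OCSP and reissue from the CA",
}

AS_OF = date(2025, 9, 1)   # constructed "today" for the pre-incident audit


def compromised_identities(inventory: dict[str, MachineIdentity],
                           seed_hosts: set[str]) -> tuple[set[str], set[str]]:
    """Transitive closure over the trust graph: a secret stored on a compromised
    host is compromised; every system trusting it is reachable; a reachable
    system that holds other secrets exposes those too. Returns (identities, systems)."""
    stored_by_host: dict[str, set[str]] = {}
    for ident in inventory.values():
        for host in ident.stored_on:
            stored_by_host.setdefault(host, set()).add(ident.name)
    reached, compromised = set(seed_hosts), set()
    queue = deque(seed_hosts)
    while queue:
        host = queue.popleft()
        for name in stored_by_host.get(host, ()):
            if name in compromised:
                continue
            compromised.add(name)
            for system in inventory[name].trusted_by:
                if system not in reached:
                    reached.add(system)
                    queue.append(system)
    return compromised, reached


def containment_plan(inventory: dict[str, MachineIdentity], seed_hosts: set[str]) -> list[dict]:
    """Ordered rotation list: unowned identities first (nobody can rotate them,
    so they need escalation), then widest blast radius, then by name."""
    compromised, _ = compromised_identities(inventory, seed_hosts)
    plan = []
    for name in compromised:
        ident = inventory[name]
        plan.append({
            "identity": name,
            "kind": ident.kind,
            "owner": ident.owner or "UNOWNED",
            "escalate": ident.owner is None,
            "action": ACTION_BY_KIND[ident.kind],
            "update_consumers_on": sorted(ident.stored_on),
            "revoke_trust_at": sorted(ident.trusted_by),
        })
    plan.sort(key=lambda p: (not p["escalate"], -len(p["revoke_trust_at"]), p["identity"]))
    return plan


def preincident_findings(inventory: dict[str, MachineIdentity], today: date,
                         max_age_days: int = 365) -> dict[str, list[str]]:
    """The audit that belongs before an incident: orphaned and stale identities."""
    orphaned = sorted(i.name for i in inventory.values() if i.owner is None)
    stale = sorted(i.name for i in inventory.values()
                   if (today - i.last_rotated).days > max_age_days)
    return {"orphaned": orphaned, "stale": stale}


if __name__ == "__main__":
    for step in containment_plan(INVENTORY, {"web-01"}):
        print(step)
    print(preincident_findings(INVENTORY, AS_OF))
```

Seeding the plan with web-01 pulls in db-backup-cert even though that certificate never lived on web-01: svc-web reaches db-01, and db-01 holds the certificate. That second hop is exactly what a host-only isolation step misses.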
Detection Logic Isn’t Built for Machine Behavior
Anomalous machine‑identity behavior doesn’t trigger alerts the way a compromised user account does.
- Unusual API‑call volumes
- Tokens used outside automation windows
- Service accounts authenticating from new locations
These require detection rules that most SOCs haven’t written.
- CrowdStrike survey: 85 % of security teams say traditional detection methods can’t keep pace with modern threats.
- Only 53 % have implemented AI‑powered threat detection.
Result: The detection logic that would catch machine‑identity abuse barely exists in most environments.
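The three rules listed above, run over constructed authentication events, as an added example in Python that is not code from the article or from any SOC product. The identities (svc-backup, api-key-billing, svc-legacy), address ranges, automation windows and per‑bucket ceilings are assumptions made for the example; a real deployment would derive the baselines from the machine‑identity inventory and from observed history. It also adds a fourth rule the text implies: an identity that authenticates but has no baseline at all is itself a finding.

```python
"""Detection rules for machine-identity abuse over constructed auth events.

Added example, not from the article or any SOC product. Identities, networks,
windows and events below are constructed sample data.
"""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Baseline:
    window_utc: tuple[int, int] | None  # (start_hour, end_hour) of the automation window; None = any time
    networks: tuple[str, ...]           # CIDRs the identity normally authenticates from
    max_calls_per_bucket: int           # expected ceiling per 5-minute bucket


@dataclass(frozen=True)
class Alert:
    rule: str
    identity: str
    detail: str


BUCKET = timedelta(minutes=5)
_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

# Constructed baselines (hypothetical identities and address ranges).
BASELINES: dict[str, Baseline] = {
    "svc-backup": Baseline((1, 3), ("10.20.0.0/16",), 50),
    "api-key-billing": Baseline(None, ("10.30.5.0/24", "203.0.113.0/24"), 100),
}


def _ts(hhmm: str) -> datetime:
    hour, minute = (int(x) for x in hhmm.split(":"))
    return datetime(2025, 3, 12, hour, minute, tzinfo=timezone.utc)


# Constructed sample events as (timestamp, identity, source_ip).
EVENTS = (
    [(_ts("02:10"), "svc-backup", "10.20.1.5")] * 3                  # normal nightly run
    + [(_ts("14:32"), "svc-backup", "10.20.1.5")]                    # outside its window
    + [(_ts("02:15"), "svc-backup", "198.51.100.7")]                 # in window, unknown network
    + [(_ts("09:00") + timedelta(seconds=i), "api-key-billing", "10.30.5.10") for i in range(150)]  # spike
    + [(_ts("11:00"), "api-key-billing", "203.0.113.9")]             # normal
    + [(_ts("11:05"), "svc-legacy", "10.30.5.11")]                   # no baseline: unknown identity
)


def _bucket(ts: datetime) -> datetime:
    """Floor a timestamp to the start of its 5-minute bucket."""
    return _EPOCH + BUCKET * ((ts - _EPOCH) // BUCKET)


def detect(events, baselines: dict[str, Baseline]) -> list[Alert]:
    alerts: list[Alert] = []
    fired: set[tuple] = set()        # one alert per (rule, identity, bucket), not per event
    counts: Counter = Counter()

    def fire(rule: str, identity: str, bucket, detail: str) -> None:
        if (rule, identity, bucket) not in fired:
            fired.add((rule, identity, bucket))
            alerts.append(Alert(rule, identity, detail))

    for ts, identity, ip in events:
        base = baselines.get(identity)
        bucket = _bucket(ts)
        if base is None:
            fire("no-baseline", identity, None,
                 f"not in the machine-identity inventory; first seen {ts:%H:%M} from {ip}")
            continue
        if base.window_utc and not (base.window_utc[0] <= ts.hour < base.window_utc[1]):
            fire("off-window", identity, bucket,
                 f"authenticated at {ts:%H:%M} UTC, window is "
                 f"{base.window_utc[0]:02d}:00-{base.window_utc[1]:02d}:00")
        if not any(ip_address(ip) in ip_network(n) for n in base.networks):
            fire("new-location", identity, bucket, f"source {ip} not in {base.networks}")
        counts[(identity, bucket)] += 1
        # Fire once when the ceiling is first crossed, not on every later call.
        if counts[(identity, bucket)] == base.max_calls_per_bucket + 1:
            fire("volume-spike", identity, bucket,
                 f"more than {base.max_calls_per_bucket} calls in bucket starting {bucket:%H:%M}")
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS, BASELINES):
        print(alert.rule, alert.identity, alert.detail)
```

The 150 billing calls at 09:00 come from a known network inside the identity’s permitted hours, so only the volume rule catches them; the backup account’s 14:32 login from its usual subnet trips only the window rule. Each rule covers a different abuse pattern, which is why the list above needs all three rather than a single “unusual login” heuristic.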
Stale Service Accounts Remain the Easiest Entry Point
Accounts that haven’t been rotated in years—often created by employees who left long ago—are the single weakest surface for machine‑based attacks.
- Gartner recommends strong authentication for “privileged users, such as database and infrastructure administrators and service accounts,” but places this guidance in the prevention section, not the containment playbook where it’s needed during an active incident.
- Orphan‑account audits and rotation schedules belong in pre‑incident preparation, not in post‑breach scrambles.
The Economics Make This Urgent Now
Agentic AI Will Multiply the Problem
- 87 % of security professionals say integrating agentic AI is a priority.
- 77 % are comfortable allowing autonomous AI to act without human oversight (Ivanti report).
- Only 55 % use formal guardrails.
Each autonomous agent creates new machine identities that authenticate, make decisions, and act independently. If organizations can’t govern today’s machine identities, they’ll soon face an order‑of‑magnitude increase in risk.
Ransomware Recovery Costs
- Gartner estimates total recovery costs at 10 × the ransom itself.
- CrowdStrike: average ransomware downtime cost = $1.7 M per incident (public sector = $2.5 M).
- 93 % of organizations that paid still had data stolen; 83 % were attacked again.
- Nearly 40 % could not fully restore data from backups.
Adversary groups now encrypt files remotely over SMB shares from unmanaged systems, never transferring the ransomware binary to a managed endpoint.
What Leaders Should Do Now
- Build a machine‑identity inventory and keep it up‑to‑date.
- Create detection rules for anomalous machine behavior (API volume spikes, off‑hours usage, new locations).
- Develop containment procedures that revoke trust across the entire identity chain, not just the compromised host.
- Integrate these controls into playbooks and test them in tabletop exercises.
If these additions survive the next tabletop exercise, they’ll be more likely to hold up in a real incident—closing the gap attackers are exploiting today and positioning the organization to govern the autonomous identities arriving tomorrow.