
The Overlooked Threat: Machine Credentials in Ransomware Attacks


Most ransomware playbooks don't address machine credentials. Attackers know it.

Ransomware Threats Outpacing Defenses: The Growing Preparedness Gap

The gap between ransomware threats and the defenses meant to stop them is widening, according to Ivanti’s 2026 State of Cybersecurity Report. The report revealed that the preparedness gap has increased by an average of 10 points year over year across all threat categories tracked by the firm. Ransomware emerged as the most concerning threat, with 63% of security professionals rating it as a high or critical threat. However, only 30% claim to be “very prepared” to defend against it, resulting in a 33-point gap that has grown from 29 points in the previous year.

CyberArk’s 2025 Identity Security Landscape report highlighted the significant imbalance in organizations, with 82 machine identities for every human. Of these machine identities, 42% have privileged or sensitive access.

The Blind Spot in Playbook Frameworks

Gartner’s ransomware preparation guidance, outlined in the April 2024 research note “How to Prepare for Ransomware Attacks,” emphasizes the importance of resetting “impacted user/host credentials” during containment. However, the accompanying Ransomware Playbook Toolkit falls short by not addressing service accounts, API keys, tokens, and certificates. This omission leaves organizations exposed without their realizing it.

Gartner warns that “poor identity and access management (IAM) practices” are a primary starting point for ransomware attacks, with compromised credentials being used to gain access through initial access brokers and dark web data dumps. Despite this, the playbook fails to address the containment of machine identities, which are crucial in preventing ransomware attacks.

The Urgency of Addressing the Readiness Deficit

Ivanti’s report highlights the widening preparedness gap across various threat categories, including ransomware, phishing, software vulnerabilities, API-related vulnerabilities, and supply chain attacks. The lack of preparedness is concerning, as organizations fall behind in defending their data, people, and networks against evolving threats.


Daniel Spicer, Ivanti’s Chief Security Officer, coined the term “Cybersecurity Readiness Deficit” to describe the persistent imbalance in organizations’ ability to defend against threats. Despite optimism about the potential of AI in cybersecurity, companies are struggling to keep up with the evolving threat landscape.

The Impact Across Industries

CrowdStrike’s 2025 State of Ransomware Survey reveals the impact of the readiness deficit across industries. Manufacturers and public sector organizations face challenges in recovering from ransomware attacks, with only a small percentage able to recover within 24 hours. Many organizations invest in general security improvements without addressing the specific vulnerabilities that allowed attackers to gain access.

Despite FBI guidance against paying ransom, 54% of organizations are willing to consider payment if hit by ransomware. This willingness underscores the lack of containment alternatives, particularly in machine identity procedures.

Challenges in Machine Identity Playbooks

Current ransomware response procedures give little consideration to machine identities, even though they are central to preventing lateral movement and containing attacks. Key challenges include:

Credential Resets for Machines

Resetting employee passwords post-incident does not address compromised service accounts, API keys, tokens, or certificates. Machine credentials require a distinct approach that is often missing in containment procedures.

Lack of Machine Identity Inventories

Many organizations fail to inventory machine identities pre-incident, leading to delays in responding to breaches. Discovering machine identities mid-breach can be time-consuming and costly.

Inadequate Network Isolation

Network isolation measures do not revoke trust chains associated with machine identities. Adversaries can exploit this weakness by harvesting credentials for persistence before deploying ransomware.

Insufficient Detection Logic

Traditional detection methods may not capture anomalous machine identity behavior, such as unusual API call volumes or unauthorized access. Security teams need to implement AI-powered threat detection to keep pace with modern threats.


Stale Service Accounts as Vulnerabilities

Stale service accounts pose a significant risk as they are often overlooked and remain unchanged for years. Security teams must prioritize auditing and rotating service accounts to prevent machine-based attacks.
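As an added illustration of the inventory, detection and containment points above (this is example code written for this piece, not from the article or from any of the reports it cites), the following Python sketch runs two simple checks over a constructed machine-identity inventory: a staleness check on credential rotation dates and a volume check on daily API-call counts against each identity's own historical median, then orders identities for credential rotation during containment. The inventory records, the 365-day rotation window and the 5x spike factor are all assumed values.

```python
from datetime import date
from statistics import median

# Constructed sample inventory (not real data): each machine identity with its
# credential type, last rotation date and the last seven days of API-call counts.
INVENTORY = [
    {"id": "svc-backup", "type": "service_account", "rotated": date(2019, 3, 1),
     "daily_calls": [120, 118, 131, 125, 122, 119, 1240]},
    {"id": "ci-deploy", "type": "api_key", "rotated": date(2025, 11, 2),
     "daily_calls": [40, 42, 39, 41, 44, 38, 43]},
    {"id": "edr-collector", "type": "certificate", "rotated": date(2023, 6, 14),
     "daily_calls": [900, 880, 910, 895, 905, 890, 0]},
]


def stale_identities(inventory, today, max_age_days=365):
    """Return ids whose credential has not been rotated within max_age_days
    (assumed threshold)."""
    return [m["id"] for m in inventory if (today - m["rotated"]).days > max_age_days]


def volume_anomalies(inventory, factor=5.0):
    """Flag identities whose latest daily call count exceeds `factor` times their
    historical median, or that went silent while they normally produce traffic
    (a collector that stops reporting is itself worth a look). Returns id -> reason."""
    findings = {}
    for m in inventory:
        *history, latest = m["daily_calls"]
        baseline = median(history)
        if baseline > 0 and latest == 0:
            findings[m["id"]] = "went_silent"
        elif latest > factor * baseline:
            findings[m["id"]] = f"spike x{latest / baseline:.1f}"
    return findings


def containment_order(inventory, today):
    """Order identities for credential rotation during containment: anomalous
    and stale first, then anomalous, then stale, then everything else."""
    stale = set(stale_identities(inventory, today))
    anomalous = volume_anomalies(inventory)
    # sorted() is stable, so ties keep inventory order
    return [m["id"] for m in sorted(
        inventory, key=lambda m: (m["id"] in anomalous, m["id"] in stale), reverse=True)]


if __name__ == "__main__":
    today = date(2026, 1, 15)  # assumed incident date
    print("stale:", stale_identities(INVENTORY, today))
    print("anomalies:", volume_anomalies(INVENTORY))
    print("rotate in this order:", containment_order(INVENTORY, today))
```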

Addressing the Urgency and Economic Impact

The rise of agentic AI poses a new challenge in managing machine identities, with security professionals prioritizing AI integration but lacking formal guardrails. The economic impact of ransomware attacks is substantial, with recovery costs averaging 10 times the ransom amount.

By incorporating machine identity inventory, detection rules, and containment procedures into their playbooks, security leaders can bridge the gap in defending against ransomware threats and prepare for the influx of autonomous identities. The time to act is now to prevent further exploitation by attackers and safeguard against future threats.