By Garrett Kohlrusch | GK Data LLC
The word “ransomware” still conjures an image of something forcing its way in — exploiting a vulnerability, bypassing a firewall, cracking through defenses. That mental model is outdated, and it’s part of why organizations keep getting hit despite investing in security tools.
Modern ransomware operations don’t need to break in. They log in.
The typical ransomware intrusion in 2025 starts with a credential — stolen via phishing, purchased from an initial access broker on a criminal marketplace, or pulled from a previous breach and found to still work because the password was never rotated. From there, the attacker moves through the environment using legitimate access, legitimate tools, and legitimate-looking behavior. By the time encryption begins, they’ve often been present for days or weeks.
The perimeter security model — keep the bad actors out, trust what’s inside — doesn’t address this. An attacker with valid credentials is inside. If everything inside is trusted, the attacker is too.
Why Traditional Defenses Fall Short
Firewalls and antivirus were designed for a threat model that assumes the malicious thing looks different from the legitimate thing. Malware looks different from normal executables. Intrusion looks different from normal network traffic.
That assumption doesn’t hold when the attacker is using your own credentials, your own remote access tools, and your own legitimate administrative functions to move through the environment. Behavior that’s indistinguishable from normal operations won’t trigger signature-based detection. And if your monitoring is primarily perimeter-focused, lateral movement inside the network may go undetected entirely.
The ransomware groups that consistently succeed aren't necessarily the most technically sophisticated. They're the most patient. They take time to understand the environment, identify the backup infrastructure, escalate privileges, and position themselves before triggering encryption. Encryption is the last step, not the intrusion: everything leading up to it is where the attacker's access is actually established, and it is also the window in which a defender can still catch them.
What Zero Trust Actually Means
Zero Trust gets invoked as a buzzword frequently enough that it’s worth being precise about what it actually requires.
The core principle is this: no user, device, or network connection is trusted by default — regardless of where it originates. Access to any resource requires authentication, authorization, and continuous verification. Being inside the network perimeter grants nothing on its own.
In practice, Zero Trust means several things implemented together:
Identity is the perimeter. Every access request is authenticated at the time of the request, not assumed to be legitimate because it came from an internal IP. Multi-factor authentication is not optional — it’s the baseline. Privileged accounts require stronger verification than standard ones, and administrative access should be time-limited where possible.
Least privilege is enforced, not assumed. Users and systems have access to what they need for their function — nothing more. An employee whose credentials are compromised should not be able to reach systems their role has no reason to touch. Lateral movement depends on over-permissioned accounts; restricting permissions limits the blast radius when credentials are stolen.
Microsegmentation limits lateral movement. Rather than a flat network where everything can reach everything, network segments are divided so that access between them requires explicit authorization. A compromised endpoint in one segment can't freely communicate with systems in another. This is one of the most effective controls against ransomware spread: the attacker can't pivot from a workstation to the backup infrastructure if the network doesn't permit that communication. The rules have to be default-deny with narrow explicit allows (for instance, the backup server accepts connections only from the backup proxy, on the backup port), and they need to be reviewed as systems are added, or the exception list quietly grows back into a flat network.
Monitoring assumes breach. Zero Trust treats compromise as an eventual certainty, not a remote possibility. Logging is comprehensive, and logs are forwarded to a store the monitored hosts cannot modify, because operators routinely clear local event logs before encryption. Behavioral anomalies, such as unusual login times, unexpected lateral connections, a burst of denied MFA prompts followed by an approval, or bulk file access, trigger alerts rather than passing unnoticed. The question isn't just whether someone got in, but whether you'd know.
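The detection logic below is an added example, not code from the article or from GK Data; it runs the anomaly rules just described (off-hours login, lateral connection into the backup segment, bulk file access, and the push prompt fatigue pattern the article mentions later) over a few constructed log lines. The log format, host names, business hours and thresholds are all assumptions for the demo, not a real product's schema.

```python
"""Behavioral anomaly detection over constructed authentication and
connection logs. Added example, not code from the article; the log format,
host names, business hours and thresholds are all assumptions."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, time, timedelta

# Constructed sample events. Format (assumed):
# <ISO timestamp> <user> <login|smb> <source host> <destination host> key=value...
SAMPLE_LOG = """\
2025-03-10T09:05:12 jdoe login ws-114 dc01 mfa=push:approved
2025-03-10T09:06:40 jdoe smb ws-114 fs01 files=12
2025-03-10T12:15:03 jdoe login ws-114 dc01 mfa=push:approved
2025-03-10T23:41:08 svc-admin login vpn-gw dc01 mfa=push:denied
2025-03-10T23:41:31 svc-admin login vpn-gw dc01 mfa=push:denied
2025-03-10T23:42:02 svc-admin login vpn-gw dc01 mfa=push:denied
2025-03-10T23:42:40 svc-admin login vpn-gw dc01 mfa=push:denied
2025-03-10T23:43:15 svc-admin login vpn-gw dc01 mfa=push:approved
2025-03-10T23:50:22 svc-admin smb ws-114 bkp01 files=3
2025-03-11T00:10:05 svc-admin smb ws-114 fs01 files=2400
"""

BUSINESS_HOURS = (time(7, 0), time(19, 0))   # assumed local working window
WORKSTATION_PREFIX = "ws-"                    # assumed host naming convention
PROTECTED_HOSTS = {"bkp01"}                   # assumed backup segment


@dataclass
class Event:
    ts: datetime
    user: str
    kind: str        # "login" (an authentication) or "smb" (a file-share connection)
    src: str
    dst: str
    detail: dict


def parse_log(text):
    """Parse the constructed format above into Event objects, in file order."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, kind, src, dst, *rest = line.split()
        detail = dict(item.split("=", 1) for item in rest)
        events.append(Event(datetime.fromisoformat(ts), user, kind, src, dst, detail))
    return events


def off_hours_logins(events):
    """Successful logins outside business hours."""
    start, end = BUSINESS_HOURS
    return [("off_hours_login", e.user, e.ts) for e in events
            if e.kind == "login" and e.detail.get("mfa") == "push:approved"
            and not (start <= e.ts.time() < end)]


def mfa_prompt_fatigue(events, min_denials=3, window=timedelta(minutes=10)):
    """An approval preceded by several denied push prompts within the window:
    the user was bombarded with prompts until one was accepted."""
    alerts = []
    by_user = defaultdict(list)
    for e in events:
        if e.kind == "login" and "mfa" in e.detail:
            by_user[e.user].append(e)
    for user, evs in by_user.items():
        for i, e in enumerate(evs):
            if e.detail["mfa"] != "push:approved":
                continue
            denials = [p for p in evs[:i]
                       if p.detail["mfa"] == "push:denied" and e.ts - p.ts <= window]
            if len(denials) >= min_denials:
                alerts.append(("mfa_prompt_fatigue", user, e.ts))
    return alerts


def lateral_to_protected(events):
    """Any non-login connection from a workstation into the protected segment.
    Segmentation should block this; the alert catches a rule that does not."""
    return [("lateral_to_protected", e.user, e.ts) for e in events
            if e.kind != "login" and e.src.startswith(WORKSTATION_PREFIX)
            and e.dst in PROTECTED_HOSTS]


def bulk_file_access(events, threshold=1000):
    """A single share session touching far more files than normal use does."""
    return [("bulk_file_access", e.user, e.ts) for e in events
            if e.kind == "smb" and int(e.detail.get("files", 0)) >= threshold]


def detect(text):
    """Run every rule and return alerts as (rule, user, timestamp), ordered by time."""
    events = parse_log(text)
    alerts = (off_hours_logins(events) + mfa_prompt_fatigue(events)
              + lateral_to_protected(events) + bulk_file_access(events))
    return sorted(alerts, key=lambda a: a[2])


if __name__ == "__main__":
    for rule, user, ts in detect(SAMPLE_LOG):
        print(f"{ts.isoformat()} {rule:22} {user}")
```

Against the sample, every alert lands on svc-admin and none on jdoe, which is the point: each rule on its own is noisy, but a service account that logs in at night after four denied prompts, then touches the backup host from a workstation and reads thousands of files, is the sequence that precedes encryption. In production the thresholds and the protected-host list come from your own baseline, and the rules run over forwarded logs, not the host's local copy.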
Backups are isolated and tested. Ransomware operators specifically target backup infrastructure because destroying the backup removes the recovery option. Backups that are reachable over the network with credentials the attacker already holds get deleted or encrypted along with everything else; a backup server joined to the domain and administered with domain admin accounts is the common failure. Offline or immutable copies in a separate environment, under separate credentials, are not reachable that way. And backups that haven't been tested for recovery are assumptions, not guarantees: a restore test should run on a schedule and compare what came back against what was backed up, not just confirm that the backup job reported success.
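The script below is an added example, not code from the article or from GK Data, showing what a restore test that checks content rather than job status looks like: it archives a constructed directory with a SHA-256 manifest, restores the archive into a clean directory, and compares every file against the manifest. It then runs the same check against an archive taken before a file was added, to show the test reporting a gap. Paths and file contents are constructed for the demo; the manifest itself would be kept with the offline copy, not beside the live data.

```python
"""Restore test for a tar backup: build an archive with a SHA-256 manifest,
restore it into a clean directory, and confirm every file comes back intact.
Added example; paths and file contents are constructed for the demo."""
import hashlib
import os
import tarfile
import tempfile


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_backup(src_dir, archive_path):
    """Archive src_dir and return a manifest {relative_path: sha256}.
    Store the manifest separately from the archive (with the offline copy)
    so an attacker who can rewrite the archive cannot rewrite the check too."""
    manifest = {}
    with tarfile.open(archive_path, "w:gz") as tar:
        for root, _dirs, files in os.walk(src_dir):
            for name in sorted(files):
                full = os.path.join(root, name)
                rel = os.path.relpath(full, src_dir)
                manifest[rel] = sha256_file(full)
                tar.add(full, arcname=rel)
    return manifest


def restore_and_verify(archive_path, manifest, restore_dir):
    """Extract into restore_dir and compare every manifest entry by hash.
    Returns a dict with an ok flag plus the missing and mismatched paths."""
    # Use the 'data' extraction filter where this Python provides it, so a
    # tampered archive cannot write outside restore_dir.
    kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    try:
        with tarfile.open(archive_path, "r:gz") as tar:
            tar.extractall(restore_dir, **kwargs)
    except (tarfile.TarError, OSError) as exc:
        return {"ok": False, "error": str(exc),
                "missing": sorted(manifest), "mismatched": []}
    missing, mismatched = [], []
    for rel, digest in manifest.items():
        path = os.path.join(restore_dir, rel)
        if not os.path.isfile(path):
            missing.append(rel)
        elif sha256_file(path) != digest:
            mismatched.append(rel)
    return {"ok": not missing and not mismatched,
            "missing": sorted(missing), "mismatched": sorted(mismatched)}


def run_restore_test():
    """Build a backup of a constructed tree, then run two restore tests:
    the current archive (must pass) and a stale archive taken before a file
    was added (must report that file missing). Returns both results."""
    with tempfile.TemporaryDirectory() as work:
        src = os.path.join(work, "src")
        os.makedirs(os.path.join(src, "finance"))
        with open(os.path.join(src, "finance", "ledger.csv"), "w") as f:
            f.write("date,amount\n2025-03-10,100\n")
        stale_archive = os.path.join(work, "stale.tgz")
        build_backup(src, stale_archive)          # taken before payroll.csv existed
        with open(os.path.join(src, "finance", "payroll.csv"), "w") as f:
            f.write("name,net\nexample,1\n")
        archive = os.path.join(work, "current.tgz")
        manifest = build_backup(src, archive)
        # Simulate ransomware on the live data: the restore must not depend on it.
        with open(os.path.join(src, "finance", "ledger.csv"), "wb") as f:
            f.write(b"ENCRYPTED")
        good = restore_and_verify(archive, manifest, os.path.join(work, "restore1"))
        stale = restore_and_verify(stale_archive, manifest, os.path.join(work, "restore2"))
    return good, stale


if __name__ == "__main__":
    good, stale = run_restore_test()
    print("current archive:", good)
    print("stale archive:  ", stale)
```

The stale-archive case is the one that matters operationally: the backup job that produced it reported success, and only a restore compared against an independent record shows that the newest file is not in it.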
The Gap Between Having Tools and Having Controls
Many organizations have some of these components already — an MFA solution, a backup system, a monitoring platform. What’s less common is having them configured correctly, maintained, and tested.
MFA that can be bypassed through SIM swapping, push prompt fatigue, or real-time phishing of one-time codes isn't the control it appears to be; phishing-resistant factors (FIDO2/WebAuthn security keys or platform authenticators) close those paths and belong on every privileged account at minimum. Backups stored in the same environment as the systems they protect aren't isolated. Monitoring that generates alerts no one reviews isn't monitoring. The gap between having a tool and having a functioning control is where ransomware operators consistently find their opening.
A Zero Trust architecture isn’t a product you buy. It’s a set of verified, tested controls that reduce the attacker’s ability to move, escalate, and persist after the inevitable initial compromise.
How GK Data LLC Can Help
Understanding your actual exposure requires testing, not assumption. We assess the controls organizations have in place — authentication configuration, network segmentation, privilege structures, backup architecture — from the perspective of someone trying to exploit them.
If you’ve never had that assessment, or if your environment has grown substantially since the last one, the controls you think you have may not be performing the way you expect.
[email protected] | gkdata.io
GK Data LLC — Minneapolis, MN. Web application security and managed IT services.