How Hybrid Work and Cloud Adoption Are Changing Enterprise Ransomware Risk

Key Takeaways

Five years ago, enterprise ransomware risk was mostly a perimeter problem. Today it’s an identity problem, a visibility problem, and a cloud configuration problem, all at once. Hybrid work and cloud adoption didn’t just shift where people work. They fundamentally changed where ransomware attacks begin, how far they reach, and how long they go undetected.

What Changed: Why Hybrid Work and Cloud Adoption Caused It

Before distributed work became standard, most enterprise endpoints sat on managed corporate networks. Active Directory was on-premises. Cloud workloads were limited. The attack surface was relatively bounded and mostly visible from the perimeter.

Three shifts changed that simultaneously. First, remote work pushed endpoints onto home networks and personal devices, outside EDR coverage, outside asset management, outside the visibility of security tools entirely. Second, cloud adoption moved critical workloads, sensitive data, and identity systems off-premises and into environments where east-west traffic between systems goes largely unmonitored. Third, hybrid identity, specifically the synchronization layer connecting on-premises AD to cloud identity platforms like Entra ID, created high-privilege account bridges that most organizations never hardened or adequately monitored.

Each of those shifts independently expanded the ransomware attack surface. Together, they created conditions where attackers can gain initial access through a credential stolen off a personal laptop, move laterally through cloud infrastructure without triggering a single alert, and destroy backup infrastructure via API before anyone detects them. None of that attack chain was possible at the same scale before 2020.

The data reflects it. Ransomware appeared in 44% of all confirmed breaches [1] in the Verizon 2025 DBIR, up from 32% the prior year. That 12-point increase didn’t come from new malware. It came from a wider, harder-to-monitor attack surface that hybrid infrastructure created. IBM’s 2025 breach data [2] shows breaches crossing multiple environments now cost $5.05M on average and take 276 days to contain, the worst numbers of any configuration, driven directly by the detection gaps hybrid environments introduce.

How Hybrid Work and Cloud Adoption Changed the Ransomware Attack Surface

The numbers quantify what those three structural shifts produced. In 2025, ransomware showed up in 44% of confirmed breaches globally, up from 32% the year before. US organizations absorbed this hardest: average data breach costs hit $10.22M, an all-time high, compared to $4.44M globally. Multi-environment breaches averaged $5.05M and 276 days to contain, the worst cost and dwell time of any infrastructure configuration.

44%: of all confirmed breaches involved ransomware in 2025, the highest rate recorded

$10.22M: average US data breach cost in 2025, an all-time record high

276 days: average time to identify and contain a multi-environment breach

Top Ransomware Risks Introduced by Hybrid Work and Cloud Adoption

Six specific risks account for most of what’s changing. Each one maps to confirmed attack patterns in 2025 CISA advisories, IBM X-Force IR data, and Microsoft Threat Intelligence, not projections.

1. Credential theft via infostealer malware on unmanaged devices

Per Verizon DBIR 2025, compromised credentials were the initial access vector in 22% of breaches. 46% of devices turning up in infostealer logs with corporate login data were unmanaged personal endpoints, entirely outside enterprise monitoring. The credentials get scraped off those devices, packaged, and sold. A ransomware affiliate buys access and authenticates with a valid username and password. Nothing looks suspicious. 54% of organizations that appeared on extortion sites had already shown up in at least one infostealer log beforehand. The signal was there.
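The control that follows from this risk is to watch infostealer credential feeds for your own domains and to treat a hit from an unmanaged device as a forced reset, not a ticket. The script below is an added example, not code from the original article or from Fidelis: it parses a constructed feed in a simple "url|username|password|host" layout (real feeds vary), matches the login URL against an assumed corporate domain list including subdomains, deduplicates repeat dumps of the same credential, and ranks hits from devices missing in an assumed MDM/EDR inventory first, since those have no endpoint telemetry behind them.

```python
"""Triage constructed infostealer log lines against a corporate domain list.

Added example, not part of the original article. The log layout, the domain
list, the managed-device inventory and every sample line are assumptions made
up for this demonstration.
"""
from __future__ import annotations

from dataclasses import dataclass
from urllib.parse import urlsplit

# Corporate web properties whose logins we care about (assumption).
CORPORATE_DOMAINS = {"example.com", "vpn.example.com", "example.sharepoint.com"}

# Hostnames enrolled in MDM/EDR (assumption: an export from the asset inventory).
MANAGED_HOSTS = {"LT-FIN-0142", "LT-ENG-0377"}

# Constructed feed lines in a "url|username|password|host" layout.
# Line 3 is a lookalike domain that must NOT match; line 5 repeats line 1.
SAMPLE_FEED = """\
https://vpn.example.com/remote/login|j.doe@example.com|Winter2025!|DESKTOP-9X3K2
https://example.sharepoint.com/sites/finance|a.lee@example.com|hunter2|LT-FIN-0142
https://mail.notexample.com/owa|j.doe@example.com|Winter2025!|DESKTOP-9X3K2
https://portal.example.com/|svc-backup@example.com|B@ckup123|SRV-BKP-01
https://vpn.example.com/remote/login|j.doe@example.com|Winter2025!|DESKTOP-9X3K2
"""


@dataclass(frozen=True)
class Hit:
    username: str
    target: str       # corporate host the credential belongs to
    source_host: str  # machine the stealer ran on
    managed: bool     # True if that machine is in the MDM/EDR inventory


def _matches_corporate(hostname: str) -> bool:
    """True if hostname is a corporate domain or a subdomain of one.

    The leading dot stops 'notexample.com' from matching 'example.com'.
    """
    hostname = hostname.lower()
    return any(hostname == d or hostname.endswith("." + d) for d in CORPORATE_DOMAINS)


def triage(feed: str) -> list[Hit]:
    """Parse a feed, keep corporate credentials only, dedupe, unmanaged devices first."""
    hits: set[Hit] = set()
    for line in feed.splitlines():
        if not line.strip():
            continue
        try:
            url, user, _password, host = line.split("|", 3)
        except ValueError:
            continue  # malformed line: skip rather than crash on a dirty feed
        target = urlsplit(url).hostname or ""
        if not _matches_corporate(target):
            continue
        hits.add(Hit(user, target, host, host in MANAGED_HOSTS))
    # False sorts before True, so unmanaged sources come first.
    return sorted(hits, key=lambda h: (h.managed, h.username, h.target))


def reset_list(hits: list[Hit]) -> list[str]:
    """Accounts that need a forced password reset and session/token revocation."""
    return sorted({h.username for h in hits})


if __name__ == "__main__":
    for h in triage(SAMPLE_FEED):
        print(("UNMANAGED " if not h.managed else "managed   ") + f"{h.username} -> {h.target} from {h.source_host}")
    print("reset:", reset_list(triage(SAMPLE_FEED)))
```

The password column is deliberately never stored or printed; the feed tells you which accounts are burned, and that is all the triage step needs.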

2. Unpatched VPN appliances and remote access tools as the most common entry point

Vulnerability exploitation grew 34% year over year as an initial access method and is now behind 20% of breaches, per Verizon DBIR 2025. VPN appliances are the primary target. They sit at the boundary between corporate networks and the internet, frequently go unpatched, and provide direct network access when exploited. The CISA/FBI Akira advisory updated November 2025 [3] lists unpatched VPN products and backup servers as the group’s primary entry method. Akira had pulled approximately $244M in proceeds by late September 2025. That’s what exploiting a single unpatched appliance class at scale produces.

3. Hybrid identity misconfigurations enabling on-premises to cloud pivot

Storm-0501, documented by Microsoft Threat Intelligence in August 2025 [4], got into on-premises Active Directory, found the Entra Connect (formerly Azure AD Connect) sync account, compromised it, and used it to authenticate into Entra ID as Global Administrator. No malware. Just a legitimate sync credential that carried too much privilege and wasn’t being watched. IBM X-Force [5] confirmed this exact pattern across multiple 2025 IR engagements. The sync component is the specific crossing point: high privilege, under-monitored, and rarely hardened to match what it can access.
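Two cheap checks catch most abuse of that crossing point: the sync identity should only ever authenticate non-interactively, from the Entra Connect servers, through the sync client, and it should hold no directory role beyond the one sync requires. The code below is an added example, not from the original article, from Microsoft, or from Fidelis. It runs both checks over constructed records whose field names loosely follow Entra ID sign-in log exports; the server IP range, the expected client app display name, the tenant name and the role membership data are all assumptions.

```python
"""Flag anomalous use of hybrid identity sync accounts in constructed sign-in records.

Added example, not from the original article or from Microsoft. Field names are a
simplified version of Entra ID sign-in log exports; the allowlist, the expected
app name, the tenant, the sample records and the role data are assumptions.
"""
from __future__ import annotations

import ipaddress
import json

# Assumption: only the Entra Connect servers, on this range, should ever
# authenticate as the sync account.
SYNC_SERVER_RANGES = [ipaddress.ip_network("10.20.5.0/28")]

# Assumption: display name of the client the sync account legitimately uses.
EXPECTED_SYNC_APP = "Microsoft Entra Connect"

# The on-prem MSOL_* account and the cloud Sync_* account are the two halves
# of the sync bridge; this is the only cloud role the bridge should hold.
ALLOWED_SYNC_ROLES = {"Directory Synchronization Accounts"}


def is_sync_identity(upn: str) -> bool:
    """Match the default naming of both halves of the sync bridge."""
    local = upn.split("@", 1)[0].lower()
    return local.startswith("sync_") or local.startswith("msol_")


def _from_known_server(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in SYNC_SERVER_RANGES)


def check_signins(jsonl: str) -> list[dict]:
    """One finding per rule violation by a sync identity; other users are ignored."""
    findings = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        upn = rec["userPrincipalName"]
        if not is_sync_identity(upn):
            continue
        reasons = []
        if not _from_known_server(rec["ipAddress"]):
            reasons.append("sync account used from outside the Entra Connect server range")
        if rec.get("isInteractive"):
            reasons.append("interactive sign-in by a sync account")
        if rec.get("appDisplayName") != EXPECTED_SYNC_APP:
            reasons.append(f"unexpected client app: {rec.get('appDisplayName')}")
        for r in reasons:
            findings.append({"user": upn, "ip": rec["ipAddress"], "reason": r})
    return findings


def check_roles(role_members: dict[str, list[str]]) -> list[dict]:
    """A sync identity in any role beyond the sync role is a privilege-bridge finding."""
    findings = []
    for role, members in role_members.items():
        if role in ALLOWED_SYNC_ROLES:
            continue
        for upn in members:
            if is_sync_identity(upn):
                findings.append({"user": upn, "role": role, "reason": "sync account holds admin role"})
    return findings


# Constructed records: a legitimate sync, the same account from a workstation
# range, the same account interactively through the portal from the internet,
# and an ordinary user that the rules must not touch.
SAMPLE_SIGNINS = "\n".join(json.dumps(r) for r in [
    {"userPrincipalName": "Sync_ADC01_7f3a@contoso.onmicrosoft.com", "ipAddress": "10.20.5.4",
     "appDisplayName": "Microsoft Entra Connect", "isInteractive": False},
    {"userPrincipalName": "Sync_ADC01_7f3a@contoso.onmicrosoft.com", "ipAddress": "10.30.77.19",
     "appDisplayName": "Microsoft Entra Connect", "isInteractive": False},
    {"userPrincipalName": "Sync_ADC01_7f3a@contoso.onmicrosoft.com", "ipAddress": "203.0.113.8",
     "appDisplayName": "Azure Portal", "isInteractive": True},
    {"userPrincipalName": "j.doe@contoso.com", "ipAddress": "203.0.113.8",
     "appDisplayName": "Azure Portal", "isInteractive": True},
])

# Constructed role membership: the sync account has been granted Global Administrator.
SAMPLE_ROLES = {
    "Directory Synchronization Accounts": ["Sync_ADC01_7f3a@contoso.onmicrosoft.com"],
    "Global Administrator": ["admin@contoso.com", "Sync_ADC01_7f3a@contoso.onmicrosoft.com"],
}

if __name__ == "__main__":
    for f in check_signins(SAMPLE_SIGNINS) + check_roles(SAMPLE_ROLES):
        print(f)
```

The role check is the one to run first: a sync account that already sits in Global Administrator means the bridge is wide open regardless of what the sign-in logs show, which is the Storm-0501 scenario described above.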

4. No east-west visibility inside cloud environments during lateral movement

Only 17% of organizations have full east-west visibility inside their cloud environments. That’s from Check Point’s Cloud Security Report 2025, which surveyed 900+ CISOs. The other 83% can’t see what moves between their cloud workloads. Ransomware groups run reconnaissance, map systems, and escalate privileges inside that blind spot. By the time detection rules trigger on endpoint behavior, the attacker has already been in the environment for days mapping it out and identifying sensitive data to exfiltrate.

5. Cloud backup destruction eliminating rapid recovery options

If backup management runs inside the same cloud tenant an attacker controls, wiping it is a few API calls. Groups like Storm-0501 do this before deploying encryption: destroy recovery options first, then encrypt. Sophos surveyed 1,733 enterprise organizations [6] between January and March 2025. Backup use as a recovery method dropped to 53%, a four-year low, down from 73% the prior year. That number fell because backups are being destroyed, not because organizations stopped making them. Immutable backups isolated from the primary cloud tenant are the primary counter, and they need to be tested to confirm the isolation actually holds.


6. Data exfiltration enabling double extortion before file encryption

In double-extortion operations, data walks out before encryption starts. Cloud APIs and storage services make exfiltration fast enough that by the time a ransom note arrives, the sensitive data is already somewhere else. Paying to decrypt files doesn’t solve that. FBI IC3 2024 [7] shows ransomware complaints up 9% year over year, with double extortion tactics concentrated in healthcare, manufacturing, and financial services, sectors where data exposure causes regulatory consequences on top of operational ones.
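Risks 4 and 6 are both visible in flow data if anyone is looking at it: reconnaissance shows up as one source touching many internal hosts in a short window, and staging for exfiltration shows up as egress far above that source's own history. The code below is an added example, not from the original article or from any vendor product. It runs both detections over constructed flow records in an assumed "hour,src,dst,dport,bytes_out" layout; the internal address range, the fan-out threshold, the MAD multiplier and all sample flows are assumptions. The egress baseline uses median and median absolute deviation rather than mean and standard deviation so that a single earlier burst cannot inflate the baseline and hide the next one.

```python
"""Two detections over constructed east-west and egress flow records.

Added example, not from the original article or any vendor product. The flow
layout, thresholds, address ranges and all sample data are assumptions made
for this demonstration.
"""
from __future__ import annotations

import ipaddress
from collections import defaultdict
from statistics import median

INTERNAL = [ipaddress.ip_network("10.0.0.0/8")]  # assumption: the internal range

# Assumption: thresholds a team would tune against its own environment.
FANOUT_THRESHOLD = 20    # distinct internal destinations from one source in one hour
MAD_MULTIPLIER = 5.0     # how far above the robust baseline counts as anomalous
MIN_BASELINE_HOURS = 6   # hours of history needed before judging a source


def _is_internal(ip: str) -> bool:
    a = ipaddress.ip_address(ip)
    return any(a in n for n in INTERNAL)


def parse_flows(text: str) -> list[dict]:
    """Parse 'hour,src,dst,dport,bytes_out' lines; '#' lines are comments."""
    flows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        hour, src, dst, dport, nbytes = line.split(",")
        flows.append({"hour": int(hour), "src": src, "dst": dst,
                      "dport": int(dport), "bytes": int(nbytes)})
    return flows


def recon_fanout(flows: list[dict]) -> list[dict]:
    """Sources touching many distinct internal hosts in one hour: enumeration behaviour."""
    seen: dict[tuple[int, str], set[str]] = defaultdict(set)
    for f in flows:
        if _is_internal(f["src"]) and _is_internal(f["dst"]):
            seen[(f["hour"], f["src"])].add(f["dst"])
    return [{"hour": h, "src": s, "distinct_dsts": len(d)}
            for (h, s), d in sorted(seen.items()) if len(d) >= FANOUT_THRESHOLD]


def exfil_outliers(flows: list[dict], current_hour: int) -> list[dict]:
    """Sources whose egress in current_hour is far above their own robust hourly baseline."""
    egress: dict[str, dict[int, int]] = defaultdict(lambda: defaultdict(int))
    for f in flows:
        if _is_internal(f["src"]) and not _is_internal(f["dst"]):
            egress[f["src"]][f["hour"]] += f["bytes"]
    findings = []
    for src, per_hour in egress.items():
        history = [v for h, v in per_hour.items() if h < current_hour]
        if len(history) < MIN_BASELINE_HOURS:
            continue  # too little history to judge; a brand-new host needs a different rule
        med = median(history)
        mad = median(abs(v - med) for v in history) or 1.0  # guard against zero spread
        now = per_hour.get(current_hour, 0)
        if now > med + MAD_MULTIPLIER * mad:
            findings.append({"src": src, "bytes": now, "baseline_median": med})
    return findings


def _build_sample() -> str:
    """Constructed flows: two laptops with steady small egress for hours 0-6.
    In hour 7, 10.0.1.50 sweeps 25 internal hosts on 445 and then pushes 800 MB
    to an external address; 10.0.1.51 stays normal."""
    lines = ["# hour,src,dst,dport,bytes_out"]
    for h in range(7):
        lines.append(f"{h},10.0.1.50,198.51.100.10,443,{1_000_000 + h * 50_000}")
        lines.append(f"{h},10.0.1.51,198.51.100.10,443,{900_000 + h * 10_000}")
    for i in range(25):
        lines.append(f"7,10.0.1.50,10.0.2.{i + 1},445,2000")
    lines.append("7,10.0.1.50,198.51.100.77,443,800000000")
    lines.append("7,10.0.1.51,198.51.100.10,443,950000")
    return "\n".join(lines)


SAMPLE_FLOWS = _build_sample()

if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    print("recon:", recon_fanout(flows))
    print("exfil:", exfil_outliers(flows, current_hour=7))
```

Both detections need flow records from inside the cloud network, not just at the perimeter: the fan-out rule only sees internal-to-internal traffic, which is exactly the east-west blind spot the article describes.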

Verizon DBIR 2025: “46% of the systems with corporate logins in their compromised data were non-managed, meaning they were personal devices.”

Why Ransomware Attacks Cost More in Multi-Cloud Environments

Multi-cloud plus on-premises: $5.05M average breach cost, 276 days to contain. On-premises only: $4.01M, 217 days. That million-dollar gap and those 59 extra days aren’t from harder attacks. They come from fragmented visibility. When data is spread across environments that weren’t built to be monitored together, detection lags. And every extra day the attacker is in the environment costs money.

Roughly nine months from intrusion to containment. That’s what 276 days means operationally. IBM’s data also shows organizations that contained breaches in under 200 days saved an average $1.12M versus those that ran longer. Advanced threat detection that covers multi-environment visibility directly determines how much a ransomware incident costs, not just whether you get hit.

Which Ransomware Groups Are Actively Targeting Hybrid Cloud Infrastructure?

Four groups have active government advisories for campaigns specifically targeting hybrid enterprise infrastructure. All four are still operating.

Group: Akira
Initial access method: Exploited VPN vulnerabilities (SonicWall CVE-2024-40766); stolen credentials
Cloud/hybrid tactic: Exfiltrates via FTP, SFTP, and cloud storage before encrypting. Akira_v2 targets Windows and Linux
Status: Active

Group: Storm-0501
Initial access method: Stolen credentials; compromised AD Connect sync accounts
Cloud/hybrid tactic: Pivots from on-premises AD into Entra ID. Destroys cloud backups via API. No malware binaries required
Status: Active

Group: Interlock
Initial access method: Drive-by downloads; fake browser update lures
Cloud/hybrid tactic: Targets VMs across Windows and Linux. Double extortion via cloud-hosted leak sites
Status: Active

Group: Play
Initial access method: Dark web credential purchases; FortiOS and Exchange exploitation
Cloud/hybrid tactic: Lateral movement through AD domain trust relationships; targets cloud-connected systems after initial foothold
Status: Active

Healthcare: highest-targeted critical infrastructure sector. FBI IC3 2024 recorded 238 ransomware incidents against US healthcare, more than any other sector. Operational disruption in healthcare creates acute pressure to pay quickly. CISA’s November 2025 Akira update confirms the group is actively expanding into healthcare, financial services, and critical manufacturing. Patient data under HIPAA is also among the most valuable for double extortion.

Enterprise Ransomware Protection: Controls Mapped to Actual Attack Techniques

The table maps confirmed 2025 attack techniques to specific defensive controls. If a technique isn’t in those sources, it’s not in this table.

Attack stage: Initial Access
Documented technique: Infostealer malware on unmanaged devices; phishing targeting cloud app logins; unpatched VPN exploitation
Ransomware protection control: Phishing-resistant multi-factor authentication; device posture enforcement at login; patch VPN and perimeter devices by exposure risk; monitor corporate domains in infostealer credential feeds
Priority: Immediate

Attack stage: Reconnaissance
Documented technique: Mapping AD structure, Entra ID tenants, and domain trust using legitimate admin tools, which blends with normal traffic
Ransomware protection control: Behavioral analytics on privileged account activity; alert on unusual AD enumeration and service queries; threat intelligence integration for known recon tool signatures
Priority: Immediate

Attack stage: Lateral Movement
Documented technique: Abusing AD Connect sync accounts; exploiting domain trust to cross the on-premises to cloud boundary
Ransomware protection control: East-west network visibility inside cloud workloads; Active Directory threat detection covering sync account activity; network segmentation between on-premises and cloud resources; restrict sync accounts to known IPs
Priority: Immediate

Attack stage: Privilege Escalation
Documented technique: Escalating via accounts with admin roles in both AD and cloud identity; exploiting overly permissive cloud roles
Ransomware protection control: Strict access controls enforcing least privilege; audit all accounts with elevated roles across both environments; enforce multi-factor authentication on every admin account without exceptions
Priority: Immediate

Attack stage: Data Exfiltration
Documented technique: Large outbound data transfers via cloud APIs and storage services before encryption begins
Ransomware protection control: Real-time threat detection on anomalous outbound volumes; data loss prevention across all network traffic including encrypted channels; baseline normal movement patterns to catch deviations
Priority: Immediate

Attack stage: Impact
Documented technique: Deleting backups via cloud API; encrypting endpoints and servers; removing volume shadow copies
Ransomware protection control: Immutable backups isolated from the primary cloud tenant; test data recovery under ransomware-like conditions; ransomware recovery plan with defined decision points and law enforcement notification
Priority: High

Sources: CISA advisories, Verizon DBIR 2025, IBM X-Force IR data.

One figure most incident response plans skip: IBM 2025 found organizations that brought in law enforcement saved $990,000 per breach on average versus those that handled it internally. Put that step in the ransomware recovery plan before you need it, not after the ransom note lands.

No East-West Visibility: The Cloud Security Gap Most Teams Underestimate

Only 17% of organizations have full east-west visibility inside their cloud environments, as per Check Point’s Cloud Security Report 2025, which surveyed 900+ CISOs. Perimeter tools watch what crosses the network boundary. What moves between cloud workloads internally goes mostly unseen. That 83% blind spot is exactly where ransomware lateral movement runs, specifically after initial access, while attackers are mapping systems and locating backup infrastructure before triggering encryption.

45% of security teams are fielding 500+ alerts per day. In that environment, the low-and-slow reconnaissance behavior ransomware groups use gets lost. Endpoint detection and response alone doesn’t solve it. Catching lateral movement between cloud workloads needs visibility at the network layer inside those environments, not just signatures on endpoints.

How Fidelis Elevate® Addresses These Ransomware Risks

Fidelis Elevate® brings network detection and response, endpoint detection and response, cloud workload security, Active Directory protection, and deception technology into one platform. The architecture is built around the gaps the six risks above expose, not generic threat coverage.

The east-west visibility problem gets addressed through patented Deep Session Inspection for packet-level analysis across all ports and protocols, including encrypted traffic, with full session reconstruction. This helps address gaps in internal cloud network visibility, an area many organizations still struggle to fully monitor. It can help detect potential data exfiltration by flagging anomalous outbound transfer activity, improving the chances of identifying threats before encryption begins.

For the hybrid identity attack path Storm-0501 used, the Active Directory Intercept component watches AD Connect sync account activity, Entra ID authentication patterns, and AD log events simultaneously. Privilege escalation attempts across hybrid identity components can be correlated and surfaced as alerts, reducing the risk of activity going unnoticed between on-premises and cloud environments.

Cloud workload visibility maps misconfigurations and unmanaged assets, the exact things ransomware groups find during reconnaissance. The deception layer goes further. Decoys deployed across network and cloud environments are designed to detect attacker reconnaissance activity and generate high-confidence alerts earlier in the attack lifecycle. This supports earlier detection, which can improve response time and limit potential impact.

Frequently Asked Questions

How does hybrid work increase enterprise ransomware risk?

Three structural changes. Remote work put corporate credentials on personal devices outside EDR. Infostealer malware harvests them and ransomware affiliates buy that access. Cloud adoption created east-west traffic between workloads that most security tools can’t see, giving attackers undetected lateral movement space. Hybrid identity, meaning on-premises AD syncing to cloud identity platforms like Entra ID, introduced high-privilege sync accounts that are rarely hardened. Verizon DBIR 2025: ransomware appeared in 44% of all confirmed breaches, up from 32% the prior year. That 12-point jump reflects those structural changes, not smarter malware.

What is the most common ransomware entry point in 2025?

Stolen credentials: 22% of breaches per Verizon DBIR 2025. Exploited VPN vulnerabilities are second at 20% and growing 34% year over year. Akira ransomware specifically hunts unpatched VPN products. By late September 2025, Akira had claimed approximately $244M in proceeds through that pattern alone.

Why do ransomware attacks on cloud environments cost more to recover from?

Slower detection. IBM Cost of a Data Breach 2025: multi-environment breaches cost $5.05M on average and took 276 days to contain. On-premises-only averaged $4.01M and 217 days. The extra time gives attackers room to exfiltrate data, destroy backups, and establish persistence, all of which drive recovery costs up sharply.

How do ransomware groups move laterally from on-premises to cloud?

Through AD Connect synchronization accounts. Storm-0501, documented by Microsoft Threat Intelligence in August 2025, compromised one of these accounts and used it to authenticate into Entra ID as Global Administrator. No malware required. Just a valid sync credential with high privilege and no MFA enforced. IBM X-Force confirmed this crossing pattern across multiple 2025 IR engagements.

What is the best ransomware protection for hybrid enterprise environments?

Phishing-resistant MFA on all admin accounts with no exceptions. East-west network visibility inside cloud environments. Perimeter tools do not cover it. Active Directory-specific threat detection covering sync account activity. Immutable backups isolated from the primary cloud tenant and tested for recovery. Automated patch management on VPN appliances prioritized by exposure risk, not just CVE score.

The post How Hybrid Work and Cloud Adoption Are Changing Enterprise Ransomware Risk appeared first on Fidelis Security.
