The cybersecurity landscape is shifting, and not in defenders’ favor. A widening gap between the sophistication of ransomware attacks and the preparedness of organizations to counter them is creating a perilous situation. Ivanti’s 2026 State of Cybersecurity Report reveals a concerning trend: the preparedness gap has increased by an average of 10 percentage points year-over-year across all tracked threat categories. Ransomware, in particular, presents a stark challenge, with 63% of security professionals deeming it a high or critical threat, yet only 30% feeling adequately prepared – a 33-point disparity, up from 29 points the previous year.
The scale of the problem extends beyond perceived preparedness. CyberArk’s 2025 Identity Security Landscape highlights a critical, often overlooked component: the proliferation of machine identities. Organizations now manage 82 machine identities for every human user, with 42% of these possessing privileged or sensitive access. This exponential growth in non-human accounts introduces a significant attack surface that traditional security measures often fail to address.
The Blind Spot in Ransomware Playbooks
Despite the recognized urgency, the most widely adopted ransomware preparation guidance – Gartner’s April 2024 research note, “How to Prepare for Ransomware Attacks,” and its accompanying Ransomware Playbook Toolkit – contains a critical oversight. While the guidance meticulously details the need to reset “impacted user/host credentials” during containment, it conspicuously omits any mention of service accounts, API keys, tokens, or certificates. This focus on human and device credentials creates a dangerous blind spot, leaving organizations vulnerable to lateral movement and re-infection.
Gartner’s own research acknowledges the importance of robust Identity and Access Management (IAM) practices, warning that poor IAM is a primary entry point for ransomware attacks. Compromised credentials, often obtained from initial access brokers and dark web data dumps, are routinely exploited to gain access. The guidance explicitly states that updating or removing compromised credentials is essential to prevent attackers from regaining entry. However, the playbook’s containment procedures fail to address the critical issue of machine identities, which are, fundamentally, credentials within an IAM framework.
The urgency of the situation is underscored by Gartner’s assessment that ransomware is “unlike any other security incident,” operating on a “countdown timer.” Recovery costs can easily exceed the ransom amount tenfold, and over half of all ransomware engagements result in deployment within 24 hours of initial access. Yet, the current containment procedures don’t reflect this speed, particularly when the fastest-growing class of credentials – machine identities – remains unaddressed.
A Deepening Cybersecurity Readiness Deficit
Ivanti’s report demonstrates that the preparedness gap isn’t isolated to ransomware. Across all major threat categories – including phishing, software vulnerabilities, API vulnerabilities, supply chain attacks, and encryption weaknesses – the gap has widened year-over-year.
“Although defenders are optimistic about the promise of AI in cybersecurity, Ivanti’s findings also show companies are falling further behind in terms of how well prepared they are to defend against a variety of threats,” explains Daniel Spicer, Ivanti’s Chief Security Officer. “This is what I call the ‘Cybersecurity Readiness Deficit,’ a persistent imbalance between an organization’s ability to defend its data, people, and networks and the evolving threat landscape.”
CrowdStrike’s 2025 State of Ransomware Survey illustrates this deficit across different industries. Even among manufacturers who considered themselves “very well prepared,” only 12% recovered within 24 hours, with 40% experiencing significant operational disruption. The public sector fared even worse, with a 12% recovery rate despite 60% confidence. Alarmingly, only 38% of organizations that suffered a ransomware attack addressed the root cause of the breach, opting instead for general security improvements that fail to close the initial entry point.
The willingness to pay ransoms – reported by 54% of organizations in the 2026 report, despite FBI discouragement – underscores a fundamental lack of effective containment alternatives. Robust machine identity procedures could provide those alternatives.
Where Current Playbooks Fall Short
Five core containment steps define most ransomware response procedures today. Machine identities are absent from every single one.
Credential Resets: A Human-Centric Approach
While resetting employee passwords is standard practice, it does nothing to prevent lateral movement through compromised service accounts. Gartner’s own playbook template clearly demonstrates this limitation, focusing exclusively on Active Directory-managed user and device accounts, with zero provisions for non-human credentials like service accounts, API keys, or certificates.
The Inventory Gap: You Can’t Protect What You Don’t Know
Effective credential resets require knowing which credentials exist. Discovering service accounts, API keys, and tokens during an active breach can cost valuable time – days, in some cases. Only 51% of organizations even maintain a cybersecurity exposure score, meaning nearly half couldn’t assess their machine identity exposure if asked.
Network Isolation: A False Sense of Security
Isolating a compromised machine from the network doesn’t revoke the API keys it may have issued to downstream systems. Containment strategies that rely solely on network perimeter security assume a bounded trust model, which machine identities inherently violate. They authenticate *across* network boundaries.
Detection Logic: Blind to Machine Behavior
Anomalous machine identity behavior doesn’t trigger the same alerts as compromised user accounts. Unusual API call volumes, tokens used outside of authorized windows, and service accounts authenticating from unexpected locations require specialized detection rules that most Security Operations Centers (SOCs) haven’t yet implemented.
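The three signals named above, as an added illustration that is not from the article or from any vendor's product: a small Python rule set run over constructed log lines (principal names, networks, windows and thresholds are all made-up baseline values), which also flags any identity missing from the baseline because that is the inventory gap described earlier.

```python
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed baseline for hypothetical service accounts (illustrative values only):
# permitted source networks, the authorized hour window [start, end), and a
# per-hour call ceiling derived from what normal activity looks like.
BASELINE = {
    "svc-backup": {"nets": ["10.20.0.0/16"], "window": (1, 5), "max_calls": 50},
    "svc-ci-deploy": {"nets": ["10.30.0.0/16", "10.31.0.0/16"], "window": (0, 24), "max_calls": 200},
}

# Constructed sample log: ISO timestamp, principal, source IP, calls in that record.
SAMPLE_LOG = """\
2025-03-02T02:10:00 svc-backup 10.20.4.7 calls=12
2025-03-02T14:31:00 svc-backup 10.20.4.7 calls=9
2025-03-02T02:12:00 svc-backup 198.51.100.23 calls=3
2025-03-02T09:00:00 svc-ci-deploy 10.30.1.2 calls=950
2025-03-02T09:05:00 svc-unknown 10.30.1.9 calls=1
"""


def parse_line(line):
    ts, principal, src, calls = line.split()
    return {"ts": datetime.fromisoformat(ts), "principal": principal,
            "src": ip_address(src), "calls": int(calls.split("=", 1)[1])}


def evaluate(log_text, baseline=BASELINE):
    """Return (principal, rule, detail) findings for machine-identity anomalies."""
    findings, per_hour = [], defaultdict(int)
    for line in log_text.splitlines():
        ev = parse_line(line)
        prof = baseline.get(ev["principal"])
        if prof is None:  # the inventory gap: an identity nobody has baselined
            findings.append((ev["principal"], "not_in_inventory", str(ev["src"])))
            continue
        start, end = prof["window"]
        if not start <= ev["ts"].hour < end:  # credential used outside its authorized window
            findings.append((ev["principal"], "outside_window", ev["ts"].strftime("%H:%M")))
        if not any(ev["src"] in ip_network(n) for n in prof["nets"]):  # unexpected location
            findings.append((ev["principal"], "unexpected_source", str(ev["src"])))
        per_hour[(ev["principal"], ev["ts"].strftime("%Y-%m-%dT%H"))] += ev["calls"]
    for (principal, hour), total in per_hour.items():  # unusual API call volume
        if total > baseline[principal]["max_calls"]:
            findings.append((principal, "volume_spike", f"{total} calls in {hour}"))
    return findings


if __name__ == "__main__":
    for finding in evaluate(SAMPLE_LOG):
        print(*finding)
```

The per-hour aggregation is what separates a volume rule from a per-event rule: a single record never trips it, only the hour's total does.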
Stale Accounts: The Easiest Target
Service accounts that haven’t been rotated in years, particularly those created by former employees, represent a significant vulnerability.
While Gartner recommends strong authentication for privileged users, including service accounts, this guidance is typically found in preventative measures, not within the critical containment procedures needed during an active incident.
The Urgency Amplified by AI
The rise of agentic AI will exacerbate this problem. According to Ivanti, 87% of security professionals prioritize integrating agentic AI, and 77% are comfortable allowing autonomous AI to act without human oversight. However, only 55% have implemented formal guardrails. Each autonomous agent creates new machine identities, further expanding the attack surface. Organizations unprepared to govern existing machine identities will face an exponentially more complex challenge.
Gartner estimates total ransomware recovery costs at ten times the ransom amount. CrowdStrike reports an average downtime cost of $1.7 million per incident, rising to $2.5 million for public sector organizations. Paying the ransom doesn’t guarantee data recovery – 93% of organizations that paid still had data stolen, and 83% were subsequently attacked again. Furthermore, nearly 40% couldn’t fully restore data from backups. The ransomware economy has matured to the point where attackers can encrypt files remotely over SMB network shares, bypassing managed endpoints altogether.
Security leaders who proactively integrate machine identity inventory, detection rules, and containment procedures into their playbooks will not only address today’s vulnerabilities but also position themselves to govern the autonomous identities of tomorrow.
What steps is your organization taking to discover and manage its machine identities? And how confident are you that your current incident response plan adequately addresses the risks posed by compromised non-human accounts?
Frequently Asked Questions
What are machine identities and why are they a ransomware risk?
Machine identities are digital identities used by applications, services, and devices to authenticate and communicate with each other. They are a growing ransomware risk because they often lack the same level of security and monitoring as human user accounts.
How does Gartner’s ransomware playbook fall short in addressing machine identities?
Gartner’s widely used playbook focuses primarily on resetting human and device credentials, neglecting service accounts, API keys, and other machine identities, which leaves a significant blind spot that attackers can exploit.
What is a Cybersecurity Readiness Deficit?
The Cybersecurity Readiness Deficit, as defined by Ivanti, is the widening gap between an organization’s ability to defend against evolving cyber threats and the actual sophistication of those threats.
Why are stale service accounts such an easy target for ransomware attacks?
Stale service accounts, often created by former employees and lacking regular rotation, represent a significant vulnerability as they are easily exploited by attackers seeking persistent access.
How will agentic AI impact the risk associated with machine identities?
Agentic AI will create a surge in new machine identities, requiring organizations to expand their governance and security measures to manage this increased complexity and prevent exploitation.
What is the average cost of a ransomware attack, including recovery?
Gartner estimates total ransomware recovery costs can be ten times the ransom amount, while CrowdStrike reports an average downtime cost of $1.7 million per incident.