The most damaging ransomware attacks of 2025 shared a common thread: attackers didn’t exploit sophisticated vulnerabilities but instead used stolen credentials and ungoverned identities to walk through the front door.
This blog is part of a three-part series exploring the role of Identity Governance and Administration (IGA) across the full lifecycle of a ransomware attack – before, during, and after the incident.
Part 1: Before a Ransomware Attack: How IGA Shrinks Your Identity Attack Surface
Part 2: During a Ransomware Attack: How IGA Enables Rapid Response (this blog)
Part 3: After a Ransomware Attack: How IGA Enables Clean Recovery and Post-Incident Hardening
When ransomware strikes, containment speed is the difference between a six-hour incident and a six-week shutdown. Change Healthcare, Colonial Pipeline, and Marks & Spencer all defaulted to total shutdown because they couldn’t answer a simple question: what can this compromised identity actually reach? This post explains how Identity Governance gives security teams the visibility to answer that question and the controls to act on it before attackers spread further.
In February 2024, attackers used stolen credentials to access Change Healthcare’s network through a Citrix remote portal with no multi-factor authentication. Once inside, the attackers moved laterally for nine days, exfiltrating data before deploying ransomware.
Andrew Witty, CEO of UnitedHealth Group (Change Healthcare’s parent company), later testified to Congress that the company “severed connectivity to quarantine the environment” because it could not determine the full scope of compromise. The decision to disconnect and rebuild can be the right call. But it is also a sign of the core challenge: without fast, reliable identity visibility, containment defaults to total shutdown. For Change Healthcare, that meant over 100 million individuals affected, healthcare claims processing disrupted for months, and over $1.5 billion in cost.
Change Healthcare’s experience illustrates a core truth: during an active ransomware attack, identity is the fastest containment lever you can pull. The question is whether you have the visibility to pull it surgically, or whether uncertainty forces you to shut everything down.
Before ransomware ever deploys, attackers spend days or weeks escalating privileges, moving laterally, exfiltrating data, and mapping out their blast radius. Modern ransomware succeeds because much of this movement happens through valid accounts and normal-looking access patterns. Containment decisions become indiscriminate when organizations cannot answer a simple question: what can this compromised identity actually reach?
Colonial Pipeline faced this dilemma in May 2021. Attackers accessed the network through a compromised VPN password for an inactive account that lacked MFA. The password had been exposed in an unrelated breach. CEO Joseph Blount later testified that “it was not clear how widespread the intrusion was or how long it would take to restore compromised systems.” Colonial shut down the pipeline as a precaution. The shutdown lasted six days and triggered fuel shortages across the East Coast. The operational technology systems that run the pipeline were never compromised. Colonial shut down because it could not verify which identities were affected and what they could reach.
This dilemma intensifies when the compromised identity comes through a third party. These accounts often exist outside your primary governance framework, limiting visibility into what they can reach. And containment requires more than isolating the compromised account. You need to find every identity tied to that vendor relationship. A single vendor may have multiple provisioned user accounts, service accounts, and integration credentials across your environment. If one is compromised, any of the others could serve as a lateral movement path. Disabling a single account does not close the door if attackers have already pivoted to another identity provisioned through that same relationship, and every hour spent discovering those linked accounts is time the attackers spend moving.
Marks & Spencer (M&S) faced this in April 2025. Attackers called the third-party IT service desk, impersonated an employee, and obtained a password reset. That single interaction gave them access to the system that controls user credentials across the organization. By the time the full blast radius became visible, the damage was already catastrophic: 46 days without online ordering, approximately £300 million in lost profit, and over £1 billion wiped from market value.
Knowing the blast radius is step one. Acting on it is step two. Both depend on answering five questions fast.
In the first hours of ransomware response, every containment decision hinges on five questions.
Who is this identity? Teams must classify the identity (employee, contractor, vendor, service account, AI agent, or privileged admin) and determine whether the account is active, who owns it, and whether the account should still exist, since orphaned or mid-transition accounts are among the first identities attackers exploit. Without an authoritative source for identity data, teams spend hours chasing down ownership manually while attackers continue moving.
What can it reach right now? Not what it should have according to policy, but what it actually has across directories, SaaS applications, cloud platforms, and databases. Access accumulates. Permissions scatter across systems. The only way to know actual exposure is to have entitlements aggregated from across the environment. At M&S, attackers who obtained a single set of credentials were able to reach the system that controls user access across the organization and steal the credentials of every employee.
What privileged paths does it unlock? Compromised identities may unlock admin roles, cloud tenant access, directory sync accounts, backup credentials, or non-human identities that connect systems automatically. These paths turn a foothold into full control. Attackers target them specifically because they enable lateral movement and persistence. Microsoft documented how the Storm-0501 ransomware group specifically targeted privileged synchronization accounts between on-premises and cloud environments, finding non-human identities with full administrative privileges and no MFA. Part 1 of this series explored this example in detail.
How fast can we revoke access everywhere? Revocation must reach every connected system simultaneously, while preserving, if possible, the access that keeps critical operations running. Revocation that misses a single connected system leaves a door open. Revocation that is too broad halts operations unnecessarily. Colonial Pipeline shut down for six days because it could not surgically isolate compromised access. Change Healthcare severed connectivity entirely because partial containment was not possible with the visibility it had.
Which identities do we contain first? In the first hour of response, security teams cannot review every identity. They need a triage queue that surfaces the accounts most likely to cause catastrophic damage. This requires real-time identity risk scoring that combines privilege level (tenant admin, backup admin, directory sync accounts), exposure signals (no MFA, recently reset password, new MFA method added), business criticality (executives, finance, IT admins), and abnormal changes (new group membership, role escalation, mass permission grants). The output is a prioritized list that transforms incident response from “investigate everything” to “neutralize the highest-risk identities immediately, then work outward.”
IGA exists to answer these questions, aggregating identity and entitlement relationships across the enterprise so security teams have verified data in the moment that matters most. Security teams move from “we think this account is bad” to “we know what it can do and we can shut it down everywhere.”
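The five questions above, worked through in code. This is an added example, not Omada's code or anything from the page: the identity records, the per-system entitlement feeds, the set of entitlements treated as privileged, and the scoring weights are all constructed for illustration. It shows how an aggregated entitlement view answers "what can it reach" and "what privileged paths does it unlock", and how the four factor families in the last question combine into a triage queue.

```python
"""Triage support for the five containment questions. Added example, not
Omada's code: identities, entitlement feeds and weights are constructed."""

# Constructed identity records, in the shape an IGA identity warehouse might hold.
IDENTITIES = {
    "u-1001":   {"type": "employee", "owner": "j.doe",        "active": True,
                 "critical": True,  "mfa": True,  "pw_reset_days": 40,
                 "new_mfa_method": False, "recent_changes": []},
    "u-1042":   {"type": "employee", "owner": "a.lee",        "active": False,
                 "critical": False, "mfa": True,  "pw_reset_days": 200,
                 "new_mfa_method": False, "recent_changes": []},
    "svc-sync": {"type": "service",  "owner": None,           "active": True,
                 "critical": False, "mfa": False, "pw_reset_days": 400,
                 "new_mfa_method": False, "recent_changes": []},
    "vnd-2203": {"type": "vendor",   "owner": "acme-support", "active": True,
                 "critical": False, "mfa": False, "pw_reset_days": 1,
                 "new_mfa_method": True,
                 "recent_changes": ["group_add:Domain Admins"]},
}

# Constructed entitlement feeds, one per connected system: (identity, entitlement).
ENTITLEMENTS = {
    "active_directory": [("u-1001", "Finance-RO"), ("u-1042", "Finance-RO"),
                         ("svc-sync", "Directory-Sync"), ("vnd-2203", "Domain Admins")],
    "cloud_tenant":     [("svc-sync", "Global Administrator"), ("vnd-2203", "Reader")],
    "saas_hr":          [("u-1001", "Payroll-Approver")],
    "backup":           [("vnd-2203", "Backup-Operator")],
}

# Entitlements that turn a foothold into lateral movement or persistence.
PRIVILEGED = {"Domain Admins", "Global Administrator", "Directory-Sync", "Backup-Operator"}


def classify(identity_id):
    """Question 1: what kind of identity this is, who owns it, whether it should exist."""
    rec = IDENTITIES[identity_id]
    orphaned = rec["owner"] is None or not rec["active"]
    return {"type": rec["type"], "owner": rec["owner"],
            "active": rec["active"], "orphaned": orphaned}


def aggregate(identity_id):
    """Question 2: what the identity actually holds, aggregated across every system."""
    return {(system, ent) for system, rows in ENTITLEMENTS.items()
            for who, ent in rows if who == identity_id}


def privileged_paths(identity_id):
    """Question 3: which of those entitlements are escalation or persistence paths."""
    return {(s, e) for s, e in aggregate(identity_id) if e in PRIVILEGED}


def risk_score(identity_id):
    """Input to question 5: a score built from privilege level, exposure signals,
    business criticality and abnormal changes. Weights are illustrative only."""
    rec = IDENTITIES[identity_id]
    score, reasons = 0, []
    priv = privileged_paths(identity_id)
    if priv:                                   # privilege level, 30 per path, capped
        score += min(60, 30 * len(priv))
        reasons.append(f"privileged paths: {sorted(e for _, e in priv)}")
    if not rec["mfa"]:                         # exposure signals
        score += 15
        reasons.append("no MFA")
    if rec["pw_reset_days"] <= 7:
        score += 10
        reasons.append("password reset in last 7 days")
    if rec["new_mfa_method"]:
        score += 10
        reasons.append("new MFA method added")
    if rec["critical"]:                        # business criticality
        score += 10
        reasons.append("business-critical role")
    if rec["type"] in ("service", "vendor"):   # identities often outside core governance
        score += 5
        reasons.append("non-employee identity")
    if classify(identity_id)["orphaned"] and aggregate(identity_id):
        score += 10
        reasons.append("orphaned or inactive account still holding access")
    if rec["recent_changes"]:                  # abnormal changes, 15 each, capped
        score += min(30, 15 * len(rec["recent_changes"]))
        reasons.append(f"recent changes: {rec['recent_changes']}")
    return score, reasons


def triage_queue():
    """Highest-risk identities first; ties broken by identifier for a stable queue."""
    scored = [(i, risk_score(i)[0]) for i in IDENTITIES]
    return sorted(scored, key=lambda t: (-t[1], t[0]))


if __name__ == "__main__":
    for ident, score in triage_queue():
        print(f"{score:>4}  {ident:<10} {risk_score(ident)[1]}")
```

Two design points worth noting. The score is only as good as the aggregation underneath it: `risk_score` is deliberately built on `aggregate`, which reads every system feed, so an identity that looks harmless in the directory but holds a Global Administrator role in the cloud tenant still lands at the top of the queue. And the "orphaned" factor only fires when the account still holds access, which is exactly the case (an inactive or ownerless account with live entitlements) that the first question is meant to catch.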
Answering those five questions gives security teams the visibility to make informed containment decisions. But visibility without the ability to act on it still leaves organizations exposed. During an attack, security teams also need the ability to suspend access broadly, consistently, and with full traceability.
Most successful ransomware investigations start with an alert from an XDR, EDR, or SIEM solution. When those systems connect to IGA, responders can immediately enrich the alert with identity context: who the account is, what type of identity, what it can reach. From there, they can trigger a governed containment workflow. Instead of making ad-hoc changes across multiple admin consoles, the team suspends the identity, removes high-risk entitlements across connected systems, and captures an audit trail that makes containment faster and reversible.
While XDR and SIEM solutions detect endpoint and network threats, Identity Threat Detection and Response (ITDR) adds a critical layer of identity-specific detection, focusing on identity-native attack patterns: authentication anomalies, MFA manipulation, privilege escalation, credential theft techniques. ITDR detects when an identity is compromised or misused. IGA makes that detection actionable by providing entitlement context and the governed workflows that execute revocation across every connected system.
IGA enables rapid containment by mapping the full entitlement set for a suspected identity across hybrid environments, surfacing toxic privilege combinations and identifying other identities with equivalent access who are likely the next targets. When the Scattered Spider threat group compromised one M&S employee’s credentials, a governed environment would have immediately surfaced every other identity with similar access patterns, enabling preemptive lockdown before attackers could pivot.
Consider how governed containment would have changed the M&S response. Within minutes of identifying the compromised credentials, the security team suspends the identity and that state flows automatically to directories, cloud platforms, and SaaS applications. High-risk entitlements are revoked across connected systems. Every third-party account provisioned through the same vendor relationship is disabled or time-bound. Emergency approval requirements activate for new access requests, cutting off the backup persistence paths attackers create while incident response is focused elsewhere.
Because privilege escalation is how ransomware becomes catastrophic, privileged access containment is critical. IGA enables rapid enumeration of all privileged identities, including non-human identities, and supports emergency revalidation or removal of standing privileges not essential for recovery. You are not trying to perfect the environment mid-incident. You are trying to contain the attacker by removing the access paths attackers use to spread.
This transforms containment from ad-hoc chaos into a governed response. Security teams act with speed and confidence because they know what they are doing, why, and how to reverse it when the incident is resolved.
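The governed containment workflow described above, as an added example that is not Omada's code or anything the page ships: the `Connector` class is a stand-in for IGA connectors to a directory, a cloud tenant and a SaaS application, and the identity registry, the entitlements, the vendor relationship `acme-support` and the incident id `INC-0001` are constructed. It shows the steps the text lists: suspend the identity in every connected system, revoke only high-risk entitlements so operations keep running, extend containment to every identity provisioned through the same vendor relationship, and keep an audit trail from which the whole action can be reversed once the incident is resolved.

```python
"""Governed containment with an audit trail. Added example, not Omada's code:
Connector stands in for IGA connectors; registry, entitlements and the incident
id are constructed."""
from datetime import datetime, timezone


class Connector:
    """Stand-in for one connected system in which IGA can suspend identities
    and revoke entitlements."""
    def __init__(self, name):
        self.name = name
        self.suspended = set()
        self.entitlements = {}          # identity -> set of entitlements

    def grant(self, identity, ent):
        self.entitlements.setdefault(identity, set()).add(ent)

    def revoke(self, identity, ent):
        self.entitlements.get(identity, set()).discard(ent)

    def suspend(self, identity):
        self.suspended.add(identity)

    def unsuspend(self, identity):
        self.suspended.discard(identity)


# Constructed identity registry recording the vendor relationship each account came through.
REGISTRY = {
    "vnd-2203":     {"type": "vendor",   "vendor": "acme-support"},
    "vnd-2204":     {"type": "vendor",   "vendor": "acme-support"},
    "svc-acme-api": {"type": "service",  "vendor": "acme-support"},
    "u-1001":       {"type": "employee", "vendor": None},
}

# Entitlements revoked during containment; everything else is left so operations continue.
HIGH_RISK = {"Domain Admins", "Global Administrator", "Backup-Operator"}


def build_scenario():
    """Constructed connected systems and the access each identity holds in them."""
    ad = Connector("active_directory")
    cloud = Connector("cloud_tenant")
    saas = Connector("saas_support")
    ad.grant("vnd-2203", "Domain Admins")
    ad.grant("vnd-2203", "Helpdesk")
    cloud.grant("svc-acme-api", "Global Administrator")
    saas.grant("vnd-2204", "Ticket-Agent")
    saas.grant("u-1001", "Ticket-Agent")
    return [ad, cloud, saas]


def linked_identities(identity, registry=REGISTRY):
    """Every other identity provisioned through the same vendor relationship."""
    vendor = registry[identity]["vendor"]
    if vendor is None:
        return set()
    return {i for i, r in registry.items() if r["vendor"] == vendor and i != identity}


def _record(audit, incident, action, system, identity, entitlement=None):
    audit.append({"ts": datetime.now(timezone.utc).isoformat(), "incident": incident,
                  "action": action, "system": system, "identity": identity,
                  "entitlement": entitlement})


def contain(identity, systems, audit, incident):
    """Suspend one identity in every connected system, then strip its high-risk
    entitlements, logging each step so it can be reversed later."""
    for s in systems:
        s.suspend(identity)
        _record(audit, incident, "suspend", s.name, identity)
    for s in systems:
        for ent in sorted(s.entitlements.get(identity, set()) & HIGH_RISK):
            s.revoke(identity, ent)
            _record(audit, incident, "revoke", s.name, identity, ent)


def contain_relationship(identity, systems, audit, incident):
    """Contain the compromised identity and every identity linked to it by vendor."""
    targets = {identity} | linked_identities(identity)
    for t in sorted(targets):
        contain(t, systems, audit, incident)
    return targets


def rollback(audit, systems, incident):
    """Reverse one incident's containment actions from the audit trail, newest first."""
    by_name = {s.name: s for s in systems}
    entries = [e for e in audit if e["incident"] == incident]
    for e in reversed(entries):
        s = by_name[e["system"]]
        if e["action"] == "suspend":
            s.unsuspend(e["identity"])
        elif e["action"] == "revoke":
            s.grant(e["identity"], e["entitlement"])
    return len(entries)


if __name__ == "__main__":
    systems, audit = build_scenario(), []
    print("contained:", sorted(contain_relationship("vnd-2203", systems, audit, "INC-0001")))
    for e in audit:
        print(e["action"], e["system"], e["identity"], e["entitlement"] or "")
    print("reversed actions:", rollback(audit, systems, "INC-0001"))
```

The audit trail is what makes the containment both auditable and reversible: `rollback` does not guess what to restore, it replays the recorded entries in reverse, so an entitlement that was never revoked (the non-privileged `Helpdesk` role here) is never touched, and an employee account outside the vendor relationship (`u-1001`) is never suspended. In a real deployment the same log is also what the post-incident review in Part 3 would start from.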
Ransomware response is no longer just about endpoints and backups. It is about identities, because identities are how attackers move, escalate, and hide.
IGA gives incident responders what they need most in the first hours: speed, accuracy, and controlled action. Instead of shutting down the business because you cannot see the blast radius, you can contain the incident with deliberate identity lockdown and move into recovery with a full record of what changed and why.
But containment is only part of the response. Recovery and hardening are where most organizations fail, because emergency access becomes permanent and the conditions that enabled the attack remain unaddressed. Part 3 will examine how identity governance enables clean recovery, forensics, and post-incident hardening that prevents the next attack from following the same path.
Ready to assess your identity attack surface? Schedule a demo to see how Omada Identity Cloud delivers the visibility and governance controls that shrink blast radius and strengthen ransomware defense.
FREQUENTLY ASKED QUESTIONS
In many ransomware incidents, attackers use stolen credentials and valid accounts to escalate privileges, move laterally, and exfiltrate data before ransomware deploys. Identity visibility lets responders see who the account is and what it can reach, which enables targeted containment. Without that clarity, containment often defaults to broad disconnection and rebuilds.
The five questions are: who is this identity, what can it reach right now, what privileged paths does it unlock, how fast can we revoke access everywhere, and which identities do we contain first. Answering them quickly turns investigation into action by revealing ownership, real entitlements, and likely pivot paths. It supports triage so teams neutralize the highest-risk identities first.
Identity Governance and Administration (IGA) aggregates identities and entitlements across directories, SaaS applications, cloud platforms, and databases so responders can verify what a suspected account actually has. With that view, teams can suspend the identity and revoke high-risk entitlements across connected systems while keeping critical access running. This can prevent uncertainty-driven shutdowns like the ones Change Healthcare and Colonial Pipeline faced.
XDR, EDR, and SIEM tools can provide an early alert in a ransomware investigation, but they need identity context for containment. Identity Threat Detection and Response (ITDR) focuses on identity-native patterns such as authentication anomalies, MFA manipulation, and privilege escalation. Paired with Identity Governance and Administration (IGA), alerts can trigger governed access suspension and entitlement revocation with an audit trail.
Third-party relationships can create identities, including vendor users, service accounts, and integration credentials, which may sit outside governance. If one is compromised, attackers can pivot to another identity tied to the same vendor, so disabling one account may not close the door. IGA helps enumerate linked accounts, set time limits, and surface privileged and synchronization identities that expand blast radius.