The phrase break-in suggests forced entry, a locked door pried open, an alarm ignored. Most ransomware incidents look nothing like that. An attacker buys a set of stolen credentials from a criminal marketplace, tries them against a company’s remote access portal, and simply logs in like any other legitimate user would on a Monday morning. No alarms sound, because nothing about that login looks unusual. The damage that follows happens quietly, from the inside, using access that was never supposed to exist but was never actually blocked either.
The break-in that never actually breaks anything
Ransomware groups have largely moved away from writing clever exploits to force their way into networks, because there is an easier route available. Stolen passwords, reused across multiple accounts, or harvested from an earlier, smaller breach entirely unrelated to the eventual target, get sold and traded until someone finds a use for them. Once inside, using an account that looks perfectly ordinary, the real work begins, spreading from system to system until enough of the business is encrypted that paying a ransom starts to feel like the only remaining option.
How far that spread reaches depends almost entirely on internal controls, not on how the attacker initially got in. A business with proper network segmentation, restricted admin rights, and careful monitoring can contain a single compromised login to one small corner of its systems. A thorough internal network pen testing specifically measures how far an attacker could travel from that single starting point, rather than only checking whether the front door itself was locked.

Weak internal controls turn one login into total loss
What separates a contained incident from a company-wide catastrophe usually comes down to decisions made long before any attack happened, whether administrator accounts were limited to the staff who genuinely needed them, whether one compromised machine could reach every server in the building, and whether unusual login patterns would actually be noticed by anyone watching. None of these controls require exotic technology. Most of them are basic housekeeping that gets deprioritised because nothing has gone wrong yet, right up until the moment something finally does.
William Fieldhouse has walked into the aftermath of exactly this scenario more than once.
“A client’s ransomware incident began with a password reused from a personal account breached years earlier, and because every server on their network trusted every other server by default, the encryption spread from one laptop to their entire estate within four hours.”
— William Fieldhouse, Director of Aardwolf Security Ltd
Four hours is not very long to lose an entire business’s operational systems, and yet that is precisely how quickly a flat, trusting network allows an incident to escalate once a single credential is compromised. The password itself was almost incidental to the outcome. It was the absence of any internal boundary that turned one bad password into a total loss, and that absence had been sitting there, unaddressed, for years before anyone had reason to test it properly.
Making the inside of your network as hard to move through as the outside
Ransomware rarely announces itself with a dramatic break-in, because the far easier route is simply logging in with credentials that should never have worked in the first place. Regular vulnerability scan services, covering both the entry points and how far an attacker could travel once inside, is what actually determines whether an incident stays small or becomes a company-defining event. That distinction is worth investing in before the login attempt happens, not afterwards.
