Ransomware conversations often focus on detection tools, endpoint security, prevention training, or incident response plans. Those are all important things to discuss, but those conversations rarely get into the weeds of what determines how disruptive an attack ultimately becomes.
Think about it: once inside an environment, attackers typically attempt to escalate privileges, move laterally across systems, and compromise backup infrastructure. If any one of those steps is successful, a relatively small breach can quickly expand into a widespread operational outage.
Which brings us to the point of this article: infrastructure architecture plays a major role in your company’s outcome in the event of a ransomware attack.
Here is how to evaluate your infrastructure architecture, and the decisions you can make as you establish or rework it to reduce ransomware risk and accelerate recovery if an incident does happen.
In 2025, 44% of cybersecurity breaches involved ransomware, up 37% from the previous year. The median amount paid by organizations was $115,000, but the good news is that 64% of companies that suffered a ransomware attack resolved it without paying a ransom.
The key to minimizing the impact of a cybersecurity event is ensuring your internal systems can prevent lateral movement.
Lateral movement begins once attackers have gained access through compromised credentials, phishing campaigns, or vulnerabilities in internet-facing systems. From there, they attempt to expand their access across the environment by escalating privileges and moving between systems.
This lateral movement is often what determines the extent of the damage.
In environments with outdated IT infrastructure or flat networks, attackers may pivot quickly between servers, storage systems, and virtualization platforms. Once attackers gain administrative access to core infrastructure systems, they can target management platforms, recovery systems, and backup repositories. At that point, ransomware can be deployed across a much larger portion of the environment.
That’s why modern architectures are designed to limit trust relationships between systems, reducing attackers' ability to escalate privileges or move laterally across the infrastructure. Let’s look at the three areas where you can limit lateral movement.
Let’s start with identity infrastructure: 22% of breaches began with credential abuse, and 16% began with phishing. And when those attacks succeed, the attacker typically begins looking for ways to expand their privileges.
This is where your company’s identity architecture plays one of the most critical roles in determining the impact of a cybersecurity event.
In modern enterprise environments, identity systems determine who can access critical tools within your organization. If attackers obtain privileged credentials, they can often operate across large portions of the environment, executing commands on multiple systems and deploying ransomware at scale.
That’s why guidance from agencies like CISA consistently emphasizes controlling administrative privileges. In environments built on legacy IT infrastructure where administrative credentials are reused across systems, attackers may be able to chain privileges together and move rapidly through the environment.
Modern identity architectures are designed to break those chains. Companies that utilize tiered administrative models, privilege separation, and identity segmentation limit where administrative credentials can be used and reduce the likelihood that compromise of one system exposes the entire infrastructure.
Even when attackers successfully escalate privileges, infrastructure design decisions still determine how far they can move. Network segmentation security becomes one of the most important controls in limiting ransomware impact.
Once inside a network, attackers often rely on legitimate administrative protocols and remote management tools to move between systems and identify higher-value targets.
In environments with flat networks or outdated IT infrastructure, that movement can happen quickly. Servers, virtualization hosts, storage systems, and management platforms may all be reachable from the same network segments, allowing attackers to pivot across the infrastructure with minimal resistance.
By limiting how systems communicate with one another, your organization can prevent attackers from moving easily between infrastructure layers. Modern segmentation strategies are designed to break those connections. Organizations implementing stronger network segmentation security isolate management networks, separate user and server environments, and restrict access to critical infrastructure systems.
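A small model of the two controls discussed above, identity tiering and network segmentation, written as an added example (not code from this article or from any vendor). Host names, zones, accounts and flow rules are constructed assumptions; the function computes how many hosts a single compromised workstation exposes under each combination of controls.

```python
from itertools import product

# Constructed sample environment; every name here is hypothetical.
HOSTS = {"ws-01": "user", "app-01": "server", "hv-01": "mgmt", "bkp-01": "backup"}
# Admin accounts whose credentials are exposed on each host once it is compromised.
SESSIONS = {"ws-01": {"helpdesk"}, "app-01": {"srv-admin"}, "hv-01": {"infra-admin"}}

ZONES = set(HOSTS.values())
FLAT = set(product(ZONES, ZONES))                 # every zone reaches every zone
SEGMENTED = {("user", "server"), ("mgmt", "server"), ("mgmt", "backup")}

# account -> hosts where it holds admin rights
LEGACY = {"helpdesk": {"ws-01", "app-01"},        # credentials reused across systems
          "srv-admin": {"app-01", "hv-01", "bkp-01"}}
TIERED = {"helpdesk": {"ws-01"}, "srv-admin": {"app-01"},
          "infra-admin": {"hv-01"}, "backup-admin": {"bkp-01"}}

def blast_radius(start, admin_of, flows):
    """Return the hosts exposed when `start` is compromised.

    A host falls only if a host already held may talk to its zone
    (segmentation) AND an exposed credential is admin on it (identity).
    """
    owned, creds = {start}, set(SESSIONS.get(start, ()))
    changed = True
    while changed:                                # iterate to a fixed point
        changed = False
        for src, (dst, zone) in product(sorted(owned), HOSTS.items()):
            if dst in owned:
                continue
            reachable = HOSTS[src] == zone or (HOSTS[src], zone) in flows
            has_admin = any(dst in admin_of.get(c, ()) for c in creds)
            if reachable and has_admin:
                owned.add(dst)
                creds |= SESSIONS.get(dst, set())
                changed = True
    return owned

if __name__ == "__main__":
    for net_name, flows in (("flat", FLAT), ("segmented", SEGMENTED)):
        for id_name, admin_of in (("legacy", LEGACY), ("tiered", TIERED)):
            hit = blast_radius("ws-01", admin_of, flows)
            print(f"{net_name:9} + {id_name:6}: {sorted(hit)}")
```

In this constructed environment the flat network with reused credentials exposes all four hosts, including the backup server, while either control alone keeps the backup and management hosts out of reach.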
The challenge with segmentation is that the environment can become harder to manage as it grows more complex. Rather than creating a secure system that also adds operational headaches, find tools that support both segmentation and centralized management. Tools like Aruba CX provide centralized visibility across networks while also enforcing segmentation and access policies.
Even in well-segmented environments, ransomware incidents can still occur. And the timeline for these attacks continues to shrink. In many incidents, attackers begin deploying ransomware within hours of gaining initial access, leaving your team little time to respond to the initial breach, even if you catch it early.
So the next question becomes critical: can you recover your systems quickly and reliably?
Attackers increasingly attempt to compromise backup repositories as part of their attacks. If backup systems are deleted, encrypted, or otherwise made unavailable, recovery becomes far more difficult.
Make sure your backup systems are not tightly integrated with production networks and administrative credentials. When attackers gain elevated access, they may be able to delete recovery points or disable backup processes before launching ransomware.
To strengthen ransomware recovery strategies, use measures such as backup immutability, isolated recovery environments, and restricted administrative access to backup infrastructure. Immutable backups ensure that recovery points cannot be modified or deleted for a defined period, even if attackers gain administrative credentials.
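One way to test a backup design against the immutability point above, as an added example that is not from this article or from any backup product. The inventory, system names and the 24-hour recovery-point target are constructed assumptions; the check assumes every copy without an unexpired lock is lost and reports what would remain.

```python
from datetime import datetime, timedelta, timezone

NOW = datetime(2025, 6, 1, 12, 0, tzinfo=timezone.utc)   # fixed for repeatability

# Constructed inventory: (system, backup taken at, immutable until or None).
RECOVERY_POINTS = [
    ("erp-db",     NOW - timedelta(hours=6),  None),
    ("erp-db",     NOW - timedelta(hours=30), NOW + timedelta(days=13)),
    ("file-srv",   NOW - timedelta(hours=4),  None),
    ("file-srv",   NOW - timedelta(days=9),   NOW - timedelta(days=2)),  # lock expired
    ("hv-cluster", NOW - timedelta(hours=20), NOW + timedelta(days=6)),
]

def surviving_restore_points(points, now, max_age):
    """Assume an attacker with admin rights deletes every copy that is not
    under an unexpired immutability lock. Report, per system, the newest
    copy left and whether it is recent enough to meet `max_age`."""
    newest = {}
    for system, taken, locked_until in points:
        newest.setdefault(system, None)           # list systems with no locked copy too
        if locked_until is not None and locked_until > now:
            if newest[system] is None or taken > newest[system]:
                newest[system] = taken
    report = {}
    for system, taken in newest.items():
        age = None if taken is None else now - taken
        report[system] = {"newest_locked": taken, "age": age,
                          "ok": age is not None and age <= max_age}
    return report

if __name__ == "__main__":
    result = surviving_restore_points(RECOVERY_POINTS, NOW, timedelta(hours=24))
    for system, row in result.items():
        print(system, "OK" if row["ok"] else "AT RISK", row["age"])
```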
For your team, whether you’re building from the ground up or redesigning systems, the platforms you choose can significantly influence your overall ransomware resilience.
For example, HPE ProLiant Gen11 and HPE ProLiant Gen12 servers incorporate hardware-based protections designed to safeguard server firmware and system integrity.
While these platforms (and others we mentioned in this article) are not designed solely for ransomware defense, they provide architectural capabilities that support containment and recovery during security incidents.
At VLCM, engineers work with organizations to evaluate how infrastructure architecture influences cybersecurity resilience. Through services such as the VLCM Cybersecurity Assessment, organizations can assess identity infrastructure, segmentation strategies, and backup design to better understand how their environment would perform in the event of a ransomware incident.
Let us help you design infrastructure with resilience in mind to help ensure that a single breach does not become a full-scale operational crisis. Get in touch today.