Measuring Ransomware Lateral Movement Susceptibility via Privilege-Weighted Adjacency Matrix Exponentiation

Abstract

Ransomware impact hinges on how easily an intruder can move laterally and spread to the maximum number of assets. We present a graph-theoretic formulation that casts lateral movement as a path-closure problem over a probability semiring to measure lateral-movement susceptibility and estimate blast radius. We build a directed multigraph where vertices represent assets and edges represent reachable services (e.g., RDP/SSH) between them. We model lateral movement as a probabilistic process using a pivot potential factor π(s) for each service, with step successes composed via a probabilistic path operator \( \) and alternative paths aggregated via a probabilistic union \( \) (noisy-OR). This yields a monotone fixed-point (iterative) computation of a K-hop compromise probability matrix that captures how compromise propagates through the network. Metrics derived from this model include: (1) Lateral-Movement Susceptibility (LMS_K): the average probability of a successful lateral movement between any two assets (0-1 scale); and (2) Blast-Radius Estimate (BRE_K): the expected percentage of assets compromised in an average attack scenario. Interactive services (SSH 22, RDP 3389) receive higher π(s) than app-only ports (MySQL 3306, MSSQL 1433), which seldom enable pivoting without an RCE. Across anonymized enterprise snapshots, pruning high-π(s) edges yields the largest LMS_K/BRE_K drop, aligning with CISA guidance, MITRE ATT&CK (TA0008: Lateral Movement), and NIST SP 800-207. The framework evaluates (micro)segmentation and helps prioritize controls that reduce lateral-movement susceptibility and shrink blast radius.
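The computation the abstract describes, as an added worked example in Python (this is not the paper's code). It builds the privilege-weighted one-hop matrix from a service graph, composes step successes by multiplication, aggregates alternative paths with noisy-OR, accumulates hop counts 1..K into the K-hop compromise matrix, and derives LMS_K and BRE_K. The π(s) values, the four-asset snapshot, the pruning threshold and the function names are all assumptions made for the illustration; the semiring power counts walks, so in a graph with cycles it slightly over-approximates simple-path probability.

```python
"""Privilege-weighted lateral-movement model (added example, not the paper's code)."""
from typing import Dict, Iterable, List, Tuple

Matrix = List[List[float]]
Edge = Tuple[str, str, str]  # (source asset, destination asset, service name)

# Pivot potential pi(s): assumed values for the example, not taken from the paper.
# Interactive services get a high pivot potential; app-only ports a low one.
PIVOT_POTENTIAL: Dict[str, float] = {
    "ssh": 0.8, "rdp": 0.8, "winrm": 0.7, "mysql": 0.2, "mssql": 0.2,
}


def noisy_or(ps: Iterable[float]) -> float:
    """Probabilistic union: P(at least one of independent events) = 1 - prod(1 - p)."""
    q = 1.0
    for p in ps:
        q *= 1.0 - p
    return 1.0 - q


def one_hop_matrix(assets: List[str], edges: List[Edge]) -> Matrix:
    """P1[i][j] = noisy-OR of pi(s) over every service edge i -> j (parallel edges combine)."""
    idx = {a: i for i, a in enumerate(assets)}
    n = len(assets)
    buckets: List[List[List[float]]] = [[[] for _ in range(n)] for _ in range(n)]
    for src, dst, svc in edges:
        buckets[idx[src]][idx[dst]].append(PIVOT_POTENTIAL[svc])
    return [[noisy_or(buckets[i][j]) for j in range(n)] for i in range(n)]


def semiring_product(a: Matrix, b: Matrix) -> Matrix:
    """Path composition over the probability semiring: multiply along a path,
    noisy-OR across the alternative intermediate nodes m."""
    n = len(a)
    return [[noisy_or(a[i][m] * b[m][j] for m in range(n)) for j in range(n)]
            for i in range(n)]


def k_hop_matrix(p1: Matrix, k: int) -> Matrix:
    """Monotone accumulation R_K = P1 (+) P1^2 (+) ... (+) P1^K, where powers use
    semiring_product and (+) is noisy-OR. R_K[i][j] is the probability that a
    compromise of i reaches j within K hops."""
    n = len(p1)
    r = [[0.0] * n for _ in range(n)]
    pk = p1
    for _ in range(k):
        r = [[noisy_or((r[i][j], pk[i][j])) for j in range(n)] for i in range(n)]
        pk = semiring_product(pk, p1)
    return r


def lateral_movement_susceptibility(r: Matrix) -> float:
    """LMS_K: mean compromise probability over ordered pairs of distinct assets."""
    n = len(r)
    off = [r[i][j] for i in range(n) for j in range(n) if i != j]
    return sum(off) / len(off)


def blast_radius_estimate(r: Matrix) -> float:
    """BRE_K: expected percentage of assets compromised, averaged over the
    initial foothold (the foothold itself always counts as compromised)."""
    n = len(r)
    expected = [1.0 + sum(r[i][j] for j in range(n) if j != i) for i in range(n)]
    return 100.0 * sum(expected) / (n * n)


def evaluate(assets: List[str], edges: List[Edge], k: int) -> Tuple[float, float]:
    r = k_hop_matrix(one_hop_matrix(assets, edges), k)
    return lateral_movement_susceptibility(r), blast_radius_estimate(r)


def prune_high_pivot_edges(edges: List[Edge], threshold: float) -> List[Edge]:
    """Segmentation candidate: drop every edge whose service has pi(s) >= threshold."""
    return [e for e in edges if PIVOT_POTENTIAL[e[2]] < threshold]


# Constructed snapshot (not real data): a workstation, a jump host, an app server, a DB.
ASSETS = ["ws1", "jump", "db1", "app1"]
EDGES: List[Edge] = [
    ("ws1", "jump", "rdp"), ("jump", "app1", "ssh"), ("jump", "db1", "mssql"),
    ("app1", "db1", "mysql"), ("ws1", "db1", "mssql"),
]

if __name__ == "__main__":
    for label, edges in (("baseline", EDGES),
                         ("pruned (pi >= 0.5 removed)", prune_high_pivot_edges(EDGES, 0.5))):
        lms, bre = evaluate(ASSETS, edges, k=3)
        print(f"{label}: LMS_3={lms:.4f}  BRE_3={bre:.2f}%")
```

Running it with K=3 shows the effect the abstract reports: removing only the two interactive-service edges (RDP, SSH) drops LMS_3 from about 0.27 to 0.05 and BRE_3 from about 45% to 29%, while the app-only MSSQL/MySQL edges contribute little on their own. Swapping in a different pruning rule (per-edge removal, ranked by the resulting LMS drop) is the natural way to turn this into a control-prioritisation list.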
