# Measuring Ransomware Lateral Movement Susceptibility via Privilege-Weighted Adjacency Matrix Exponentiation

**Authors:** Satyam Tyagi, Ganesh Murugesan

arXiv: 2508.21005 · 2025-11-10

## TL;DR

This paper introduces a graph-theoretic probabilistic model to quantify ransomware lateral movement susceptibility and blast radius, aiding in security assessment and control prioritization.

## Contribution

It presents a novel probabilistic path-closure framework using a privilege-weighted adjacency matrix to measure lateral movement risk in networks.

## Key findings

- Higher pivot potential ports increase susceptibility and blast radius.
- Pruning edges with high pivot potential reduces lateral movement risk.
- Model aligns with existing security guidelines and standards.

## Abstract

Ransomware impact hinges on how easily an intruder can move laterally and spread to the maximum number of assets. We present a graph-theoretic formulation that casts lateral movement as a path-closure problem over a probability semiring to measure lateral-movement susceptibility and estimate blast radius. We build a directed multigraph where vertices represent assets and edges represent reachable services (e.g., RDP/SSH) between them. We model lateral movement as a probabilistic process using a pivot potential factor $\pi(s)$ for each service, with step successes composed via a probabilistic path operator \( \otimes \) and alternative paths aggregated via a probabilistic union \( \oplus \) (noisy-OR). This yields a monotone fixed-point (iterative) computation of a $K$-hop compromise probability matrix that captures how compromise propagates through the network. Metrics derived from this model include: (1) Lateral-Movement Susceptibility (LMS$_K$): the average probability of a successful lateral movement between any two assets (0-1 scale); and (2) Blast-Radius Estimate (BRE$_K$): the expected percentage of assets compromised in an average attack scenario. Interactive services (SSH 22, RDP 3389) receive higher $\pi(s)$ than app-only ports (MySQL 3306, MSSQL 1433), which seldom enable pivoting without an RCE. Across anonymized enterprise snapshots, pruning high-$\pi(s)$ edges yields the largest LMS$_K$/BRE$_K$ drop, aligning with CISA guidance, MITRE ATT\&CK (TA0008: Lateral Movement), and NIST SP~800-207. The framework evaluates (micro)segmentation and helps prioritize controls that reduce lateral-movement susceptibility and shrink blast radius.

## Full text

_Full body text omitted from this summary view._ Fetch the complete paper as Markdown: https://tomesphere.com/paper/2508.21005/full.md

## Figures

42 figures with captions in the complete paper: https://tomesphere.com/paper/2508.21005/full.md

## References

30 references — full list in the complete paper: https://tomesphere.com/paper/2508.21005/full.md

---
Source: https://tomesphere.com/paper/2508.21005