Pass the Hash Attacks: What They Are and How to Stop Them
Data exfiltration and ransomware continue to dominate the cyberthreat landscape in 2025, with attackers refining their methods and expanding the range of techniques they use to compromise networks. Today’s ransomware gangs are often highly organized and employ multiple tools in combination to breach defenses and maximize damage.
One of these tools is the Pass the Hash (PtH) attack, a credential theft technique that can give intruders rapid access to critical systems. Once intruders are inside, the technique can pave the way for ransomware deployment across entire networks. Despite being a well-documented tactic, many organizations remain dangerously exposed to this method of attack. Any anti-ransomware effort must account for this technique and take steps to counter it.
What is a Pass the Hash Attack and How Does it Work?
A PtH attack is a credential theft technique that allows cybercriminals to log into systems without ever knowing an actual password. Instead of capturing a password in plain text, the attacker steals its hashed version, a one-way transformation of the password that is stored or cached on a compromised machine. They can then present this hash to authenticate to other systems on the same network, without ever needing to crack it to recover the password.
This works because some authentication protocols, notably the New Technology LAN Manager (NTLM) protocol in Windows, will accept the hash itself as proof of identity. The vulnerability comes from the way many systems handle authentication, particularly when passwords or their hashes are cached in memory or stored in the Security Account Manager (SAM) database.
If attackers can access these hashes, they can effectively impersonate the user. To achieve this, a typical PtH attack follows these steps:
- Gain initial access to a system, often through phishing, exploiting vulnerabilities or stolen credentials.
- Extract stored password hashes from memory or the SAM database.
- Use the stolen hash to log in to other systems without needing the actual password.
- Move laterally through the network to find higher privilege accounts or critical servers.
- Access sensitive data for exfiltration and prepare systems for ransomware deployment.
By enabling rapid privilege escalation and lateral movement, PtH attacks give ransomware operators the access they need to encrypt and exfiltrate data across entire organizations, increasing their leverage in extortion attempts.
Which Systems are Vulnerable to Pass the Hash?
Windows systems that use NTLM authentication are the most susceptible to Pass the Hash attacks. This is especially true in older or unpatched environments where security controls are weaker. NTLM’s design allows hashed credentials to be used for authentication, which attackers can exploit once they have access to a system.
Other common weaknesses that increase risk include:
- Reusing administrative credentials across multiple devices
- Poor network segmentation
- Exposed Remote Desktop Protocol without proper restrictions
While PtH attacks are often associated with on-premises networks, they can also compromise cloud environments. In hybrid setups, attackers can leverage stolen hashes from on-premises systems to access connected cloud services, potentially exposing a much wider range of critical assets.
Why Pass the Hash is a Ransomware Enabler
Some 95 percent of ransomware attacks today seek to exfiltrate data, and Pass the Hash is often used as a precursor to double-extortion ransomware. Once attackers gain a foothold, the technique allows them to escalate privileges quickly and move laterally through the network. This access enables them to reach sensitive data such as financial records, intellectual property or customer information.
The stolen data can then be exfiltrated and used as leverage, with attackers threatening to publish it if the ransom is not paid. From there, they can deploy ransomware to encrypt systems, doubling the pressure on victims.
Being able to spot suspicious authentication attempts early is a critical part of ransomware detection. Identifying and stopping PtH activity before it spreads can significantly reduce the risk and impact of a full-scale ransomware incident.
How to Prevent Pass the Hash Attacks
PtH attacks exploit weaknesses in authentication and access controls, making prevention a matter of both technology and policy. Because these attacks often occur after an initial breach, traditional antimalware tools may not spot them. Therefore, effective defenses must focus on limiting the attacker’s ability to capture and use credential hashes, as well as restricting their movement within the network. Implementing layered security measures can significantly reduce the risk and limit potential damage.
Key best practices for this include the following:
- Adopt strong access management policies: Limit administrative privileges to only those who require them and ensure accounts are used solely for their intended purpose. It’s especially important to monitor privileged account activity closely to detect unusual patterns.
- Apply Zero Trust principles: Treat every access request as untrusted by default, verifying identity, device and context before granting access. Continuous authentication should also be used for access to sensitive systems.
- Implement strong password management: Enforce unique, complex passwords for all accounts, especially administrative ones. Avoid reusing local administrator credentials across multiple devices and use password managers to reduce human error.
- Segment the network to limit lateral movement: Divide systems into separate security zones and restrict communication between them. This prevents an attacker from using compromised credentials to move freely across the network.
- Disable or restrict NTLM authentication: Where possible, migrate to more secure protocols such as Kerberos. If NTLM is required, restrict its use to only essential systems and monitor its activity.
- Deploy advanced endpoint detection and monitoring tools: Use security solutions capable of detecting abnormal authentication attempts and blocking unauthorized use of credential hashes in real time, backed by tools that can detect and block data exfiltration attempts should all else fail.
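The attack steps listed earlier (extract a hash, reuse it over NTLM, move laterally) leave a recognizable trail in Windows Security logon events, which is what the NTLM monitoring and abnormal-authentication detection above rely on. As an added example that is not part of the original post, the Python below runs two common PtH heuristics over constructed Event ID 4624 records. It assumes a simplified tuple layout (timestamp, collecting host, account, logon type, logon process, authentication package) extracted from the real 4624 fields LogonType, LogonProcessName and AuthenticationPackageName, rather than raw EVTX/XML.

```python
"""Flag Pass-the-Hash indicators in Windows Security 4624 logon records.

Heuristics (both widely used by defenders, neither proof on its own):
  1. Logon Type 9 (NewCredentials) through the 'seclogo' logon process with
     the Negotiate package: the trace left when a session is given alternate
     credentials (e.g. runas /netonly) or has a hash injected into it.
  2. Logon Type 3 (network) NTLM logons by one account to several distinct
     hosts inside a short window: lateral movement in a domain that should
     normally authenticate with Kerberos.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, not real telemetry:
# (timestamp, host, account, logon_type, logon_process, auth_package)
EVENTS = [
    ("2025-03-01T09:00:05", "WS01", "jdoe", 3, "Kerberos", "Kerberos"),
    ("2025-03-01T09:01:10", "WS01", "svc-backup", 9, "seclogo", "Negotiate"),
    ("2025-03-01T09:01:30", "FS01", "svc-backup", 3, "NtLmSsp", "NTLM"),
    ("2025-03-01T09:01:45", "SQL01", "svc-backup", 3, "NtLmSsp", "NTLM"),
    ("2025-03-01T09:02:02", "DC01", "svc-backup", 3, "NtLmSsp", "NTLM"),
    ("2025-03-01T09:02:20", "HR01", "svc-backup", 3, "NtLmSsp", "NTLM"),
    ("2025-03-01T10:15:00", "WS02", "asmith", 3, "NtLmSsp", "NTLM"),
]


def find_pth_indicators(events, window=timedelta(minutes=5), host_threshold=3):
    """Return a list of (indicator, account, detail) findings."""
    findings = []
    ntlm_by_account = defaultdict(list)  # account -> [(time, target host)]
    for ts, host, account, ltype, process, package in events:
        if ltype == 9 and process.lower() == "seclogo" and package == "Negotiate":
            findings.append(("newcredentials_injection", account, host))
        if ltype == 3 and package == "NTLM":
            ntlm_by_account[account].append((datetime.fromisoformat(ts), host))
    # Sliding window: count distinct NTLM targets per account within `window`.
    for account, hits in ntlm_by_account.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            hosts = {h for t, h in hits[i:] if t - start <= window}
            if len(hosts) >= host_threshold:
                findings.append(("ntlm_lateral_movement", account, sorted(hosts)))
                break  # one finding per account is enough for triage
    return findings


if __name__ == "__main__":
    for indicator, account, detail in find_pth_indicators(EVENTS):
        print(f"{indicator}: {account} -> {detail}")
```

Tune `window` and `host_threshold` to the environment; service accounts that legitimately fan out over NTLM will need an allow-list rather than a lower threshold.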
Staying Ahead of Credential-Based Attacks
Credential-based attacks like Pass the Hash can give cybercriminals rapid access to sensitive systems and data, enabling them to escalate privileges, exfiltrate information and deploy ransomware across entire networks. The risk is amplified by the speed and stealth with which these techniques operate.
Protecting against them requires a layered security approach that focuses on prevention while also limiting the damage an attacker can do once a system is compromised. Technologies such as anti data exfiltration (ADX) can block attackers from stealing data, limiting their leverage in extortion attempts. Preventing data exfiltration is always more effective – and less costly – than attempting to contain and recover from a full breach, so it’s vital that firms have the right solutions in place.