Today, if you want to do a ransomware attack against a business, first you go on a wardrive, collect a pile of passwords, look for Wi-Fi networks of interesting businesses, and then start hacking their network from the inside. You will find plenty of information in the clear on the inside to mount a spear-phishing attack, not to mention you will be able to collect a pile of hashes of passwords used on the internal network, and then find a pile of administrative passwords.
The most serious flaw shown here is the delusion that "inside" is more secure than "outside". The good old crunchy on the outside, chewy on the inside... If you are not managing your network with the assumption that the barbarians are already inside, then you are setting yourself up for trouble.
Seen on a cryptography mailing list