Reports Highlight Domain Controllers as Prime Ransomware Targets

A recent report from Microsoft reinforces warnings about the critical role Active Directory (AD) domain controllers play in large-scale ransomware attacks, aligning with U.S. government advisories on the persistent threat of AD compromise.

In a blog post, Alon Rosental, Microsoft partner director of product management for endpoint security, detailed how attackers exploit domain controllers to escalate privileges and propagate ransomware, enabling widespread network disruption. The findings mirror a joint report (PDF) between National Security Agency and the Australian government released in late 2024, which called domain controller exploitation a real concern for enterprises.

"Active Directory can be misused by malicious actors to establish persistence in organizations," read the report. "Some persistence techniques allow malicious actors to log in to organizations remotely, even bypassing multi-factor authentication (MFA) controls."

Microsoft and the NSA both emphasize that domain controllers serve as a linchpin for attackers seeking to scale ransomware operations. Domain controllers are responsible for authenticating users, managing Group Policy and maintaining the AD database, making them uniquely powerful targets.

Microsoft's internal data shows that more than 78% of human-operated ransomware attacks involve domain controller breaches, with 35% of incidents using the domain controller as the primary system to distribute ransomware payloads.

The company recounted a recent incident where attackers targeted a small manufacturer with Akira ransomware. After securing domain admin credentials, they used Remote Desktop Protocol (RDP) to access the domain controller, initiating reconnaissance, policy tampering, and privilege escalation.

However, Microsoft Defender for Endpoint's automatic attack disruption detected the attack chain in real time. Per Rosental:

"To address this challenge, Defender for Endpoint introduced contain high value assets (HVA), an expansion of our contain device capability designed to automatically contain HVAs like domain controllers in a granular manner. This feature builds on Defender for Endpoint's capability to classify device roles and criticality levels to deliver a custom, role-based containment policy, meaning that if a sensitive device, such a domain controller, is compromised, it is immediately contained in less than three minutes, preventing the cyberattacker from moving laterally and deploying ransomware, while at the same time maintaining the operational functionality of the device."

The NSA recommends organizations implement Tiered Administrative Models, enforce Least Privilege principles, and conduct routine AD hygiene assessments, including auditing privileged groups and monitoring service account behaviors.

About the Author

Chris Paoli (@ChrisPaoli5) is the associate editor for Converge360.

Featured

  • student reading a book with a brain, a protective hand, a computer monitor showing education icons, gears, and leaves

    4 Steps to Responsible AI Implementation

    Researchers at the University of Kansas Center for Innovation, Design & Digital Learning (CIDDL) have published a new framework for the responsible implementation of artificial intelligence at all levels of education.

  • server racks, a human head with a microchip, data pipes, cloud storage, and analytical symbols

    OpenAI, Oracle Expand AI Infrastructure Partnership

    OpenAI and Oracle have announced they will develop an additional 4.5 gigawatts of data center capacity, expanding their artificial intelligence infrastructure partnership as part of the Stargate Project, a joint venture among OpenAI, Oracle, and Japan's SoftBank Group that aims to deploy 10 gigawatts of computing capacity over four years.

  • mathematical formulas

    McGraw Hill Intros AI-Powered ALEKS for Calculus

    McGraw Hill has expanded its lineup of ALEKS digital learning products with ALEKS for Calculus, bringing AI-powered personalized learning support to the calculus classroom.

  • glowing digital brain above a chessboard with data charts and flowcharts

    Why AI Strategy Matters (and Why Not Having One Is Risky)

    If your institution hasn't started developing an AI strategy, you are likely putting yourself and your stakeholders at risk, particularly when it comes to ethical use, responsible pedagogical and data practices, and innovative exploration.