Reports Highlight Domain Controllers as Prime Ransomware Targets

A recent report from Microsoft reinforces warnings about the critical role Active Directory (AD) domain controllers play in large-scale ransomware attacks, aligning with U.S. government advisories on the persistent threat of AD compromise.

In a blog post, Alon Rosental, Microsoft partner director of product management for endpoint security, detailed how attackers exploit domain controllers to escalate privileges and propagate ransomware, enabling widespread network disruption. The findings mirror a joint report (PDF) between National Security Agency and the Australian government released in late 2024, which called domain controller exploitation a real concern for enterprises.

"Active Directory can be misused by malicious actors to establish persistence in organizations," read the report. "Some persistence techniques allow malicious actors to log in to organizations remotely, even bypassing multi-factor authentication (MFA) controls."

Microsoft and the NSA both emphasize that domain controllers serve as a linchpin for attackers seeking to scale ransomware operations. Domain controllers are responsible for authenticating users, managing Group Policy and maintaining the AD database, making them uniquely powerful targets.

Microsoft's internal data shows that more than 78% of human-operated ransomware attacks involve domain controller breaches, with 35% of incidents using the domain controller as the primary system to distribute ransomware payloads.

The company recounted a recent incident where attackers targeted a small manufacturer with Akira ransomware. After securing domain admin credentials, they used Remote Desktop Protocol (RDP) to access the domain controller, initiating reconnaissance, policy tampering, and privilege escalation.

However, Microsoft Defender for Endpoint's automatic attack disruption detected the attack chain in real time. Per Rosental:

"To address this challenge, Defender for Endpoint introduced contain high value assets (HVA), an expansion of our contain device capability designed to automatically contain HVAs like domain controllers in a granular manner. This feature builds on Defender for Endpoint's capability to classify device roles and criticality levels to deliver a custom, role-based containment policy, meaning that if a sensitive device, such a domain controller, is compromised, it is immediately contained in less than three minutes, preventing the cyberattacker from moving laterally and deploying ransomware, while at the same time maintaining the operational functionality of the device."

The NSA recommends organizations implement Tiered Administrative Models, enforce Least Privilege principles, and conduct routine AD hygiene assessments, including auditing privileged groups and monitoring service account behaviors.

About the Author

Chris Paoli (@ChrisPaoli5) is the associate editor for Converge360.

Featured

  • Abstract AI circuit board pattern

    New Nonprofit to Work Toward Safer, Truthful AI

    Turing Award-winning AI researcher Yoshua Bengio has launched LawZero, a new nonprofit aimed at developing AI systems that prioritize safety and truthfulness over autonomy.

  • modern college building with circuit and brain motifs

    Anthropic Launches Claude for Education

    Anthropic has announced a version of its Claude AI assistant tailored for higher education institutions. Claude for Education "gives academic institutions secure, reliable AI access for their entire community," the company said, to enable colleges and universities to develop and implement AI-enabled approaches across teaching, learning, and administration.

  • chart with ascending bars and two silhouetted figures observing it, set against a light background with blue and purple tones

    Report: Enterprises Embracing Agentic AI

    According to research by SnapLogic, 50% of enterprises are already deploying AI agents, and another 32% plan to do so within the next 12 months..

  • college student working on a laptop, surrounded by icons representing campus support services

    National U Launches Student Support Hub for Non-Traditional Learners

    National University has launched a new student support hub designed to help online and working learners balance career, education, and family responsibilities as they pursue their education. Called "The Nest," the facility is positioned as a "co-learning" center that provides wraparound support services, work and study space, and access to child care.