Reports Highlight Domain Controllers as Prime Ransomware Targets

A recent report from Microsoft reinforces warnings about the critical role Active Directory (AD) domain controllers play in large-scale ransomware attacks, aligning with U.S. government advisories on the persistent threat of AD compromise.

In a blog post, Alon Rosental, Microsoft partner director of product management for endpoint security, detailed how attackers exploit domain controllers to escalate privileges and propagate ransomware, enabling widespread network disruption. The findings mirror a joint report (PDF) between National Security Agency and the Australian government released in late 2024, which called domain controller exploitation a real concern for enterprises.

"Active Directory can be misused by malicious actors to establish persistence in organizations," read the report. "Some persistence techniques allow malicious actors to log in to organizations remotely, even bypassing multi-factor authentication (MFA) controls."

Microsoft and the NSA both emphasize that domain controllers serve as a linchpin for attackers seeking to scale ransomware operations. Domain controllers are responsible for authenticating users, managing Group Policy and maintaining the AD database, making them uniquely powerful targets.

Microsoft's internal data shows that more than 78% of human-operated ransomware attacks involve domain controller breaches, with 35% of incidents using the domain controller as the primary system to distribute ransomware payloads.

The company recounted a recent incident where attackers targeted a small manufacturer with Akira ransomware. After securing domain admin credentials, they used Remote Desktop Protocol (RDP) to access the domain controller, initiating reconnaissance, policy tampering, and privilege escalation.

However, Microsoft Defender for Endpoint's automatic attack disruption detected the attack chain in real time. Per Rosental:

"To address this challenge, Defender for Endpoint introduced contain high value assets (HVA), an expansion of our contain device capability designed to automatically contain HVAs like domain controllers in a granular manner. This feature builds on Defender for Endpoint's capability to classify device roles and criticality levels to deliver a custom, role-based containment policy, meaning that if a sensitive device, such a domain controller, is compromised, it is immediately contained in less than three minutes, preventing the cyberattacker from moving laterally and deploying ransomware, while at the same time maintaining the operational functionality of the device."

The NSA recommends organizations implement Tiered Administrative Models, enforce Least Privilege principles, and conduct routine AD hygiene assessments, including auditing privileged groups and monitoring service account behaviors.

About the Author

Chris Paoli (@ChrisPaoli5) is the associate editor for Converge360.

Featured

  • university building surrounded by icons for AI, checklists, and data governance

    Improving AI Governance for Stronger University Compliance and Innovation

    AI can generate valuable insights for higher education institutions and it can be used to enhance the teaching process itself. The caveat is that this can only be achieved when universities adopt a strategic and proactive set of data and process management policies for their use of AI.

  • modern college building with circuit and brain motifs

    Anthropic Launches Claude for Education

    Anthropic has announced a version of its Claude AI assistant tailored for higher education institutions. Claude for Education "gives academic institutions secure, reliable AI access for their entire community," the company said, to enable colleges and universities to develop and implement AI-enabled approaches across teaching, learning, and administration.

  • futuristic AI interface with glowing data streams and abstract neural network patterns

    OpenAI Launches Its Largest AI Model Yet in Research Preview

    OpenAI has announced the launch of GPT-4.5, its largest AI model to date, code-named Orion. The model, trained with more computing power and data than any previous OpenAI release, is available as a research preview to select users.

  • Microsoft

    Microsoft Introduces Its First Quantum Computing Chip

    Microsoft has unveiled Majorana 1, its first quantum computing chip, aimed at deployment in datacenters.