By NHI Mgmt Group Editorial TeamPublished 2025-10-23Domain: Governance & RiskSource: IS Decisions

TL;DR: Healthcare ransomware attacks spiked 30% in 2025, and the article argues that Active Directory remains a prime target because compromising a domain controller can enable lateral movement, privilege escalation, and disruptive encryption, according to IS Decisions. The deeper issue is that AD’s monitoring gaps and weak contextual controls leave security teams seeing compromise only after the attacker has already expanded.


At a glance

What this is: The article argues that Active Directory’s visibility and control gaps make it a high-value ransomware target, especially in healthcare.

Why it matters: It matters because AD compromise can collapse both identity access and clinical operations, forcing IAM, PAM, and NHI teams to treat directory protection as core resilience work.

By the numbers:

👉 Read IS Decisions' analysis of Active Directory defence against ransomware


Context

Active Directory is the control plane for many enterprise identities, so when attackers reach it they are no longer just inside the network, they are inside the mechanisms that decide who can do what. In healthcare, that matters twice over because identity access is directly tied to records, systems, and care continuity. The article’s core argument is that directory visibility and control gaps create a ransomware advantage.

The source frames this as a layered defence problem, not a single-tool problem. Weak perimeter controls, limited account monitoring, and poor contextual restrictions combine to make privileged access easier to abuse and harder to detect. That is a typical enterprise failure pattern, and healthcare simply makes the operational impact more visible and more severe.


Key questions

Q: What breaks when Active Directory is not closely monitored during a ransomware attack?

A: When Active Directory is not closely monitored, attackers can enumerate accounts, identify privilege paths, and move laterally long before defenders realise the directory has been compromised. That delay is what turns a local intrusion into a broad outage. The main failure is not just access, but the loss of visibility needed to contain identity abuse early.

Q: Why does Active Directory compromise increase ransomware blast radius so quickly?

A: Active Directory increases blast radius because it centralises identity, group membership, and trust relationships. Once an attacker reaches a domain controller or privileged account, they can use directory knowledge to find more access, more systems, and more ways to disrupt operations. In healthcare, that can translate directly into lost access to care systems.

Q: How should security teams reduce lateral movement through Active Directory?

A: Security teams should combine MFA, contextual access restrictions, and account-level monitoring on every path into AD, especially remote access and privileged administration. The goal is to make stolen credentials less reusable and suspicious sessions easier to block before they spread. Controls need to work at the connection level, not only at the login screen.

Q: Who is accountable when Active Directory security failures disrupt healthcare operations?

A: Accountability should sit with both identity governance and infrastructure security leadership, because AD is a shared control plane rather than a single-team asset. Healthcare organisations also need continuity owners involved, since directory outages affect patient-facing services and not only technical access. That makes AD resilience a cross-functional obligation.


Technical breakdown

Why Active Directory becomes the ransomware control point

Active Directory is not just authentication plumbing. It centralises identity, group membership, and privilege relationships, which makes it an efficient reconnaissance target once an attacker has a foothold. Even low-privilege accounts can reveal useful directory structure because AD read access is broad by design. That visibility lets ransomware operators map admin groups, service accounts, and likely escalation paths before they move to privilege capture. If a domain controller is reached, the attacker can manipulate or encrypt the identity substrate itself, turning directory compromise into organisation-wide disruption.

Practical implication: protect domain controllers as crown-jewel systems and treat directory enumeration as an early warning signal, not routine noise.

How lateral movement expands after the first login

The article describes a common sequence: initial access through phished credentials, exposed remote access, or a vulnerable public service, then reconnaissance, then privileged compromise. In AD environments, the danger is not only that an attacker gets in once, but that the directory can help them keep going. Lateral movement succeeds when the attacker can reuse access paths, harvest account details, or wait for an administrator to authenticate to a compromised system. At that point, the environment itself becomes an identity discovery engine for the attacker.

Practical implication: enforce MFA and session restrictions on every path that could be used to pivot from one user session to another.

Why monitoring gaps turn compromise into a delayed response problem

AD often lacks the native visibility needed to spot suspicious login patterns, unusual resource access, or privilege-seeking behaviour quickly. That creates a response delay that favours ransomware operators, because the longer they remain undetected the more likely they are to map the environment, elevate privileges, and prepare encryption or exfiltration. Contextual controls matter here because they reduce the conditions under which suspicious sessions can proceed, while alerting matters because it shortens the window between first abnormal action and containment.

Practical implication: add granular alerting for blocked logons, unusual connection types, and high-risk source locations so defenders can intervene before impact.


Threat narrative

Attacker objective: The attacker aims to gain control of directory identity so they can expand laterally, disable access, and maximise ransomware impact across the organisation.

  1. Entry occurs when attackers compromise a public interface such as VPN or RDP, phish user credentials, or exploit commonly used server software to establish a bridgehead into the environment.
  2. Escalation follows as the attacker uses Windows-native reconnaissance and AD read access to identify domain administrators, service accounts, and likely privilege pathways, then targets a privileged account or captures credentials in memory.
  3. Impact comes when the attacker moves laterally, disrupts directory services, or encrypts the domain controller, which can halt identity access and block downstream business or clinical systems.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Active Directory blindness is the real failure mode here. The article shows that attackers do not need a novel exploit when they can operate inside a directory environment with weak visibility, broad read access, and delayed detection. Once AD compromise becomes visible only after lateral movement has started, the programme has already lost its best containment opportunity. The practical conclusion is that directory observability is a governance control, not a monitoring add-on.

Directory compromise is a privilege problem before it is a ransomware problem. The attacker’s advantage comes from being able to discover who matters, where privilege sits, and which accounts can unlock the most systems. That is why service accounts and administrators remain such high-value targets in AD environments. IAM teams should read this as evidence that privilege mapping and account exposure are inseparable from resilience.

Contextual access controls matter because they shrink the attacker’s reuse window. MFA alone slows initial abuse, but the article is clear that lateral movement is the more dangerous phase once an account is compromised. Restricting connection types, devices, source locations, and concurrent sessions changes the attacker’s economics by making stolen credentials less reusable. The practitioner takeaway is that access context must be enforced where AD is actually used, not only where it is administered.

Healthcare makes identity outage a patient-care issue, not just a cyber issue. When directory services fail, records, test results, and supply chain access can all stall at once. That connects identity governance to operational resilience in a way many sectors do not feel as sharply. For healthcare organisations, AD protection belongs in continuity planning, because identity failure becomes service failure.

Identity blast radius is the right concept for this pattern. A single domain controller compromise can expand into broad access loss because AD concentrates authentication, authorisation, and trust relationships in one control plane. That means the measure of risk is not only whether access was gained, but how much of the environment the identity layer can expose or disable after compromise. Practitioners should evaluate AD as a blast-radius amplifier, not a background service.

From our research:

  • 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, according to The State of Non-Human Identity Security.
  • Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities.
  • That confidence gap reinforces why teams should tighten lifecycle control and visibility with NHI Lifecycle Management Guide and map directory exposure against the 52 NHI Breaches Analysis.

What this signals

Identity blast radius is the right planning lens for directory-centric ransomware defence. When AD is the control plane, the question is not only whether an account can be compromised, but how far the compromise can propagate before monitoring, contextual controls, or session restrictions stop reuse.

For healthcare teams, directory resilience should be treated as operational continuity work, not a narrow IAM project. If access to records, test systems, or supply chain workflows depends on AD uptime, then detection lag becomes a business-risk metric and a clinical-risk metric at the same time.


For practitioners

  • Harden domain controller access paths Restrict exposure of VPN, RDP, IIS, and other public entry points that can be used to establish a bridgehead, and enforce MFA on every remote authentication path.
  • Monitor directory reconnaissance early Alert on unusual domain administrator lookups, service account enumeration, and abnormal access from low-privilege accounts so reconnaissance is visible before escalation.
  • Apply contextual session restrictions Use device, IP range, workstation, department, and connection-type restrictions to reduce where a stolen session can be reused inside AD.
  • Tune alerts for blocked and rejected access Differentiate between blocked connections, MFA rejections, and successful access so teams can spot attack progression without drowning in generic noise.

Key takeaways

  • The article’s core warning is that Active Directory becomes a ransomware accelerator when visibility and contextual control are weak.
  • The evidence points to a familiar failure pattern: initial access, directory reconnaissance, privilege capture, and then lateral movement or domain-controller disruption.
  • The most effective limiting controls are MFA, session restriction, and granular alerting before the attacker can reuse access inside the directory.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
OWASP Non-Human Identity Top 10NHI-03Covers credential rotation and exposure patterns relevant to AD compromise and reuse.
NIST CSF 2.0PR.AC-4Access permissions and contextual restrictions map directly to AD session control.
NIST Zero Trust (SP 800-207)AC-4Zero Trust access enforcement fits the article's MFA and session-control emphasis.

Review privileged AD credential handling and reduce standing access that enables lateral movement.


Key terms

  • Active Directory: Active Directory is a central identity and directory service used to manage users, groups, and access across an enterprise. In practice, it becomes a high-value security boundary because a compromise there can expose privilege relationships, authentication paths, and downstream systems.
  • Domain Controller: A Domain Controller is the server that processes authentication and directory-related requests in an Active Directory environment. If it is compromised, an attacker may be able to observe, redirect, or disrupt the identity control plane that other systems rely on.
  • Lateral Movement: Lateral movement is the attacker behaviour of moving from one compromised account or host to another inside the environment. In identity-heavy networks, it often depends on reused credentials, broad read access, or weakly constrained sessions that let stolen access travel further.
  • Contextual Access Control: Contextual access control limits access based on attributes such as device, location, connection type, or time of day. For AD defence, it reduces the chance that a stolen credential can be reused freely and helps turn suspicious behaviour into a blocking event rather than an invisible one.

What's in the full article

IS Decisions' full article covers the operational detail this post intentionally leaves for the source:

  • How UserLock applies MFA on top of existing AD policies without reconfiguring domain policy design
  • The specific session and contextual control options available for workstation, device, IP range, OU, department, country, and time
  • Alert tuning examples for blocked logons, MFA rejections, and unusual access patterns
  • The vendor's practical explanation of how its controls aim to reduce lateral movement risk in on-premise AD

👉 The full IS Decisions article covers MFA layering, contextual controls, and AD monitoring detail.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
NHIMG Editorial Note
Published by the NHIMG editorial team on 2025-10-23.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org