TL;DR: Government and public sector organisations are being targeted by ransomware with the same playbook as private-sector victims, and once attackers gain a weak credential they often move into Active Directory, where visibility is limited and compromise can spread quickly, according to IS Decisions. The real issue is not just initial access but the assumption that AD can be protected by perimeter controls alone.
At a glance
What this is: This analysis argues that public sector ransomware defence starts with stronger Active Directory controls, especially MFA, session restrictions, and account monitoring.
Why it matters: It matters because AD still anchors identity for many public sector environments, so weak credential handling and poor internal visibility can turn one foothold into broad compromise across human and non-human access paths.
👉 Read IS Decisions' analysis of Active Directory ransomware defence for public sector teams
Context
Ransomware in government is not a niche problem. Public sector environments often combine tight budgets, legacy infrastructure, and long approval chains, which makes identity control gaps more exploitable once an attacker gets a foothold. In practice, the issue is not whether a sector pays ransom, but whether an attacker can use one compromised credential to move through the environment.
Active Directory remains a core identity control plane in many on-premises environments, which makes it a high-value target after initial compromise. The key governance problem is simple: if teams can authenticate users at the edge but cannot constrain or observe what happens inside AD, they are treating identity as a login problem instead of an access control problem.
Key questions
Q: How should security teams reduce ransomware risk in Active Directory environments?
A: Start by reducing the number of paths a valid account can use after authentication. MFA should protect privileged actions, while session controls, device restrictions, and monitoring should limit lateral movement inside AD. The goal is not just stronger login security. It is to make a stolen credential far less useful once an attacker is already inside.
Q: Why do weak AD controls increase ransomware impact in public sector networks?
A: Because AD often governs internal trust relationships, a single compromised account can become a launch point for broader access. When visibility is limited and privilege boundaries are loose, attackers can move quietly from one system to another before encryption begins. That turns one credential failure into a domain-wide containment problem.
Q: What do teams get wrong about MFA in legacy identity environments?
A: They often treat MFA as a complete defence when it is really one layer in a broader access control model. MFA helps block password theft, but it does not by itself restrict what a validated account can do inside the network. Teams still need session boundaries and monitoring to reduce the attacker’s room to manoeuvre.
Q: Who is accountable when ransomware spreads through Active Directory?
A: Accountability usually sits with the identity, infrastructure, and security teams that own AD governance, monitoring, and privileged access policy. If the environment allows broad internal trust, the issue is not only attack sophistication. It is also a governance decision about how much access remains available after initial compromise.
Technical breakdown
Why Active Directory becomes the ransomware control point
Active Directory is the internal authority for authentication, authorization, and many downstream privilege decisions in on-premises environments. Once an attacker reaches a valid account, AD can become the mechanism that exposes group membership, elevated permissions, and lateral movement paths. That is why ransomware operators often focus on credential theft first and domain controller access second. The technical weakness is not merely that AD exists, but that many environments lack sufficient internal telemetry and enforcement around it. Without that visibility, compromise can remain hidden until the attacker has already expanded access across the domain.
Practical implication: treat AD as a monitored security boundary, not just an authentication service.
How MFA helps, and where it stops
Multi-factor authentication reduces the value of a stolen password, but it does not eliminate downstream risk if the attacker can still authenticate through another path or reuse trusted sessions. In on-premises AD, MFA can also be difficult to extend consistently across legacy workflows, admin prompts, and mixed connection types. That matters because attackers do not need to win every control. They only need one reliable path that reaches privileged resources. MFA is therefore necessary, but by itself it does not solve the internal movement problem that ransomware operators exploit once they have a foothold.
Practical implication: apply MFA where privilege is exercised, not only where users first sign in.
Session controls and monitoring reduce lateral movement
Session-based controls narrow what a compromised account can do after authentication. By restricting connection types, device or IP scope, workstation access, and concurrent sessions, defenders reduce the blast radius of stolen credentials. Monitoring then closes the loop by flagging unusual access attempts, blocked connections, and failed MFA events. This matters because ransomware activity is often visible as abnormal movement before encryption begins. The most useful controls are those that make lateral movement noisy, constrained, and harder to repeat across accounts and endpoints.
Practical implication: pair access constraints with alerting so compromise becomes observable before it becomes domain-wide.
Threat narrative
Attacker objective: The attacker aims to turn one compromised credential into broad internal control, then use Active Directory access to support ransomware deployment and maximise disruption.
- Entry typically begins with a weak or stolen account credential that gives the attacker an initial foothold in the network. Once inside, the attacker uses that foothold to reach internal identity infrastructure rather than attacking every asset directly.
- Escalation happens when the attacker targets Active Directory domain controllers, harvested credentials, or trusted sessions to expand privileges and move laterally through the environment. The goal is to operate invisibly behind existing defenses while increasing reach.
- Impact occurs when the attacker gains enough domain-level access to disable defences, move through internal systems, and support ransomware deployment at scale. In this model, AD compromise turns a local intrusion into enterprise-wide disruption.
Breaches seen in the wild
- Cisco Active Directory credentials breach — Kraken ransomware group leaked Cisco Active Directory credentials.
- MongoBleed breach — MongoBleed exposed secrets across 87K MongoDB servers.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Active Directory ransomware is an identity governance problem, not just a malware problem. The article is right to emphasise MFA and internal controls, but the deeper issue is that many public sector programmes still treat AD as a directory service rather than the control plane that decides how far a stolen credential can travel. Ransomware succeeds when identity is trusted too broadly inside the environment. Practitioners need to govern AD as an enforcement layer, not merely an authentication layer.
Standing access inside legacy identity stacks creates the conditions ransomware actors want. Tight budgets and older infrastructure do not just slow remediation, they preserve default trust relationships that attackers can reuse once they land. That is why the relevant failure mode is identity blast radius: one compromised account can still open too many internal doors if session scope and privilege boundaries are weak. The implication is that internal trust assumptions must be reduced before an intruder ever reaches AD.
Session-level enforcement is the right control primitive for compromised account defence. MFA at sign-in is necessary, but ransomware operators care about what a valid account can still do after authentication. Controls that bind access to workstation, device, connection type, or location make lateral movement harder to automate and easier to detect. The field should stop treating post-login governance as optional hardening. Practitioners should measure how much privilege remains usable after initial compromise.
Public sector ransomware exposure exposes a governance mismatch between threat reality and identity operating models. Many government environments still assume that budget constraints justify lighter identity controls, yet attackers increasingly target sectors where disruption itself is the payoff. That assumption fails when the adversary does not need ransom payment to win. The implication is that identity programmes must prioritise containment and observability over assumptions about attacker economics.
AD visibility gaps make detection dependent on attacker mistakes. When a core identity platform has no built-in monitoring, defenders only learn about compromise after privilege escalation or encryption activity becomes obvious. That is not monitoring, it is delayed discovery. Practitioners should treat missing AD telemetry as a governance defect, because if the control plane cannot be observed, it cannot be governed.
From our research:
- The average estimated time to remediate a leaked secret is 27 days, despite 75% of organisations expressing strong confidence in their secrets management capabilities, according to The State of Secrets in AppSec.
- Only 44% of developers are reported to follow security best practices for secrets management, exposing a significant developer behaviour gap.
- That gap is why identity teams should also review Ultimate Guide to NHIs , Lifecycle Processes for Managing NHIs alongside AD hardening, because lifecycle control and runtime access control have to work together.
What this signals
Identity teams should expect more pressure to treat internal access as a containment problem, not a login problem. In environments where AD remains the internal authority, the useful question is not whether MFA exists, but how much access remains usable after a credential is validated. The programme signal is clear: session governance, alerting, and privileged access boundaries now matter as much as perimeter authentication.
Identity blast radius is the concept public sector teams need to operationalise. The phrase describes how far a compromised account can travel before it is stopped by policy, telemetry, or approval. When a legacy environment still allows broad trust after login, the blast radius becomes the real measure of ransomware exposure, not the number of authentication checkpoints.
As secret exposure and credential misuse remain persistent operational issues, the control stack has to connect AD, PAM, and lifecycle governance. For teams maturing their programmes, the practical shift is to treat leaked or misused credentials as a governance signal that should feed access review, privilege scoping, and incident response together, not as separate workstreams.
For practitioners
- Map AD attack paths before hardening the perimeter. Inventory which accounts, admin groups, and connection types can reach domain controllers or privileged resources, then identify where one stolen credential could still move laterally without additional challenge.
- Enforce MFA at the point of privilege use. Require step-up authentication for administrative actions, UAC prompts, and high-risk connection types so a compromised session cannot freely reuse trust after the initial login.
- Constrain sessions by device and context. Limit access by workstation, IP range, department, country, and connection type so compromised credentials have less room to move across legacy networks.
- Instrument alerts for abnormal AD behaviour. Set alerts for blocked connections, repeated MFA failures, unusual connection types, and access from unexpected locations, then route them to teams that can respond before attacker movement spreads.
Key takeaways
- Ransomware in government is fundamentally an identity containment problem because attackers often turn one stolen credential into broad internal access through Active Directory.
- MFA is necessary but insufficient on its own, because post-login session scope and monitoring determine how far an attacker can move once authenticated.
- Public sector teams should prioritise access boundaries, alerting, and AD visibility before assuming legacy identity infrastructure can absorb modern ransomware tactics.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-4 | Identity controls and least privilege are central to limiting ransomware spread through AD. |
| NIST Zero Trust (SP 800-207) | Zero Trust requires continuous verification inside the network, not only at sign-in. | |
| OWASP Non-Human Identity Top 10 | NHI-03 | Credential misuse and poor lifecycle control are core NHI failure modes in AD-adjacent environments. |
Map AD access paths to PR.AC-4 and reduce internal trust wherever a stolen credential could move laterally.
Key terms
- Active Directory: Active Directory is Microsoft’s identity and directory service used to authenticate users, manage groups, and control access across many on-premises Windows environments. In security terms, it is often the internal authority that determines how far a credential can be trusted once a user is inside the network.
- Identity blast radius: Identity blast radius is the amount of access an attacker can reach after compromising one account. It measures how much trust remains usable after authentication, including privilege scope, session reuse, and lateral movement paths. Smaller blast radius means tighter internal containment and less opportunity for ransomware spread.
- Session-based access control: Session-based access control limits what a user or account can do after login by checking context such as device, location, connection type, or time. It is especially useful in legacy identity environments because it reduces the value of a stolen credential even after authentication succeeds.
- Lateral movement: Lateral movement is the process attackers use to move from one compromised system or account to another inside a network. In identity-heavy environments, it often depends on reused credentials, overbroad privilege, or weak internal verification, which is why containment controls matter as much as perimeter defenses.
What's in the full article
IS Decisions' full article covers the operational detail this post intentionally leaves for the source:
- Practical configuration guidance for applying MFA to AD sessions and connection types without forcing an identity provider migration.
- Examples of session and contextual controls that can restrict workstation, IP range, country, department, and connection-type access.
- Monitoring and alert criteria for unusual access attempts, blocked connections, and MFA failures across Active Directory activity.
- Deployment considerations for on-premises environments running existing AD policies on a single server.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or governance in your organisation, it is worth exploring.
Published by the NHIMG editorial team on 2026-04-29.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org