TL;DR: ANUBIS ransomware attackers claimed a breach at Grand Rapids Controls and exposed engineering specifications, financial records, NDAs, directory structures, and employee data, according to Gurucul. The incident shows how broad file access and weak segmentation can turn one compromise into operational, legal, and fraud risk.
At a glance
What this is: A ransomware breach at Grand Rapids Controls exposed sensitive engineering, finance, HR, and contractual data, showing how broad file access can amplify operational impact.
Why it matters: Manufacturing, engineering, and enterprise IAM teams should treat directory sprawl, weak access scoping, and unrestricted file movement as identity and governance problems, not just security hygiene.
👉 Read Gurucul's analysis of the Grand Rapids Controls ransomware breach
Context
Grand Rapids Controls is a manufacturing and engineering data breach story, but the identity lesson is broader: once attackers reach shared repositories and internal directory structures, the blast radius is determined by access design, not by the initial intrusion alone. In environments like this, sensitive records are often grouped by function, which makes entitlement boundaries as important as perimeter defenses.
For IAM, IGA, and PAM teams, the critical question is how much sensitive data a compromised account can enumerate, copy, or traverse after first access. When engineering specifications, financial records, HR materials, and legal agreements sit behind loosely separated file paths, identity controls become the last meaningful line between a ransomware event and a full operational disclosure.
Key questions
Q: What breaks when shared file access is too broad in a ransomware incident?
A: Broad file access turns a single compromise into multi-domain exposure. If one account can read engineering, finance, HR, and legal content, attackers can steal high-value data without escalating into every system. That widens extortion leverage, increases fraud risk, and makes containment harder because the breach path is defined by entitlement scope, not just malware behaviour.
Q: Why do directory structures matter to IAM and security teams?
A: Directory structures reveal how access is organised and where sensitive information is concentrated. When folders mirror business functions but permissions are inherited or loosely controlled, an attacker can navigate the environment faster and find more valuable material. IAM teams should treat directory mapping as part of access governance because it exposes the real blast radius of an account.
Q: How can organisations reduce the impact of data theft after a ransomware breach?
A: Reduce the amount of sensitive data any one account can reach, especially across business functions. Then combine exfiltration monitoring with entitlement review so you can quickly identify which identities touched the affected repositories. That limits how much material attackers can leak, reuse for phishing, or weaponise for coercion.
Q: Who is accountable when broad file permissions enable a ransomware leak?
A: Accountability sits with the teams responsible for identity governance, data access design, and repository ownership. If permissions were never scoped to business need, or if recertification did not remove cross-functional access, the breach is a governance failure as much as a security event. Compliance, IAM, and data owners all need a shared view of access scope.
Technical breakdown
Why directory structures matter in ransomware breaches
Directory trees are not just storage conventions. They are access maps that often reveal how an organisation organises privilege, where sensitive material lives, and which groups can reach it. When a threat actor lands in a file share or document repository, folders such as Finance, HR, and Engineering can quickly expose high-value data without requiring deeper system compromise. In practical terms, the structure of the file system can accelerate reconnaissance, data harvesting, and follow-on targeting. Good identity governance should therefore treat folder-level access as an entitlement boundary, not an administrative convenience.
Practical implication: review shared repositories for folder-level overexposure and remove broad read access before a ransomware event turns into mass data exposure.
Why privileged file access turns one compromise into many
Ransomware groups often do not need domain domination to cause serious damage. If a compromised account has access to engineering documents, internal incident reports, contracts, and financial records, the attacker can extract multiple business functions from one foothold. That is an identity problem because the breach outcome depends on which accounts were allowed to move laterally across data domains. Least privilege only works when access is scoped to a task and periodically revalidated. Otherwise, one credential becomes a path into several separate risk surfaces, including legal, operational, and financial exposure.
Practical implication: map privileged file access to business function and remove cross-domain read permissions that are not essential to the role.
How exposed records support extortion and follow-on fraud
Once attackers exfiltrate sensitive documents, the breach shifts from containment to leverage. NDA agreements, engineering specifications, banking records, and employee data can be used to increase ransom pressure, impersonate staff, or seed targeted phishing against partners and employees. That makes post-exfiltration identity control as important as detection. Attackers frequently use stolen data to improve social engineering quality and to identify internal naming conventions, approvers, and vendors. The result is a longer tail of identity abuse that can continue well after the initial incident is closed.
Practical implication: pair exfiltration monitoring with account review and communication hardening so stolen organisational data cannot be reused for identity attacks.
Threat narrative
Attacker objective: The objective was to steal high-value business data, increase extortion leverage, and create long-tail fraud and reputational damage.
- Entry occurred through an initial compromise that let the ransomware group reach internal systems and shared data repositories.
- Escalation followed as the attackers accessed broad file locations containing engineering, finance, HR, and legal documents beyond a single business unit.
- Impact came through data exfiltration and public leak pressure, creating operational disruption, regulatory exposure, and downstream fraud risk.
Breaches seen in the wild
- MITRE ATT&CK Enterprise Matrix — MITRE ATT&CK Enterprise — adversary tactics and techniques, threat detection, attack chain mapping, credential access, lateral movement, privilege escalation.
- Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Directory sprawl is now an identity control problem, not a storage problem. Once attackers can see how Engineering, Finance, HR, and Legal content is organised, the file system becomes a map of entitlement weakness. That means the governance failure sits in how access was structured before the breach, not only in what the attacker stole. Practitioners should treat folder hierarchy as a control surface, not a convenience layer.
Cross-domain read access creates an identity blast radius that ransomware operators exploit directly. A single compromised account should not be able to move from operational documents into financial records and personnel files unless governance has already failed. The breach illustrates that least privilege must be evaluated across data domains, not just across applications or endpoints. Security teams should measure how many business functions each account can reach, because that number often predicts breach severity better than the initial attack vector.
Leak severity is determined by what the attacker can enumerate after access, not just by the compromise itself. Engineering specifications, NDAs, banking records, and directory structures each add a separate abuse path for extortion, impersonation, and targeted phishing. That is why NHI and human IAM teams need to look at information exposure together: a breached account with broad read access can become a credential for fraud even if no privileged system access was obtained. Practitioners should reassess which accounts can discover sensitive content at scale.
Identity governance for manufacturing environments has to include document access and internal directory mapping. The exposed material shows that regulated and commercially sensitive records can sit behind ordinary user entitlements rather than explicit privileged systems. That breaks the old assumption that only production systems or admin accounts matter in ransomware defence. The implication is that recertification, entitlement scoping, and data domain segmentation must extend to shared drives, document platforms, and directory structures.
ANUBIS-style extortion thrives when organisations cannot answer who could access what before the breach. The more difficult it is to reconstruct access scope across business units, the easier it is for attackers to turn one compromise into a company-wide disclosure event. That makes identity visibility a resilience requirement, not a back-office control. Practitioners should be able to prove which roles could reach which records before an incident occurs.
From our research:
- 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, according to The 2024 ESG Report: Managing Non-Human Identities.
- Enterprises that have experienced a compromised NHI averaged 2.7 separate incidents in the past 12 months, according to the same report.
- That pattern reinforces why many teams also use The 52 NHI breaches Report when mapping repeated compromise behaviour across identity estates.
What this signals
Manufacturing breaches like this are increasingly identity-shaped events: once attackers reach shared repositories, the programme weakness is not only detection but also the structure of access itself. Teams that still separate file governance from IAM will miss the control point that determines whether a compromise stays local or becomes enterprise-wide. A better model is to treat document repositories, directory structures, and entitlement reviews as one governance domain.
Identity blast radius: the usable reach of a compromised account across data domains, folders, and business functions. In practice, that means a single over-privileged user or service account can turn a ransomware event into a broad disclosure problem even without deep system compromise. Security leaders should measure blast radius per role and make that metric part of access review and incident planning.
The next maturity step is not just faster response. It is being able to prove, before an incident, which identities could enumerate which sensitive records and whether that access still matches business need. That is the difference between a contained theft event and a disclosure incident with legal, operational, and fraud consequences.
For practitioners
- Tighten folder-level entitlement boundaries Review shared drives, document repositories, and collaboration spaces so Engineering, Finance, HR, and Legal data are separated by explicit access groups rather than inherited broad permissions.
- Map cross-domain read access Inventory which accounts can read multiple business functions and remove any entitlement that lets one user or service account traverse unrelated sensitive datasets.
- Revalidate directory structures against business need Treat directory trees as governance objects and recertify them the same way you recertify application access, especially where internal folders reveal operating structure.
- Pair exfiltration monitoring with identity review When large file transfers or leak indicators appear, immediately review which identities had access to the affected repositories and whether those entitlements were broader than needed.
Key takeaways
- The breach shows that broad file access can turn one ransomware foothold into exposure across engineering, finance, HR, and legal data.
- The scale of harm depends on entitlement design and directory visibility, not just on the malware or initial entry point.
- Reducing cross-domain read access and recertifying shared repositories are the controls most likely to shrink breach blast radius.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 and MITRE ATT&CK address the attack and risk surface, while NIST CSF 2.0, NIST SP 800-53 Rev 5 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Broad file access and exposed sensitive data map to NHI credential and entitlement governance gaps. |
| MITRE ATT&CK | TA0009 , Collection; TA0010 , Exfiltration; TA0040 , Impact | The breach centers on data collection, exfiltration, and ransomware impact. |
| NIST CSF 2.0 | PR.AC-4 | Least privilege and access authorisation directly apply to shared data repositories. |
| NIST SP 800-53 Rev 5 | AC-6 | Least privilege is the core control for limiting what a compromised account can read. |
| NIST Zero Trust (SP 800-207) | Section 3.4 | Zero trust principles support limiting implicit trust in internal directories and shared storage. |
Map repository exposure to ATT&CK collection and exfiltration tactics, then tighten detection on bulk access and leakage.
Key terms
- Identity Blast Radius: The total amount of data, systems, and business functions a compromised identity can reach before controls stop it. In practice, this is a better indicator of breach severity than the first access point because it captures how much harm an attacker can cause from one account.
- Cross-Domain Read Access: Permission that lets one identity view information across multiple business areas that should be separated by function or sensitivity. It is often hidden inside inherited permissions and shared folders, and it becomes dangerous when attackers use one account to gather data from several departments at once.
- Directory Structure Exposure: The disclosure of how files and folders are organised inside an environment, including the names of departments, projects, and sensitive repositories. Attackers use it to navigate faster, identify high-value targets, and infer where to find documents that can drive extortion or follow-on fraud.
- Ransomware Leak Pressure: The use of stolen data as leverage after initial compromise, usually to force payment by threatening public release. It extends the incident beyond encryption because the attacker can weaponise documents, records, and organisational context to increase reputational and legal damage.
What's in the full article
Gurucul's full article covers the operational detail this post intentionally leaves for the source:
- The specific leaked data samples and how each category increases operational, legal, or fraud exposure.
- The article's own recommended control stack for reducing ransomware impact across user and system access.
- The incident context around the ANUBIS leak claim and how the exposure may affect affected stakeholders.
- The full list of prevention recommendations, including monitoring, segmentation, and incident response measures.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
Published by the NHIMG editorial team on 2025-11-27.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org