By NHI Mgmt Group Editorial TeamPublished 2025-12-03Domain: Governance & RiskSource: Commvault

TL;DR: Ransomware recovery often fails first at identity, with more than 78% of human-operated attacks involving domain controller breaches and typical downtime measured in 22 days, according to Commvault. The practical lesson is that data recovery without clean AD and Entra ID restoration leaves organisations locked out of their own environment.


At a glance

What this is: This is a ransomware resilience analysis that argues identity systems, especially Active Directory and Entra ID, are often the first and most disabling casualties.

Why it matters: It matters because IAM, PAM, and recovery teams need identity restoration to be part of business continuity, not an afterthought to data backup.

By the numbers:

👉 Read Commvault's analysis of ransomware resilience for Active Directory and Entra ID


Context

Ransomware exposes a basic identity governance failure: organisations often protect data more carefully than the identity systems that control access to it. When Active Directory or Entra ID is corrupted, patched, or unavailable, recovery stalls because authentication, authorisation, and trust relationships cannot be re-established cleanly.

For identity teams, the real problem is not just encryption or outage. It is the loss of the control plane that makes the rest of the environment recoverable, which is why identity resilience has to sit alongside backup strategy, privileged access design, and disaster recovery planning.

Commvault frames the issue through a hurricane analogy, but the underlying point is operational: if you cannot restore identity from a clean state, you cannot prove ownership, re-enter systems, or safely bring services back online.


Key questions

Q: What breaks when Active Directory is unavailable during a ransomware recovery?

A: Authentication, authorisation, and trust restoration break first. If Active Directory is unavailable, organisations may still have data backups but they cannot reliably re-establish access to systems, users, and services. Recovery must therefore begin with clean identity restoration, or the rest of the environment remains locked out.

Q: Why do identity systems make ransomware recovery harder?

A: Identity systems define who can access what, and ransomware often targets that control plane directly. When directory services, trust relationships, or cloud identity settings are compromised, the organisation loses the mechanism needed to validate access and coordinate restore actions. That is why identity loss turns an outage into a prolonged recovery event.

Q: How do organisations know if their identity recovery plan is actually working?

A: The strongest signal is whether authentication can be restored from clean backups without reintroducing malicious changes or broken trust relationships. If users, administrators, and critical services can regain access quickly after a full recovery test, the plan is working. If not, the backup strategy is incomplete.

Q: Who is accountable for restoring identity after a ransomware incident?

A: Accountability usually spans IAM, infrastructure, security operations, and disaster recovery leadership because identity restoration sits across all four domains. The owning team should be defined before an incident, with clear runbooks for directory recovery, privileged access validation, and cloud identity synchronisation. Without that ownership, recovery becomes fragmented and slow.


Technical breakdown

Why ransomware recovery collapses when identity is lost

Ransomware does not only encrypt files. In many incidents, it disables the systems that prove who is allowed back into the environment, especially Active Directory and Entra ID. Those directories hold authentication state, group membership, trust relationships, and policy dependencies. If they are compromised, even clean backups of applications and data remain hard to use because the organisation has lost the identity fabric needed to authorise recovery actions. That is why identity restoration is not a secondary task. It is the prerequisite for rebuilding access, trust, and operational control.

Practical implication: treat AD and Entra ID restoration as a primary recovery objective, not a downstream infrastructure task.

Why immutable backups matter for directory recovery

A directory backup is only useful if it is clean, current enough, and isolated from the compromise. Immutable and air-gapped copies reduce the chance that ransomware persistence or credential tampering is reintroduced during restoration. For identity environments, this includes system state, directory configuration, privileged role mappings, and cloud identity policy settings. Recovery that uses contaminated backups can recreate the breach path instead of closing it. The operational goal is not simply to recover fast, but to recover without reimporting malicious changes or broken trust relationships.

Practical implication: keep offline, immutable identity backups and validate them before relying on them in a restore scenario.

How full-forest recovery differs from ordinary disaster recovery

A standard backup restore often assumes applications can come back once data is available. Full-forest recovery is different because it rebuilds the identity domain itself, including domain controllers, trusts, and the configuration dependencies that make authentication possible. In hybrid estates, Entra ID settings and on-prem directory state must be restored in sync or users, devices, and services can remain stranded. The key technical issue is coordination across identity tiers, not just file recovery. Without that, the organisation may recover storage but still lack a usable access model.

Practical implication: test forest-level recovery as a separate scenario from data restore and include cloud identity in the exercise.


Threat narrative

Attacker objective: The attacker aims to paralyse operations by breaking the identity layer that would otherwise let the organisation recover and resume access.

  1. Entry occurs through weak credentials, unpatched systems, or flat network paths that give attackers a foothold in the environment.
  2. Escalation follows when domain controllers, directory stores, or trust relationships are breached, allowing attackers to disable identity services and widen lockout impact.
  3. Impact is operational paralysis because authentication, authorisation, and recovery workflows stop functioning, leaving the organisation unable to re-enter systems or restore trust.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Identity resilience is now a business continuity control, not just an IAM concern. The article is correct to treat identity loss as the point where ransomware turns from disruption into lockout. When Active Directory or Entra ID fails, the organisation loses the ability to authenticate, authorise, and trust its own systems. Practitioners should stop treating identity restoration as an adjacent recovery task and treat it as part of resilience design.

Clean, immutable identity backups are the difference between recovery and reinfection. Directory backups that are not isolated from the compromise can preserve malicious changes, broken trust links, or poisoned policy state. The resilience lesson is simple: if the backup can be altered by the same blast radius that hit production, it is not a recovery asset. Identity teams should assume contaminated restore paths until proven otherwise.

Full-forest recovery exposes the gap between data protection and identity protection. Many recovery programmes can restore storage before they can restore access. That sequencing is backwards for directory-driven environments because business services depend on identity being operational first. The implication is that recovery architectures must be built around the control plane, not only the data plane.

Identity blast radius is the right concept for ransomware planning. A directory outage does not stay confined to one server or one application. It spreads through trust chains, role dependencies, and authentication policies, which is why a single compromise can force a forest rebuild. Practitioners should map how far an identity failure propagates before they define recovery objectives.

Role-based access and privileged identity controls reduce the damage window, but they do not replace recovery design. The article’s strongest point is that prevention and restoration are linked. Limiting blast radius helps, yet organisations still need rehearsed restore paths for AD and Entra ID because no access-control model survives a fully disrupted identity layer without recovery capability.

From our research:

  • 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures, according to Ultimate Guide to NHIs.
  • Only 5.7% of organisations have full visibility into their service accounts, which means many recovery plans cannot verify which non-human identities remain active after an incident.
  • Forward pivot: The NHI Lifecycle Management Guide explains how provisioning, rotation, and offboarding controls reduce the chance that stale identity state survives a recovery event.

What this signals

Identity recovery will become a board-level resilience metric. Ransomware planning is moving away from backup volume and toward the speed at which identity can be restored cleanly. With 97% of NHIs carrying excessive privileges according to our Ultimate Guide to NHIs, blast-radius control and recovery sequencing now belong in the same programme conversation.

Identity blast radius: the scope of systems that fail when one directory or access control layer is compromised. Programmes that cannot model that blast radius will overestimate their recovery readiness and underestimate how long lockout will persist after a ransomware event.

Identity teams should expect more convergence between disaster recovery, PAM, and identity governance because clean restoration depends on all three. The practical watchpoint is whether identity state, privileged access, and cloud policy can be rebuilt together without relying on the compromised environment.


For practitioners

  • Inventory identity recovery dependencies Map every service, application, device, and privilege path that depends on Active Directory or Entra ID before defining recovery priorities. Include trust relationships, conditional access dependencies, and privileged role assignments so you know which business services fail first when identity is unavailable.
  • Maintain isolated, immutable identity backups Store clean copies of directory state, configuration, and cloud identity policy in an air-gapped or otherwise isolated location. Validate that the backup set cannot be modified by the same administrative pathways used in production.
  • Run full-forest recovery drills Exercise complete AD recovery scenarios, not just file restores, and include Entra ID restoration in hybrid environments. Measure how long it takes to restore authentication, not just how quickly data returns.
  • Limit identity blast radius before an incident Use privileged identity management, segmentation, and role-based access to reduce how far a compromised account can move. The goal is to keep a directory compromise from becoming a full trust-chain collapse.
  • Validate recovery against reinfection paths After every restore, check for residual credential contamination, broken trust links, and policy drift before re-opening access. Validation should be part of the recovery runbook, not an afterthought.

Key takeaways

  • Ransomware recovery often fails at the identity layer first, because losing AD or Entra ID breaks authentication, trust, and access restoration.
  • The scale of the problem is operational as well as financial, with ransomware downtime measured in weeks and recovery costs regularly reaching seven figures.
  • Identity-aware resilience requires immutable backups, full-forest recovery drills, and blast-radius reduction before an incident occurs.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 and MITRE ATT&CK address the attack and risk surface, while NIST CSF 2.0, NIST Zero Trust (SP 800-207) and NIST SP 800-53 Rev 5 set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
OWASP Non-Human Identity Top 10NHI-03The article centres on credential and identity recovery failures after ransomware.
NIST CSF 2.0RC.RP-1Recovery planning is the core issue when identity services are hit by ransomware.
NIST Zero Trust (SP 800-207)Zero Trust is referenced as the model for limiting blast radius and validating access.
NIST SP 800-53 Rev 5CP-9Backup and recovery controls directly apply to AD and Entra ID restoration.
MITRE ATT&CKTA0006 , Credential Access; TA0040 , ImpactThe incident pattern involves credential compromise followed by operational lockout.

Treat directory backups, secret hygiene, and offboarding state as part of the NHI recovery baseline.


Key terms

  • Identity Blast Radius: The amount of infrastructure, access, and business process that fails when one identity layer is compromised. In directory-driven environments, blast radius often spreads through trust chains, privileged roles, and dependent services, which is why recovery planning must model identity dependencies, not just server failure.
  • Full-Forest Recovery: A recovery approach that rebuilds an entire Active Directory forest rather than restoring isolated components. It is used when directory trust, replication, or control plane integrity is suspect, and it must be coordinated with cloud identity settings in hybrid environments so access can be re-established cleanly.
  • Immutable Identity Backup: A backup copy of identity state or configuration that cannot be changed by production administrative paths. This matters because restore media that can be altered by the same compromise path as live identity may reintroduce malicious settings, stale trust, or credential contamination during recovery.
  • Identity Restoration Sequencing: The order in which authentication, trust, directory services, and dependent applications are brought back online after a major incident. In ransomware events, the sequence matters because restoring data before identity can leave the organisation with usable files but no secure way to access them.

What's in the full article

Commvault's full article covers the operational detail this post intentionally leaves for the source:

  • The article lays out the full hurricane-to-ransomware analogy used to structure the resilience argument.
  • It includes the complete assess, protect, isolate, recover, evolve blueprint for identity recovery planning.
  • It describes Commvault's full forest recovery and Entra ID protection workflow in more implementation detail.
  • It expands the FAQ with recovery sequencing guidance for AD, cloud identity, and trust restoration.

👉 Commvault's full article covers the identity recovery blueprint, forest restore sequence, and resilience guidance in more detail.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building or maturing an IAM, PAM, or identity resilience programme, it is worth exploring.
NHIMG Editorial Note
Published by the NHIMG editorial team on 2025-12-03.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org