By NHI Mgmt Group Editorial TeamPublished 2025-12-11Domain: Governance & RiskSource: IS Decisions

TL;DR: Financial services ransomware remains stubbornly common, with Sophos reporting that 65% of surveyed organisations were affected in 2024, while the article argues that inconsistent MFA, weak privilege controls, and limited AD monitoring still leave authentication gaps attackers can exploit. The core issue is not the existence of controls, but their uneven application across accounts and access paths.


At a glance

What this is: This article argues that inconsistent MFA and weak Active Directory controls still leave ransomware attackers with a reliable path through compromised credentials.

Why it matters: It matters because Active Directory remains a control plane for both human and non-human access, and gaps there can turn a single credential failure into lateral movement and ransomware spread.

By the numbers:

👉 Read IS Decisions' analysis of MFA gaps in Active Directory ransomware defence


Context

The security gap here is straightforward: authentication controls only reduce ransomware risk when they are applied consistently across every account and access path. In Active Directory environments, that means MFA, privilege controls, and session oversight cannot stop at the first login or the most sensitive users.

For IAM teams, this is not just a perimeter issue. It is a governance problem across human accounts, service accounts, and privileged access in hybrid Windows estates, where a single compromised credential can become the entry point for lateral movement, escalation, and domain-wide impact.


Key questions

Q: How should teams enforce MFA consistently across Active Directory accounts?

A: Start by identifying every account that can authenticate into AD, including admin, service, break-glass, and remote-access accounts. Then enforce MFA at each usable entry point and remove exceptions that bypass the control for convenience. Consistency matters more than partial coverage because attackers only need one weak path to turn a credential into internal access.

Q: Why do compromised credentials still lead to ransomware in well-defended networks?

A: Because many environments protect initial login better than they protect post-authentication movement. If privilege elevation, session reuse, and internal access are not separately controlled, a valid credential can still move laterally and reach critical systems. Ransomware actors exploit the gap between authentication success and internal trust.

Q: What do security teams get wrong about MFA in hybrid Windows environments?

A: They often treat MFA as a sign-in project instead of an access-governance control. In hybrid estates, the real risk appears when MFA is not applied to every account, every privileged action, and every session context. That leaves a path for attackers to authenticate once and then expand access inside the network.

Q: Who is accountable when a stolen credential is used to trigger ransomware through Active Directory?

A: Accountability sits with the teams that own identity policy, privileged access, and exception management, not just endpoint security. If MFA coverage is incomplete or elevation paths are unprotected, identity governance owns part of the failure. Frameworks such as NIST CSF and zero trust architecture expect access to be continuously verified, not assumed safe after first login.


Technical breakdown

Why Active Directory credentials remain a ransomware foothold

Active Directory is often the control layer attackers target after initial credential theft because it centralises identity, group membership, and authorisation decisions. If a user or service credential is reused, over-permissioned, or protected inconsistently, the attacker can authenticate as a legitimate principal and then operate inside the environment. The article’s point is that this is not a novel exploit chain. It is an access-control failure that becomes exploitable when controls are partial, exception-driven, or limited to a subset of accounts.

Practical implication: map every AD account to its authentication requirements and close any MFA exceptions.

How MFA and privilege elevation controls block lateral movement

MFA on initial logon is useful, but it does not fully address post-authentication movement if privilege escalation paths remain open. The article highlights Windows UAC prompts as one example where stolen credentials can be used to chase higher privilege if the elevation step is not separately protected. Contextual controls add another layer by tying access to session type, device, location, and concurrency. That makes the stolen credential less reusable even when authentication succeeds.

Practical implication: apply MFA and step-up approval to privilege elevation, not only to primary sign-in.

Why session-based controls matter in on-prem and hybrid estates

Session-based access control limits the usefulness of a stolen credential after authentication. By constraining concurrent sessions, device context, geolocation, and time-based access, teams reduce the attack surface available to an intruder who has already crossed the first gate. In hybrid environments, this matters because the authentication perimeter is no longer a single wall. It is a chain of checks, and the weakest link is often the account that was exempted from a policy because it was deemed operationally inconvenient.

Practical implication: enforce contextual restrictions on all high-risk sessions and remove policy exemptions for convenience.


Threat narrative

Attacker objective: The objective is to turn one compromised credential into broad internal access that supports encryption, disruption, and control of the victim environment.

  1. Entry begins when an attacker obtains a valid credential, then uses it to authenticate against Active Directory or a perimeter-connected account that lacks consistent MFA coverage.
  2. Escalation follows when the attacker uses the authenticated session to reach domain controllers, privilege elevation paths, or other internal resources that were not separately protected.
  3. Impact occurs when the attacker moves laterally, disrupts core identity services, or deploys ransomware after the environment has already trusted the compromised credential.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Standing authentication exceptions are the real ransomware liability. The article shows that MFA exists in many environments but is applied unevenly, especially where legacy AD estates create friction. That means the problem is not control absence alone, but policy drift across accounts, elevation paths, and hybrid access. For IAM leaders, the lesson is that every exception becomes part of the attack surface.

Active Directory is still a governance system, not just a directory. Once attackers authenticate, the blast radius depends on how much privilege the directory silently concentrates and how many elevation paths remain unguarded. This is where NIST CSF access governance and OWASP NHI-style privilege discipline intersect with traditional IAM practice. The practical conclusion is that AD identity policy must be treated as operational risk management, not login configuration.

Context-aware access is now a control requirement for hybrid identity estates. The article’s focus on session limits, geolocation, device checks, and privilege prompts shows that credential validity alone is too weak a trust signal. When a stolen credential can be reused from a new context, the identity programme has lost visibility into who is acting and from where. Practitioners should treat context as a first-class authorisation input, not a bolt-on feature.

Credential trust debt: static trust assumptions outlive their usefulness in on-prem environments. MFA policies, once selectively deployed, can accumulate trust debt when administrators preserve legacy access patterns for convenience. That debt is paid by attackers who exploit the gaps between sign-in protection, elevation controls, and session oversight. The implication is simple: review where authentication policy still depends on historical exceptions instead of current risk.

From our research:

  • 1 in 4 organisations are already investing in dedicated NHI security capabilities, with an additional 60% planning to do so within the next twelve months, according to The State of Non-Human Identity Security.
  • Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities.
  • For a broader governance lens, see 52 NHI Breaches Analysis for recurring credential and privilege failure patterns.

What this signals

Credential trust debt: identity programmes that leave MFA inconsistent across accounts accumulate risk faster than they can remediate it. In hybrid environments, the control gap is not merely technical. It is organisational, because exceptions survive longer than the policy decisions that created them.

The next governance step is to treat sign-in, privilege elevation, and session context as one chain of control rather than separate projects. That is how identity teams reduce the gap between authentication success and internal compromise, especially where legacy AD still anchors operational access.

As access governance expands across human, machine, and increasingly autonomous actors, the lesson from this article becomes more transferable, not less. Continuous verification is now a programme design issue, not a single control choice.


For practitioners

  • Audit MFA coverage across every AD account Inventory all interactive, administrative, service, and exception accounts, then verify that MFA is enforced consistently across primary sign-in and privileged access paths.
  • Protect privilege elevation separately Require step-up verification for Windows UAC prompts and any other path that raises privilege after initial authentication, rather than assuming the first login is enough.
  • Constrain stolen-session utility Use contextual access rules to limit concurrent sessions, high-risk device combinations, and anomalous location or session-type patterns so a compromised credential cannot roam freely.
  • Remove policy exemptions for legacy access Review any account or network segment where MFA is partial, optional, or absent, and retire exceptions that persist only because the environment is old or inconvenient to change.

Key takeaways

  • The article’s core warning is that partial MFA coverage leaves identity gaps attackers can still exploit for ransomware.
  • The scale of the problem is reinforced by the financial services ransomware rate cited in the source, which shows that even security-conscious sectors remain exposed.
  • The practical fix is to govern authentication, privilege elevation, and session context as one control chain, not as isolated security tasks.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
NIST CSF 2.0PR.AC-4Covers access permissions and authentication governance in AD estates.
NIST Zero Trust (SP 800-207)AC-3Continuous verification fits the article’s emphasis on contextual access and session controls.
OWASP Non-Human Identity Top 10NHI-03Credential rotation and access discipline align with the article’s compromised credential theme.

Treat every standing credential path as an attack surface and remove unused or weakly governed access.


Key terms

  • Active Directory: Active Directory is Microsoft's directory service for managing identities, groups, and access across Windows environments. In practice, it becomes a control plane for authentication and authorization, so compromise or misconfiguration can give attackers broad reach across users, devices, and servers.
  • Contextual Access Control: Contextual access control evaluates attributes such as device, location, session type, and concurrency before allowing access. It reduces the value of stolen credentials because a successful login is not automatically trusted in every context or at every stage of a session.
  • Privilege Elevation: Privilege elevation is the process of moving from standard access to higher-risk administrative or system-level access. In identity governance, it is a critical checkpoint because attackers often exploit elevation paths after initial authentication rather than attacking the first login directly.

What's in the full article

IS Decisions' full article covers the operational detail this post intentionally leaves for the source:

  • Configuration guidance for applying MFA alongside existing Active Directory policies
  • Examples of contextual controls for device, geolocation, session type, and concurrent sessions
  • Details on how session-based alerts and monitoring work in an on-prem Windows network
  • Practical discussion of how to reduce lateral movement risk during privilege elevation

👉 The full IS Decisions article covers contextual access controls, session monitoring, and AD-specific protection details.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
NHIMG Editorial Note
Published by the NHIMG editorial team on 2025-12-11.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org