TL;DR: Ransomware crews are increasingly targeting Active Directory and domain controllers because compromise of the identity core turns a local foothold into broad enterprise control, as illustrated by Marks & Spencer and Change Healthcare, according to Illumio. Identity-layer containment, not just endpoint defense, now defines whether lateral movement becomes full compromise.
At a glance
What this is: This is an analysis of why ransomware groups target Active Directory and domain controllers, and why Zero Trust segmentation is needed to contain identity-core attacks.
Why it matters: It matters because IAM, PAM, and infrastructure teams share responsibility for the trust fabric that determines whether a single foothold becomes enterprise-wide compromise.
👉 Read Illumio's analysis of ransomware containment and Active Directory defence
Context
Ransomware containment fails when attackers can move from an initial foothold to the systems that govern trust, authentication, and permissions. In Active Directory environments, that means the domain controller becomes the real target because it defines who can access what across the enterprise. The primary problem is not encryption alone, but the attacker’s path to the identity core.
This is an identity governance problem as much as a security operations problem. If service accounts, authentication paths, and east-west connectivity remain broadly reachable, containment arrives too late and blast radius grows quickly. The article argues that Zero Trust segmentation and identity-aware visibility are required to stop that progression before domain controller compromise turns into enterprise takeover.
Key questions
Q: How should security teams protect Active Directory from ransomware lateral movement?
A: Security teams should protect Active Directory by limiting who and what can reach domain controllers, reducing flat east-west paths, and monitoring identity activity that signals reconnaissance or privilege expansion. The goal is to make the identity core difficult to discover, difficult to traverse, and easy to isolate before a foothold becomes enterprise compromise.
Q: Why does compromise of a domain controller create such a large ransomware blast radius?
A: Compromise of a domain controller is so dangerous because it exposes the system that issues and validates trust across the environment. Attackers can use that position to map accounts, permissions, and dependencies, then expand control far beyond the original intrusion point. That is why identity infrastructure must be treated as a containment boundary.
Q: What breaks when service accounts have broad reach into identity infrastructure?
A: When service accounts have broad reach into identity infrastructure, attackers can reuse those paths after initial access, move laterally with less friction, and reach systems that were never meant to be broadly accessible. Broad service-account reach turns normal operational trust into an attacker transport layer.
Q: Who is accountable for stopping ransomware before it reaches the identity core?
A: Accountability is shared across IAM, infrastructure, and security operations because the attack path crosses permissions, network reachability, and detection. If any one of those layers is too permissive, the attacker can continue moving toward the identity core. Governance should therefore cover both access scope and internal containment.
Technical breakdown
Why domain controllers are the ransomware prize
Domain controllers are the enforcement point for Active Directory, so they sit at the centre of trust relationships, authentication, and entitlement resolution. When attackers reach them, they do not need to compromise every endpoint. They can query accounts, inspect group memberships, harvest credentials, and understand which identities can reach critical systems. That makes the domain controller both a control plane and a treasure map. The exposure is not only data theft. It is the ability to extend privilege across the enterprise through the identity fabric itself.
Practical implication: treat the domain controller as a high-value identity asset, not a normal server, and restrict every path to it.
How lateral movement turns a small foothold into identity compromise
Ransomware crews often enter through a weak remote server, an unpatched system, or a credentialed account with too much reach. Once inside, they map the environment with ordinary-seeming activity such as domain trust checks, Kerberos queries, and service enumeration. Those actions rarely look catastrophic in isolation, but together they reveal the shortest route to the identity core. The problem is usually not one loud exploit. It is a sequence of permitted internal moves that were never meant to be chained together by an intruder.
Practical implication: monitor east-west movement and identity queries as a chain, not as isolated events.
Why Zero Trust segmentation matters around Active Directory
Zero Trust segmentation limits which systems and identities can talk to the domain controller, reducing the number of paths an attacker can use after initial entry. It works because ransomware operators depend on open internal connectivity and implicit trust between workloads. Segmentation does not stop every intrusion, but it narrows the blast radius and breaks the attacker’s easiest escalation route. In practical terms, this is about removing unnecessary reachability, especially from flat networks, legacy servers, and over-permissioned service accounts.
Practical implication: segment identity infrastructure so only explicitly required systems can reach Active Directory.
Threat narrative
Attacker objective: The attacker objective is to reach and compromise the identity core so a single foothold can be converted into broad control, extortion leverage, or full operational disruption.
- Entry began with a foothold in an exposed or weakly protected internal system, which gave attackers a way into the environment without immediately touching the domain controller.
- Escalation followed through lateral movement, identity reconnaissance, and privilege expansion until the attackers reached systems tied to Active Directory and its trust relationships.
- Impact came when the attackers exfiltrated identity data or disrupted the identity core, turning a contained intrusion into enterprise-wide outage and recovery pressure.
Breaches seen in the wild
- MITRE ATT&CK Enterprise Matrix — MITRE ATT&CK Enterprise — adversary tactics and techniques, threat detection, attack chain mapping, credential access, lateral movement, privilege escalation.
- Cisco Active Directory credentials breach — Kraken ransomware group leaked Cisco Active Directory credentials.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Identity-core compromise is the new ransomware centre of gravity: once attackers can reach Active Directory, they do not need to compromise the rest of the estate one asset at a time. The domain controller gives them trust relationships, account structure, and a path to privilege expansion that endpoint-centric defence cannot contain on its own. Practitioners should treat identity infrastructure as the primary containment boundary.
Flat east-west reachability is a governance failure, not just a network weakness: the article shows that attackers succeed when internal paths remain open between ordinary systems and domain controllers. That is a failure of segmentation policy, access scoping, and identity-aware routing. The practical conclusion is that lateral movement prevention belongs in identity governance as much as in network security.
Standing trust in service accounts is the failure mode ransomware crews exploit: old service accounts, broad permissions, and long-lived access make it easier for intruders to map and traverse the environment after the first foothold. This is not a theoretical NHI problem. It is the exact condition that turns a small intrusion into full compromise. Practitioners should prioritise accounts and paths that can reach the identity core without needing to.
Graph-based visibility is now a prerequisite for containment: logs alone do not show how accounts, workloads, and domain controllers depend on one another. The field needs relationship-aware visibility because attackers move through connections, not through alert queues. That means identity teams and security operations must share a common map of trust dependencies before the next ransomware crew uses them as an attack path.
From our research:
- 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools, according to Ultimate Guide to NHIs.
- From our research: Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them, according to Ultimate Guide to NHIs , Lifecycle Processes for Managing NHIs.
- Ransomware defence now depends on identity containment, not just detection, because trust relationships and exposed credentials determine how far an attacker can move.
- For a deeper view on breach patterns, see 52 NHI Breaches Analysis, which shows how identity exposure turns isolated incidents into enterprise events.
What this signals
Identity containment will become a board-level resilience metric: ransomware incidents that reach domain controllers expose how much an organisation still trusts internal reachability. Teams should expect segmentation, privilege scoping, and relationship-aware detection to be measured together rather than as separate programmes, especially where service accounts and shared infrastructure create hidden paths.
The governance lesson is straightforward. If identity systems can be reached from general-purpose networks, the organisation is still operating with implicit trust. The next phase of maturity is to combine least privilege, internal segmentation, and access-path mapping so that containment decisions can be made before the identity core is touched.
For practitioners
- Inventory every system that can reach Active Directory Map all workloads, admin paths, and service accounts that can communicate with domain controllers, then remove reachability that is not explicitly required for business function.
- Segment identity infrastructure from general east-west traffic Place domain controllers behind strict Zero Trust boundaries so ordinary servers, user segments, and legacy systems cannot traverse to them by default.
- Review service accounts that touch the identity core Identify old or over-permissioned service accounts, then reduce their permissions and eliminate direct paths to domain controllers where possible.
- Correlate identity queries with lateral movement signals Watch for unusual Kerberos activity, domain trust checks, and service enumeration in the same sequence, because those patterns often precede escalation toward the identity core.
- Contain suspected movement before the attacker reaches trust systems Use segmentation and isolation workflows that can cut off a compromised host before the intrusion chain completes its path to Active Directory.
Key takeaways
- Ransomware is increasingly an identity-core problem because attackers can turn domain controller reachability into enterprise-wide control.
- The evidence from recent incidents shows that a single foothold, followed by lateral movement, can produce outages, extortion pressure, and recovery failure at national scale.
- The control that matters most is containment around Active Directory, supported by segmentation, service-account review, and identity-aware visibility.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 and MITRE ATT&CK address the attack and risk surface, while NIST CSF 2.0, NIST SP 800-53 Rev 5 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | The article centers on exposed identity paths and over-privileged non-human access. |
| MITRE ATT&CK | TA0008 , Lateral Movement; TA0006 , Credential Access; TA0004 , Privilege Escalation | The attack chain relies on movement, credential abuse, and escalation toward the domain controller. |
| NIST CSF 2.0 | PR.AC-4 | Access permissions and internal reachability drive the containment gap described in the article. |
| NIST SP 800-53 Rev 5 | AC-6 | Least privilege is the central control principle for reducing domain-controller exposure. |
| NIST Zero Trust (SP 800-207) | Zero Trust segmentation is the article's main containment model for identity infrastructure. |
Use AC-6 to constrain account reach, especially service accounts and administrative paths to the identity core.
Key terms
- Domain Controller: A domain controller is the server that stores, enforces, and validates identity information in Active Directory. It authenticates users and systems, applies trust decisions, and acts as a central control point for access across the environment.
- Lateral Movement: Lateral movement is the process an attacker uses to move from one internal system to another after the initial entry point is established. In identity-heavy environments, it often depends on trusted connectivity, weak segmentation, and accounts that can reach more systems than they should.
- Identity Core: The identity core is the set of systems and controls that decide who is trusted and what they can access, including Active Directory, domain controllers, and associated authentication services. If this layer is compromised, attackers inherit the mechanisms that govern the rest of the environment.
What's in the full article
Illumio's full blog covers the operational detail this post intentionally leaves for the source:
- How Illumio frames domain-controller segmentation in mixed cloud, data centre, and endpoint environments.
- Examples of lateral movement patterns and identity signals that the article associates with ransomware progress.
- The article's explanation of how graph-based visibility changes containment decisions in practice.
- The vendor's discussion of the Marks & Spencer and Change Healthcare cases in more operational detail.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
Published by the NHIMG editorial team on 2025-12-11.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org