TL;DR: Ransomware crews are increasingly targeting Active Directory and domain controllers because compromise of the identity core turns a local foothold into broad enterprise control, as illustrated by Marks & Spencer and Change Healthcare, according to Illumio. Identity-layer containment, not just endpoint defense, now defines whether lateral movement becomes full compromise.
NHIMG editorial — based on content published by Illumio: Ransomware Containment Beyond the Gate, Zero Trust and the Defense of Active Directory
Questions worth separating out
Q: How should security teams protect Active Directory from ransomware lateral movement?
A: Security teams should protect Active Directory by limiting who and what can reach domain controllers, reducing flat east-west paths, and monitoring identity activity that signals reconnaissance or privilege expansion.
Q: Why does compromise of a domain controller create such a large ransomware blast radius?
A: Compromise of a domain controller is so dangerous because it exposes the system that issues and validates trust across the environment.
Q: What breaks when service accounts have broad reach into identity infrastructure?
A: When service accounts have broad reach into identity infrastructure, attackers can reuse those paths after initial access, move laterally with less friction, and reach systems that were never meant to be broadly accessible.
Practitioner guidance
- Inventory every system that can reach Active Directory Map all workloads, admin paths, and service accounts that can communicate with domain controllers, then remove reachability that is not explicitly required for business function.
- Segment identity infrastructure from general east-west traffic Place domain controllers behind strict Zero Trust boundaries so ordinary servers, user segments, and legacy systems cannot traverse to them by default.
- Review service accounts that touch the identity core Identify old or over-permissioned service accounts, then reduce their permissions and eliminate direct paths to domain controllers where possible.
What's in the full article
Illumio's full blog covers the operational detail this post intentionally leaves for the source:
- How Illumio frames domain-controller segmentation in mixed cloud, data centre, and endpoint environments.
- Examples of lateral movement patterns and identity signals that the article associates with ransomware progress.
- The article's explanation of how graph-based visibility changes containment decisions in practice.
- The vendor's discussion of the Marks & Spencer and Change Healthcare cases in more operational detail.
👉 Read Illumio's analysis of ransomware containment and Active Directory defence →
Active Directory under ransomware pressure: what IAM teams should know?
Explore further
Identity-core compromise is the new ransomware centre of gravity: once attackers can reach Active Directory, they do not need to compromise the rest of the estate one asset at a time. The domain controller gives them trust relationships, account structure, and a path to privilege expansion that endpoint-centric defence cannot contain on its own. Practitioners should treat identity infrastructure as the primary containment boundary.
A few things that frame the scale:
- 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools, according to Ultimate Guide to NHIs.
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them, according to Ultimate Guide to NHIs , Lifecycle Processes for Managing NHIs.
A question worth separating out:
Q: Who is accountable for stopping ransomware before it reaches the identity core?
A: Accountability is shared across IAM, infrastructure, and security operations because the attack path crosses permissions, network reachability, and detection. If any one of those layers is too permissive, the attacker can continue moving toward the identity core. Governance should therefore cover both access scope and internal containment.
👉 Read our full editorial: Ransomware containment depends on defending the identity core