TL;DR: Healthcare ransomware attacks spiked 30% in 2025, and the article argues that Active Directory remains a prime target because compromising a domain controller can enable lateral movement, privilege escalation, and disruptive encryption, according to IS Decisions. The deeper issue is that AD’s monitoring gaps and weak contextual controls leave security teams seeing compromise only after the attacker has already expanded.
NHIMG editorial — based on content published by IS Decisions: Active Directory security against ransomware in healthcare environments
By the numbers:
Questions worth separating out
Q: What breaks when Active Directory is not closely monitored during a ransomware attack?
A: When Active Directory is not closely monitored, attackers can enumerate accounts, identify privilege paths, and move laterally long before defenders realise the directory has been compromised.
Q: Why does Active Directory compromise increase ransomware blast radius so quickly?
A: Active Directory increases blast radius because it centralises identity, group membership, and trust relationships.
Q: How should security teams reduce lateral movement through Active Directory?
A: Security teams should combine MFA, contextual access restrictions, and account-level monitoring on every path into AD, especially remote access and privileged administration.
Practitioner guidance
- Harden domain controller access paths Restrict exposure of VPN, RDP, IIS, and other public entry points that can be used to establish a bridgehead, and enforce MFA on every remote authentication path.
- Monitor directory reconnaissance early Alert on unusual domain administrator lookups, service account enumeration, and abnormal access from low-privilege accounts so reconnaissance is visible before escalation.
- Apply contextual session restrictions Use device, IP range, workstation, department, and connection-type restrictions to reduce where a stolen session can be reused inside AD.
What's in the full article
IS Decisions' full article covers the operational detail this post intentionally leaves for the source:
- How UserLock applies MFA on top of existing AD policies without reconfiguring domain policy design
- The specific session and contextual control options available for workstation, device, IP range, OU, department, country, and time
- Alert tuning examples for blocked logons, MFA rejections, and unusual access patterns
- The vendor's practical explanation of how its controls aim to reduce lateral movement risk in on-premise AD
👉 Read IS Decisions' analysis of Active Directory defence against ransomware →
Active Directory defence: what healthcare IAM teams are missing?
Explore further
Active Directory blindness is the real failure mode here. The article shows that attackers do not need a novel exploit when they can operate inside a directory environment with weak visibility, broad read access, and delayed detection. Once AD compromise becomes visible only after lateral movement has started, the programme has already lost its best containment opportunity. The practical conclusion is that directory observability is a governance control, not a monitoring add-on.
A few things that frame the scale:
- 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, according to The State of Non-Human Identity Security.
- Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities.
A question worth separating out:
Q: Who is accountable when Active Directory security failures disrupt healthcare operations?
A: Accountability should sit with both identity governance and infrastructure security leadership, because AD is a shared control plane rather than a single-team asset. Healthcare organisations also need continuity owners involved, since directory outages affect patient-facing services and not only technical access. That makes AD resilience a cross-functional obligation.
👉 Read our full editorial: Active Directory blindness leaves healthcare ransomware with room to move