Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

Active Directory MFA gaps: what ransomware teams miss


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 9773
Topic starter  

TL;DR: Financial services ransomware remains stubbornly common, with Sophos reporting that 65% of surveyed organisations were affected in 2024, while the article argues that inconsistent MFA, weak privilege controls, and limited AD monitoring still leave authentication gaps attackers can exploit. The core issue is not the existence of controls, but their uneven application across accounts and access paths.

NHIMG editorial — based on content published by IS Decisions: MFA gaps in Active Directory ransomware defence

By the numbers:

Questions worth separating out

Q: How should teams enforce MFA consistently across Active Directory accounts?

A: Start by identifying every account that can authenticate into AD, including admin, service, break-glass, and remote-access accounts.

Q: Why do compromised credentials still lead to ransomware in well-defended networks?

A: Because many environments protect initial login better than they protect post-authentication movement.

Q: What do security teams get wrong about MFA in hybrid Windows environments?

A: They often treat MFA as a sign-in project instead of an access-governance control.

Practitioner guidance

  • Audit MFA coverage across every AD account Inventory all interactive, administrative, service, and exception accounts, then verify that MFA is enforced consistently across primary sign-in and privileged access paths.
  • Protect privilege elevation separately Require step-up verification for Windows UAC prompts and any other path that raises privilege after initial authentication, rather than assuming the first login is enough.
  • Constrain stolen-session utility Use contextual access rules to limit concurrent sessions, high-risk device combinations, and anomalous location or session-type patterns so a compromised credential cannot roam freely.

What's in the full article

IS Decisions' full article covers the operational detail this post intentionally leaves for the source:

  • Configuration guidance for applying MFA alongside existing Active Directory policies
  • Examples of contextual controls for device, geolocation, session type, and concurrent sessions
  • Details on how session-based alerts and monitoring work in an on-prem Windows network
  • Practical discussion of how to reduce lateral movement risk during privilege elevation

👉 Read IS Decisions' analysis of MFA gaps in Active Directory ransomware defence →

Active Directory MFA gaps: what ransomware teams miss?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 9257
 

Standing authentication exceptions are the real ransomware liability. The article shows that MFA exists in many environments but is applied unevenly, especially where legacy AD estates create friction. That means the problem is not control absence alone, but policy drift across accounts, elevation paths, and hybrid access. For IAM leaders, the lesson is that every exception becomes part of the attack surface.

A few things that frame the scale:

  • 1 in 4 organisations are already investing in dedicated NHI security capabilities, with an additional 60% planning to do so within the next twelve months, according to The State of Non-Human Identity Security.
  • Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities.

A question worth separating out:

Q: Who is accountable when a stolen credential is used to trigger ransomware through Active Directory?

A: Accountability sits with the teams that own identity policy, privileged access, and exception management, not just endpoint security. If MFA coverage is incomplete or elevation paths are unprotected, identity governance owns part of the failure. Frameworks such as NIST CSF and zero trust architecture expect access to be continuously verified, not assumed safe after first login.

👉 Read our full editorial: MFA gaps in Active Directory keep ransomware risk high



   
ReplyQuote
Share: