TL;DR: Ransomware affected 78% of respondents in the past year and 83% of attacks on global manufacturing organisations compromised identity infrastructure, according to Semperis, with Foxconn used as a current example of how identity-first intrusion can precede exfiltration, domain dominance, and recovery disruption. Recovery speed matters less than proving AD can be restored to a clean state.
NHIMG editorial — based on content published by Semperis: why ransomware hits identity first and how the identity-first kill chain works
By the numbers:
- 78% of respondents revealed they were targeted by ransomware in the previous 12 months.
- 83% of ransomware attacks on global manufacturing organizations compromised identity infrastructure.
- 96% of global organizations say they have a cyber crisis response plan.
Questions worth separating out
Q: What breaks when ransomware reaches Active Directory first?
A: When ransomware reaches Active Directory first, the attacker often gains the control plane for access, privilege, and trust.
Q: Why does identity compromise make ransomware harder to recover from?
A: Identity compromise makes recovery harder because the directory can preserve attacker access even after affected servers are rebuilt.
Q: How should manufacturers reduce identity-led ransomware risk?
A: Manufacturers should reduce risk by mapping privileged identity paths, removing standing access from service and admin accounts, and validating that backup recovery does not depend on compromised identity state.
Practitioner guidance
- Map identity attack paths into production scope: use directory-specific visibility to trace how a standard account could reach domain-admin equivalents, backup controllers, or plant-critical systems.
- Remove standing privilege from service and admin accounts: review Kerberoastable accounts, unconstrained delegation, stale administrators, and broad ACLs.
- Validate clean recovery for Active Directory: test whether the forest can be rebuilt without restoring attacker persistence, and confirm that backups, privileged groups, and domain controller state are trusted before declaring recovery complete.
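A read-only audit of three of the hygiene items above (Kerberoastable accounts, unconstrained delegation, stale Tier-0 administrators), written as an added example rather than code from Semperis or this post. It assumes the RSAT ActiveDirectory PowerShell module, a domain-joined account with read access, and a 90-day staleness threshold; the threshold and the Tier-0 group list are assumptions to adjust, and the broad-ACL review is left out.

```powershell
# Added example (not from the Semperis article or the NHIMG post): read-only
# audit of Kerberoastable accounts, unconstrained delegation and stale admins.
# Assumes the RSAT ActiveDirectory module and read access to the domain.
Import-Module ActiveDirectory

# 1. Kerberoastable accounts: enabled user objects that carry an SPN.
#    An old password on such an account is the main risk driver, so it is reported.
$kerberoastable = Get-ADUser -Filter { ServicePrincipalName -like '*' -and Enabled -eq $true } `
    -Properties ServicePrincipalName, PasswordLastSet, AdminCount |
  Select-Object SamAccountName, PasswordLastSet, AdminCount,
    @{ n = 'SPNs'; e = { $_.ServicePrincipalName -join ';' } }

# 2. Unconstrained delegation: any user or computer other than a domain
#    controller with TRUSTED_FOR_DELEGATION set can hold forwarded TGTs.
$dcs = (Get-ADDomainController -Filter *).Name
$unconstrained = @(Get-ADComputer -Filter { TrustedForDelegation -eq $true } -Properties TrustedForDelegation) +
                 @(Get-ADUser     -Filter { TrustedForDelegation -eq $true } -Properties TrustedForDelegation) |
  Where-Object { $dcs -notcontains $_.Name } |
  Select-Object Name, ObjectClass

# 3. Stale administrators: Tier-0 group members with no logon in 90 days
#    (assumed threshold and assumed group list; adjust to the environment).
$cutoff = (Get-Date).AddDays(-90)
$tier0  = 'Domain Admins', 'Enterprise Admins', 'Administrators', 'Schema Admins'
$staleAdmins = $tier0 | ForEach-Object {
    Get-ADGroupMember -Identity $_ -Recursive |
      Where-Object objectClass -eq 'user' |
      ForEach-Object { Get-ADUser $_ -Properties LastLogonDate, Enabled }
  } | Sort-Object SamAccountName -Unique |
  Where-Object { -not $_.LastLogonDate -or $_.LastLogonDate -lt $cutoff }

# One report object per finding, so successive runs can be diffed.
$report = @(
  $kerberoastable | ForEach-Object { [pscustomobject]@{ Finding = 'Kerberoastable'; Object = $_.SamAccountName; Detail = "pwdLastSet=$($_.PasswordLastSet) adminCount=$($_.AdminCount)" } }
  $unconstrained  | ForEach-Object { [pscustomobject]@{ Finding = 'UnconstrainedDelegation'; Object = $_.Name; Detail = $_.ObjectClass } }
  $staleAdmins    | ForEach-Object { [pscustomobject]@{ Finding = 'StaleAdmin'; Object = $_.SamAccountName; Detail = "lastLogon=$($_.LastLogonDate) enabled=$($_.Enabled)" } }
)
$report | Sort-Object Finding, Object | Format-Table -AutoSize
```

Export the `$report` objects (for example with `Export-Csv`) on each run so that newly appearing findings stand out against the previous baseline.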
What's in the full article
Semperis's full analysis covers the operational detail this post intentionally leaves for the source:
- Step-by-step identity-first attack progression in manufacturing environments, including how attackers move from credential access to domain control.
- Tooling details for Purple Knight, Forest Druid, Directory Services Protector, and Active Directory Forest Recovery.
- Recovery process guidance for proving a clean forest rebuild rather than a fast but untrusted restore.
- Control-area breakdowns for AD delegation, hybrid identity monitoring, and backup validation in production environments.
Read Semperis' analysis of identity-first ransomware in manufacturing: "Identity-first ransomware in manufacturing: are AD controls keeping up?"