Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

Identity-first ransomware in manufacturing: are AD controls keeping up?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 12212
Topic starter  

TL;DR: Ransomware affected 78% of respondents in the past year and 83% of attacks on global manufacturing organisations compromised identity infrastructure, according to Semperis, with Foxconn used as a current example of how identity-first intrusion can precede exfiltration, domain dominance, and recovery disruption. Recovery speed matters less than proving AD can be restored to a clean state.

NHIMG editorial — based on content published by Semperis: why ransomware hits identity first and how the identity-first kill chain works

By the numbers:

Questions worth separating out

Q: What breaks when ransomware reaches Active Directory first?

A: When ransomware reaches Active Directory first, the attacker often gains the control plane for access, privilege, and trust.

Q: Why does identity compromise make ransomware harder to recover from?

A: Identity compromise makes recovery harder because the directory can preserve attacker access even after affected servers are rebuilt.

Q: How should manufacturers reduce identity-led ransomware risk?

A: Manufacturers should reduce risk by mapping privileged identity paths, removing standing access from service and admin accounts, and validating that backup recovery does not depend on compromised identity state.

Practitioner guidance

  • Map identity attack paths into production scope Use directory-specific visibility to trace how a standard account could reach domain-admin equivalents, backup controllers, or plant-critical systems.
  • Remove standing privilege from service and admin accounts Review Kerberoastable accounts, unconstrained delegation, stale administrators, and broad ACLs.
  • Validate clean recovery for Active Directory Test whether the forest can be rebuilt without restoring attacker persistence, and confirm that backups, privileged groups, and domain controller state are trusted before declaring recovery complete.

What's in the full article

Semperis's full analysis covers the operational detail this post intentionally leaves for the source:

  • Step-by-step identity-first attack progression in manufacturing environments, including how attackers move from credential access to domain control.
  • Tooling details for Purple Knight, Forest Druid, Directory Services Protector, and Active Directory Forest Recovery.
  • Recovery process guidance for proving a clean forest rebuild rather than a fast but untrusted restore.
  • Control-area breakdowns for AD delegation, hybrid identity monitoring, and backup validation in production environments.

👉 Read Semperis' analysis of identity-first ransomware in manufacturing →

Identity-first ransomware in manufacturing: are AD controls keeping up?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 11787
 

Identity-first ransomware succeeds because Active Directory is treated as infrastructure, not as the trust anchor. That assumption fails in manufacturing because the directory is the control plane for production access, backup access, and escalation paths across hybrid environments. When identity is compromised, the attacker does not need to break into every downstream system one by one. The implication is that identity governance has to be treated as operational resilience, not just account administration.

A few things that frame the scale:

  • 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, with 46% confirmed and 26% suspected, according to 2024 ESG Report: Managing Non-Human Identities.
  • Two-thirds of enterprises have endured a successful cyberattack resulting from compromised non-human identities, with a quarter encountering multiple attacks, which shows how often identity compromise becomes repeat intrusion.

A question worth separating out:

Q: Who is accountable when identity-first ransomware interrupts production?

A: Accountability sits across identity, infrastructure, backup, and operational resilience teams because the failure is a shared trust layer. The right ownership model treats AD and related identity services as part of business continuity, with clear recovery criteria, tested runbooks, and executive oversight for privileged access and restoration readiness.

👉 Read our full editorial: Identity-first ransomware in manufacturing exposes AD as the attack surface



   
ReplyQuote
Share: