Ransomware and identity recovery: are your controls ready?


(@nhi-mgmt-group)
Member Moderator

TL;DR: 83% of successful attacks compromised identity infrastructure, while 76% of victims needed more than a day to return to normal operations and 52% of attacks landed on weekends or holidays, according to Semperis’ 2025 ransomware research. Recovery integrity, not just prevention, has become the board-level control that decides outage duration and business continuity.

NHIMG editorial — based on content published by Semperis: Ransomware risk, identity resilience, and what to change for 2026

By the numbers (Semperis, 2025 ransomware research):

  • 83% of successful attacks compromised identity infrastructure
  • 76% of victims needed more than a day to return to normal operations
  • 52% of attacks landed on weekends or holidays
Questions worth separating out

Q: What fails when ransomware reaches Active Directory or Entra ID?

A: When ransomware reaches identity infrastructure, the failure is not just encryption. The directory that every other restore authenticates against is itself no longer trustworthy: privileged group membership, AD-to-Entra ID synchronisation, and any persistence the attacker planted can all survive a file-level restore of the domain controllers.

Q: Why do ransomware attacks cause longer outages than many teams expect?

A: Outages last longer when organisations can restore systems but not trust. A domain controller restored from backup may still carry attacker-created admin accounts or altered privileges, so it cannot be put back into production until that state has been verified; the clock runs on verification, not on the restore itself.

Q: How should security teams test identity recovery readiness?

A: Teams should rehearse restoration of identity infrastructure as a separate scenario, not fold it into general backup testing.

Practitioner guidance

  • Make identity recovery a tier-0 control: Place Active Directory and Entra ID recovery ahead of application restoration in the crisis plan, and define what a trusted state means for each directory component, trust, and admin tier.
  • Test restoration against trust, not just availability: Run recovery exercises that verify privilege integrity, synchronisation health, and residual persistence after restore, then document failures as control gaps rather than operational noise.
  • Pre-authorise decision thresholds for low-coverage periods: Set explicit escalation rules, out-of-band communications, and on-call responsibilities for weekends, holidays, and major corporate events so identity containment does not wait on consensus.
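The "test against trust" point above is easiest to make concrete as a gate in the recovery runbook. The following is an added example, not Semperis tooling and not from the original post: it compares a known-good directory export with the export taken after restoring from backup and refuses to call the restore trusted while any residual persistence remains. The account names, SIDs, timestamps and the `COMPROMISE_START` value are constructed; the attribute names (`memberOf`, `whenCreated`, `adminCount`, `sIDHistory`) follow the AD schema, so in practice both snapshots would come from an LDAP export of the backup image and of the restored domain.

```python
"""Post-restore tier-0 integrity check.

Added example (not Semperis' tooling): compares a known-good directory
snapshot with the snapshot taken after restoring from backup and reports
residual persistence that would make the restored state untrusted.
Attribute names follow the AD schema; all data below is constructed.
"""
from datetime import datetime, timezone

TIER0_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators"}
# RIDs of privileged principals: an injected sIDHistory pointing at one of
# these grants the privilege without any visible group membership.
PRIVILEGED_RIDS = {"512", "518", "519", "544"}


def _parse_ts(ts):
    """Parse the ISO timestamp form used in the constructed export."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def _by_name(snapshot):
    return {acct["sAMAccountName"]: acct for acct in snapshot}


def find_residual_persistence(baseline, restored, compromise_start):
    """Return (account, reason) pairs for every deviation from the baseline
    that an attacker could have left behind in the restored directory."""
    findings = []
    base = _by_name(baseline)
    for name, acct in _by_name(restored).items():
        before = base.get(name)
        tier0_now = set(acct.get("memberOf", [])) & TIER0_GROUPS
        tier0_before = set(before.get("memberOf", [])) & TIER0_GROUPS if before else set()

        # 1. Privileged membership that the baseline never had.
        for group in sorted(tier0_now - tier0_before):
            findings.append((name, f"tier-0 membership absent from baseline: {group}"))

        # 2. Accounts created after the compromise began should not exist in a
        #    restore from a pre-incident backup; if they do, the backup image
        #    or a post-restore replication brought them back.
        if before is None and _parse_ts(acct["whenCreated"]) >= compromise_start:
            findings.append((name, "created after compromise start, survived restore"))

        # 3. adminCount flipped to 1: the account was (or is) in a protected
        #    group and its ACL no longer inherits. Review even if current
        #    membership looks clean.
        if acct.get("adminCount") == 1 and (before or {}).get("adminCount", 0) != 1:
            findings.append((name, "adminCount raised since baseline"))

        # 4. sIDHistory carrying a privileged RID grants tier-0 access that a
        #    membership-only check never sees.
        for sid in acct.get("sIDHistory", []):
            if sid.rsplit("-", 1)[-1] in PRIVILEGED_RIDS:
                findings.append((name, f"privileged SID in sIDHistory: {sid}"))
    return findings


def restore_is_trusted(baseline, restored, compromise_start):
    """Runbook gate: only promote the restored domain when the comparison is clean."""
    return not find_residual_persistence(baseline, restored, compromise_start)


# Constructed snapshots: a pre-incident baseline and the state after restore.
BASELINE = [
    {"sAMAccountName": "da-alice", "memberOf": ["Domain Admins"],
     "whenCreated": "2023-02-01T09:00:00Z", "adminCount": 1, "sIDHistory": []},
    {"sAMAccountName": "svc-backup", "memberOf": ["Backup Operators"],
     "whenCreated": "2023-06-10T11:30:00Z", "adminCount": 1, "sIDHistory": []},
    {"sAMAccountName": "helpdesk-bob", "memberOf": [],
     "whenCreated": "2024-03-15T08:00:00Z", "adminCount": 0, "sIDHistory": []},
]
RESTORED = [
    BASELINE[0],
    {**BASELINE[1], "memberOf": ["Backup Operators", "Domain Admins"]},
    {**BASELINE[2], "adminCount": 1},
    {"sAMAccountName": "svc-monitor2", "memberOf": [],
     "whenCreated": "2025-11-22T02:14:00Z", "adminCount": 0,
     "sIDHistory": ["S-1-5-21-1004336348-1177238915-682003330-512"]},
]
COMPROMISE_START = datetime(2025, 11, 21, 18, 0, tzinfo=timezone.utc)  # from the IR timeline (constructed)

if __name__ == "__main__":
    for account, reason in find_residual_persistence(BASELINE, RESTORED, COMPROMISE_START):
        print(f"{account}: {reason}")
    print("trusted:", restore_is_trusted(BASELINE, RESTORED, COMPROMISE_START))
```

Each finding is a control gap to record, as the guidance above says, not noise to clean up silently: a backup that already contains the attacker's accounts means the restore point itself is inside the compromise window, and the runbook needs an older image or a manual rebuild of the affected objects. Extend the comparison to trusts, GPO links on the Domain Controllers OU, and the Entra Connect sync scope before treating the domain as tier-0 clean.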

What's in the full article

Semperis' full report covers the operational detail this post intentionally leaves for the source:

  • Executive visuals from the 2025 Ransomware Risk Report that break out identity compromise and recovery time by impact category
  • Holiday-risk coverage data that shows how weekend and holiday timing changes the staffing and response picture
  • Purple Knight posture benchmarks with remediation guidance, dates, and owners for measurable improvement
  • Identity crisis management resources that show how to organise out-of-band coordination when identity is under attack

👉 Read Semperis' report on ransomware identity recovery and board-ready resilience →
