Reports Point to Domain Controllers as Prime Ransomware Targets

A recent report from Microsoft reinforces warns of the critical role Active Directory (AD) domain controllers play in large-scale ransomware attacks, aligning with U.S. government advisories on the persistent threat of AD compromise.

In a blog post, Alon Rosental, Microsoft partner director of product management for endpoint security, detailed how attackers exploit domain controllers to escalate privileges and propagate ransomware, enabling widespread network disruption. The findings mirror a joint report (PDF) between National Security Agency and the Australian government released in late 2024, which called domain controller exploitation a real concern for enterprises.

"Active Directory can be misused by malicious actors to establish persistence in organizations," read the report. "Some persistence techniques allow malicious actors to log in to organizations remotely, even bypassing multi-factor authentication (MFA) controls."

Microsoft and the NSA both emphasize that domain controllers serve as a linchpin for attackers seeking to scale ransomware operations. Domain controllers are responsible for authenticating users, managing Group Policy and maintaining the AD database, making them uniquely powerful targets.

Microsoft's internal data shows that more than 78% of human-operated ransomware attacks involve domain controller breaches, with 35% of incidents using the domain controller as the primary system to distribute ransomware payloads.

The company recounted a recent incident where attackers targeted a small manufacturer with Akira ransomware. After securing domain admin credentials, they used Remote Desktop Protocol (RDP) to access the domain controller, initiating reconnaissance, policy tampering, and privilege escalation.

However, Microsoft Defender for Endpoint's automatic attack disruption detected the attack chain in real time. Per Rosental:

"To address this challenge, Defender for Endpoint introduced contain high value assets (HVA), an expansion of our contain device capability designed to automatically contain HVAs like domain controllers in a granular manner. This feature builds on Defender for Endpoint's capability to classify device roles and criticality levels to deliver a custom, role-based containment policy, meaning that if a sensitive device, such a domain controller, is compromised, it is immediately contained in less than three minutes, preventing the cyberattacker from moving laterally and deploying ransomware, while at the same time maintaining the operational functionality of the device."

The NSA recommends organizations implement Tiered Administrative Models, enforce Least Privilege principles, and conduct routine AD hygiene assessments, including auditing privileged groups and monitoring service account behaviors.

About the Author

Chris Paoli (@ChrisPaoli5) is the associate editor for Converge360.

Featured

  • geometric pattern featuring interconnected circuit-like lines, neural network nodes, and abstract technology symbols

    Innovate Tech X Launches Certified AI Engineer Pathway Program for High School Students

    Tech training provider Innovate Tech X has introduced a new Certified AI Engineer Pathway Program designed to help high school students attain in-demand skills and certifications in artificial intelligence.

  • smartphone with a glowing lock and shield icon at its center, surrounded by floating security symbols like a fingerprint, key, and authentication checkmark

    Jamf to Acquire Identity Automation, Pairing Identity and Device Management in One Platform

    Apple mobile device management company Jamf has announced it will acquire Identity Automation, a provider of identity and access management (IAM) solutions for K-12 and higher education.

  • teacher

    6 Policy Recommendations for Adopting AI in the Classroom

    The Southern Regional Education Board's Commission on AI in Education has published six recommendations on adopting artificial intelligence in schools, colleges, and universities. The guidance marks the commission's first release since it was established last February, with more recommendations planned in the coming year.

  • The AI Show

    Register for Free to Attend the World's Greatest Show for All Things AI in EDU

    The AI Show @ ASU+GSV, held April 5–7, 2025, at the San Diego Convention Center, is a free event designed to help educators, students, and parents navigate AI's role in education. Featuring hands-on workshops, AI-powered networking, live demos from 125+ EdTech exhibitors, and keynote speakers like Colin Kaepernick and Stevie Van Zandt, the event offers practical insights into AI-driven teaching, learning, and career opportunities. Attendees will gain actionable strategies to integrate AI into classrooms while exploring innovations that promote equity, accessibility, and student success.