Reports Point to Domain Controllers as Prime Ransomware Targets
A recent report from Microsoft reinforces warns of the critical role Active Directory (AD) domain controllers play in large-scale ransomware attacks, aligning with U.S. government advisories on the persistent threat of AD compromise.
In a blog post, Alon Rosental, Microsoft partner director of product management for endpoint security, detailed how attackers exploit domain controllers to escalate privileges and propagate ransomware, enabling widespread network disruption. The findings mirror a joint report (PDF) between National Security Agency and the Australian government released in late 2024, which called domain controller exploitation a real concern for enterprises.
"Active Directory can be misused by malicious actors to establish persistence in organizations," read the report. "Some persistence techniques allow malicious actors to log in to organizations remotely, even bypassing multi-factor authentication (MFA) controls."
Microsoft and the NSA both emphasize that domain controllers serve as a linchpin for attackers seeking to scale ransomware operations. Domain controllers are responsible for authenticating users, managing Group Policy and maintaining the AD database, making them uniquely powerful targets.
Microsoft's internal data shows that more than 78% of human-operated ransomware attacks involve domain controller breaches, with 35% of incidents using the domain controller as the primary system to distribute ransomware payloads.
The company recounted a recent incident where attackers targeted a small manufacturer with Akira ransomware. After securing domain admin credentials, they used Remote Desktop Protocol (RDP) to access the domain controller, initiating reconnaissance, policy tampering, and privilege escalation.
However, Microsoft Defender for Endpoint's automatic attack disruption detected the attack chain in real time. Per Rosental:
"To address this challenge, Defender for Endpoint introduced contain high value assets (HVA), an expansion of our contain device capability designed to automatically contain HVAs like domain controllers in a granular manner. This feature builds on Defender for Endpoint's capability to classify device roles and criticality levels to deliver a custom, role-based containment policy, meaning that if a sensitive device, such a domain controller, is compromised, it is immediately contained in less than three minutes, preventing the cyberattacker from moving laterally and deploying ransomware, while at the same time maintaining the operational functionality of the device."
The NSA recommends organizations implement Tiered Administrative Models, enforce Least Privilege principles, and conduct routine AD hygiene assessments, including auditing privileged groups and monitoring service account behaviors.