

Ransomware remains one of the most disruptive forms of cybercrime facing organisations today, with attacks continuing to increase in both frequency and impact. Modern ransomware operations are no longer limited to encrypting files on a single device. They are designed to spread rapidly across networks, disrupt critical services, and maximise leverage over the victim.
Attackers now routinely target shared infrastructure such as file servers, network shares, backups, and identity systems. Once initial access is gained, ransomware can enumerate mapped drives, access shared resources, and move laterally to encrypt or destroy data at scale. Many groups combine encryption with data theft, extortion, or deliberate data wiping to increase pressure on organisations to pay.
In enterprise environments, identity systems such as Active Directory are a primary enabler of this spread. When attackers gain privileged access, ransomware can be deployed across large parts of the organisation quickly and quietly, turning a single compromised device into a full-scale outage.
Earlier ransomware campaigns such as LockerGoga and Samas were among the first to demonstrate how Active Directory could be abused to spread ransomware at scale. Rather than relying on custom-built malware propagation mechanisms, these attacks showed that existing enterprise identity infrastructure could be used to move laterally and deploy ransomware across large environments.
Windows Server Active Directory (AD) is Microsoft’s identity and access management platform, commonly deployed as part of a hybrid identity environment. It centralises user authentication, applies configuration and security policies, and controls access to servers, workstations, and applications. Because of this central role, Active Directory remains a high-value target for attackers.
When privileged access to Active Directory is compromised, attackers can enumerate users, devices, and services, and use legitimate administrative tools to distribute ransomware across the organisation. These techniques often resemble normal administrative activity, allowing ransomware to spread with little or no immediate detection.
Even in organisations that have hardened domain controllers, Active Directory can still be compromised through end-user devices joined to the domain. Poorly secured workstations, excessive privileges, or weak identity controls can allow attackers to turn a single compromised device into a domain-wide ransomware event.
Ransomware attacks that use Active Directory for reconnaissance or propagation rely on privileged access to the directory. In many organisations, privileged AD accounts are poorly restricted, overused, or inadequately monitored, leaving the environment exposed to ransomware and other high-impact attacks.
Reducing the risk of ransomware spreading via Active Directory requires limiting how privileged access is granted, where it can be used, and how it is monitored. The following seven controls help protect privileged AD accounts and make it significantly harder for attackers to weaponise Active Directory:
Microsoft recommends keeping privileged accounts in an Active Directory domain to an absolute minimum. While Domain Admins and Enterprise Admins are the most obvious high-risk groups, they are not the only ones. Groups such as Schema Admins also grant extensive control and are frequently overlooked.
Tip: Audit all privileged AD groups regularly and remove unnecessary members.
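One way to run that audit, as an added example that is not part of the original article: it expands the membership of the high-privilege groups named above (plus the built-in Administrators, Account Operators and Backup Operators groups) and flags disabled or long-inactive accounts for removal review. It assumes the ActiveDirectory PowerShell module (RSAT) on a domain-joined host; the 90-day threshold and the output path are arbitrary choices.

```powershell
# Added example, not from the original article.
# Assumes the ActiveDirectory module (RSAT) and a domain-joined host.
Import-Module ActiveDirectory

# Groups the article calls out, plus built-in groups that also grant
# broad control over the directory and are just as often overlooked.
$privilegedGroups = @(
    'Domain Admins', 'Enterprise Admins', 'Schema Admins',
    'Administrators', 'Account Operators', 'Backup Operators'
)
$staleAfter = (Get-Date).AddDays(-90)   # arbitrary review threshold

$report = foreach ($group in $privilegedGroups) {
    # -Recursive expands nested groups so indirect members are not missed.
    # Enterprise Admins and Schema Admins exist only in the forest root
    # domain, so a group that cannot be resolved here is skipped.
    $members = try { Get-ADGroupMember -Identity $group -Recursive -ErrorAction Stop } catch { @() }
    foreach ($m in $members) {
        if ($m.objectClass -ne 'user') { continue }
        # LastLogonDate comes from the replicated lastLogonTimestamp and can
        # lag real activity by up to 14 days; good enough for a stale check.
        $u = Get-ADUser -Identity $m.distinguishedName -Properties LastLogonDate, PasswordLastSet
        [pscustomobject]@{
            Group           = $group
            SamAccountName  = $u.SamAccountName
            Enabled         = $u.Enabled
            LastLogonDate   = $u.LastLogonDate
            PasswordLastSet = $u.PasswordLastSet
            # Anything flagged here should prompt a removal review.
            Flag = $(if (-not $u.Enabled) { 'disabled' }
                     elseif (-not $u.LastLogonDate -or $u.LastLogonDate -lt $staleAfter) { 'stale' }
                     else { '' })
        }
    }
}

$report | Sort-Object Group, SamAccountName | Format-Table -AutoSize
# Keep the CSV as the audit record and diff it against the previous run.
$report | Export-Csv -Path ".\privileged-ad-members-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation
```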
Windows includes controls that reduce exposure of privileged credentials, such as the Protected Users group and Windows Defender Credential Guard. These controls are effective only when combined with strict operational discipline. Privileged AD accounts should be used exclusively on hardened systems intended for directory administration.
Tip: Use Privileged Access Workstations (PAWs) solely for tasks that require elevated AD privileges. Do not allow privileged accounts on standard user devices.
A break glass account provides emergency access to Active Directory in scenarios such as outages, credential lockout, or identity system failure. This account should be tightly controlled, excluded from normal authentication policies where required, and never used for routine administration.
Tip: Regularly test, audit, and rotate break glass credentials. Log and review every use. If it is being used casually, it is not a break glass account.
Microsoft now recommends limiting the use of domain accounts for managing end-user devices. Many organisations still grant remote access to client systems using domain user accounts, which increases the risk of Active Directory compromise if a device is breached.
If you use a solution such as Windows LAPS to randomise and regularly rotate the local administrator password on each device, you can avoid using domain accounts for routine remote support. Supporting end-user devices with local accounts reduces the likelihood that an attacker can escalate access from a compromised device into Active Directory.
Tip: Audit local administrator accounts and ensure each device has a unique local administrator password. Avoid using domain accounts for end-user device support wherever possible.
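A way to check that coverage, as an added example not taken from the original article: it lists domain-joined Windows devices that have no Windows LAPS-managed local administrator password, or whose LAPS password has passed its expiry time, so those devices can be fixed before a domain account is used to support them. It assumes the ActiveDirectory module and that the Windows LAPS schema extension has been applied (the msLAPS-* attributes exist).

```powershell
# Added example, not from the original article.
# Assumes the ActiveDirectory module and the Windows LAPS schema extension.
Import-Module ActiveDirectory

$nowUtc = (Get-Date).ToUniversalTime()
$computers = Get-ADComputer -Filter 'OperatingSystem -like "*Windows*"' `
    -Properties OperatingSystem, LastLogonDate, 'msLAPS-PasswordExpirationTime'

$report = foreach ($c in $computers) {
    # msLAPS-PasswordExpirationTime is stored as a FILETIME (100 ns ticks
    # since 1601 UTC); it is absent when LAPS has never set a password.
    $raw     = $c.'msLAPS-PasswordExpirationTime'
    $expires = if ($raw) { [DateTime]::FromFileTimeUtc([int64]$raw) } else { $null }
    $status  = if (-not $raw)               { 'NoLapsPassword' }
               elseif ($expires -lt $nowUtc) { 'Expired' }
               else                          { 'Ok' }
    [pscustomobject]@{
        Name        = $c.Name
        OS          = $c.OperatingSystem
        LastLogon   = $c.LastLogonDate
        LapsExpires = $expires
        Status      = $status
    }
}

# Only the devices that need attention; drop the filter for the full inventory.
$report | Where-Object Status -ne 'Ok' | Sort-Object Status, Name | Format-Table -AutoSize
```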
Passwords alone provide insufficient protection for privileged AD accounts. If credentials are stolen, attackers can reuse them without resistance. Microsoft states that multifactor authentication blocks the vast majority of automated credential-based attacks.
Multifactor authentication requires an additional factor beyond a password, such as a biometric prompt or a one-time passcode. Microsoft Entra ID MFA and compatible third-party solutions can be used to extend MFA protections to Active Directory environments.
Tip: Enforce MFA for all privileged AD accounts, including administrative and service accounts where supported.
Active Directory activity should be monitored for signs of misuse, just as endpoints are monitored for malicious processes. Windows Event Logs contain valuable signals that can indicate privilege abuse, reconnaissance, or lateral movement.
Security Information and Event Management (SIEM) platforms aggregate these logs and correlate them with threat intelligence to help identify suspicious behaviour early. While SIEM tools do not stop attacks on their own, they enable faster detection and response when supported by skilled monitoring and incident response processes.
Tip: Deploy SIEM with relevant threat intelligence and ensure events are actively monitored and acted upon.
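The kind of signal a SIEM rule should carry, shown here as an added example that is not part of the original article and serves both this section and the break glass guidance above: it reads a domain controller's Security log for accounts added to a privileged group, privileged accounts logging on from hosts that are not PAWs, and any use at all of the break glass account. It assumes the ActiveDirectory module and event log read rights on the DC; $PawHosts and $BreakGlass are placeholders to replace with the organisation's real values.

```powershell
# Added example, not from the original article.
# Assumes the ActiveDirectory module and Security log read rights on the DC.
Import-Module ActiveDirectory

$Dc         = [string](Get-ADDomainController -Discover).HostName
$Since      = (Get-Date).AddHours(-24)
$PawHosts   = @('PAW-01', 'PAW-02')      # placeholder: real PAW hostnames
$BreakGlass = 'breakglass-admin'         # placeholder: real break glass account
$PrivGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators')
$PrivUsers  = foreach ($g in $PrivGroups) {
    try { (Get-ADGroupMember -Identity $g -Recursive -ErrorAction Stop).SamAccountName } catch { }
}

# Read one named field out of an event's EventData XML.
function Get-EventField($Event, $Name) {
    ([xml]$Event.ToXml()).Event.EventData.Data |
        Where-Object Name -eq $Name | Select-Object -ExpandProperty '#text'
}

$filter = @{ LogName = 'Security'; Id = 4624, 4728, 4732, 4756; StartTime = $Since }
Get-WinEvent -ComputerName $Dc -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
    $e = $_
    switch ($e.Id) {
        # 4728/4732/4756: member added to a global/local/universal security group.
        { $_ -in 4728, 4732, 4756 } {
            $group = Get-EventField $e 'TargetUserName'
            if ($PrivGroups -contains $group) {
                [pscustomobject]@{ Time = $e.TimeCreated; Alert = 'PrivilegedGroupAdd'; Group = $group
                                   Member = (Get-EventField $e 'MemberName'); By = (Get-EventField $e 'SubjectUserName') }
            }
        }
        # 4624 on a DC only records logons to the DC itself; forward
        # workstation logs to a collector to see the rest of the estate.
        4624 {
            $user = Get-EventField $e 'TargetUserName'
            $ws   = Get-EventField $e 'WorkstationName'   # '-' for Kerberos logons; IpAddress is still set
            $ip   = Get-EventField $e 'IpAddress'
            if ($user -eq $BreakGlass) {
                [pscustomobject]@{ Time = $e.TimeCreated; Alert = 'BreakGlassUsed'; User = $user; Host = $ws; Ip = $ip }
            } elseif (($PrivUsers -contains $user) -and ($PawHosts -notcontains $ws)) {
                [pscustomobject]@{ Time = $e.TimeCreated; Alert = 'PrivilegedLogonOffPAW'; User = $user; Host = $ws; Ip = $ip }
            }
        }
    }
}
```

Each emitted object is one alert; pipe the output to Export-Csv or your SIEM's ingest endpoint rather than reading it at the console.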
A tiered administration model separates the management of high-risk systems from lower-risk environments to reduce attack paths. This approach limits how credentials can be exposed and reused across the domain.
This separation reduces the likelihood that a compromise of an end-user device can be escalated into full domain control.