Protecting Active Directory from ransomware: What IT teams can learn from the M&S and Co-op attacks

Frances Fenemore
The recent ransomware attacks on Marks & Spencer (M&S) and Co-op, two of the UK’s largest retailers, exposed a growing and dangerous trend: cybercriminal groups are targeting identity infrastructure—especially Active Directory (AD)—to quickly compromise entire environments.
Attributed to the Scattered Spider group, these attacks disrupted essential services, locked out users, and forced manual workarounds at scale.
Co-op’s systems were reportedly down for days, affecting both internal communications and customer-facing operations. M&S experienced a compromise of core Windows infrastructure, including the theft of the NTDS.dit file, which holds hashed credentials for the entire domain.
For IT and security teams, these breaches serve as a blueprint of how modern ransomware unfolds—and a warning of what’s at stake if AD isn’t secured.
How modern ransomware campaigns weaponize identity
The attack on M&S followed a familiar, highly effective pattern. Once inside the network, the threat actors located and exfiltrated the NTDS.dit file—the database containing all domain user credentials. Using offline cracking techniques, they converted these hashes into usable passwords, giving them unrestricted access to core systems.
At Co-op, although full technical details remain undisclosed, the impact was severe enough to disrupt internal workflows, payment systems, and store operations. In both cases, attackers escalated privileges rapidly and moved laterally using legitimate accounts and tools—minimizing detection.
These cases illustrate common weaknesses that attackers exploit:
- Weak passwords or reused credentials that are easy to crack offline
- No multi-factor authentication (MFA), making stolen passwords enough to gain access
- Excessive privileges, where even compromised user accounts can perform admin-level tasks
- Lack of real-time monitoring, allowing adversaries to move freely before triggering alerts
Why do cybercriminals target Active Directory for ransomware attacks?
Active Directory is the central nervous system for access across enterprise networks. It manages identity, authentication, access control, and user privileges across systems. Gaining control of AD gives attackers the keys to the kingdom — the ability to manipulate access, impersonate users, and disable defenses across the network.
When attackers gain access to AD, they can manipulate privileges, escalate rights, and move laterally across the network — often undetected until damage is done.
The recent wave of ransomware in April 2025, including the high-profile attacks on UK retailers, reflects a clear vulnerability: insufficient AD hardening. Many organizations still lack robust security and recovery plans for AD, leaving them exposed to devastating breaches.
To avoid this fate, security teams must take proactive steps to secure AD infrastructure.
How to protect Active Directory from ransomware in 2025
Here are four key steps organizations can take:
1. Avoid Domain Users in Local Admin Groups
Enforce least privilege and eliminate over-permissioned configurations that allow domain users unnecessary local admin rights — a major enabler of lateral movement.
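One way to find the over-permissioned configurations this step describes is to audit the local Administrators group on every domain-joined server for domain principals that are not on an approved list. The script below is an added example, not Delinea's or the retailers' code; it assumes the RSAT ActiveDirectory module, WinRM access to the servers, and a constructed allow-list of group names that you replace with your own.

```powershell
# Added example: find domain user accounts (and unapproved domain groups) holding
# membership in the local Administrators group on domain-joined Windows servers.
# Assumptions: ActiveDirectory module installed, WinRM reachable, and the
# $allowedAdmins entries below are placeholders for your approved admin groups.
Import-Module ActiveDirectory

$allowedAdmins = @('CONTOSO\Domain Admins', 'CONTOSO\Tier1-Server-Admins')  # placeholders

# Enabled server-class computer objects; DNSHostName is returned by default.
$servers = Get-ADComputer -Filter "OperatingSystem -like '*Server*' -and Enabled -eq 'True'" |
           Select-Object -ExpandProperty DNSHostName

# Collect Administrators membership remotely. PrincipalSource distinguishes domain
# principals from local accounts (populated on Windows 10 / Server 2016 and later).
# -ErrorAction SilentlyContinue skips hosts that are offline or have orphaned SIDs,
# which Get-LocalGroupMember cannot resolve.
$members = Invoke-Command -ComputerName $servers -ErrorAction SilentlyContinue -ScriptBlock {
    Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
        Where-Object { $_.PrincipalSource -eq 'ActiveDirectory' } |
        ForEach-Object {
            [pscustomobject]@{
                Server      = $env:COMPUTERNAME
                Member      = $_.Name          # DOMAIN\account
                ObjectClass = $_.ObjectClass   # 'User' or 'Group'
            }
        }
}

# A direct domain user in Administrators is always a finding; a domain group is a
# finding only when it is not on the approved list.
$findings = $members | Where-Object {
    $_.ObjectClass -eq 'User' -or $_.Member -notin $allowedAdmins
}

$findings | Sort-Object Server, Member | Format-Table -AutoSize
$findings | Export-Csv -Path '.\local-admin-findings.csv' -NoTypeInformation
```

Run it from a management host with an account that can read AD and administer the target servers; the CSV gives you a remediation list to work through with Group Policy Restricted Groups or a PAM elevation policy.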
2. Fortify RDP with privileged access controls
Remote Desktop Protocol (RDP) remains a common entry point. Enforcing MFA and access control through a privileged access solution is essential to preventing brute-force and credential stuffing attacks.
3. Use Active Directory bridging across platforms
For hybrid environments spanning Windows, Linux, and Unix, Active Directory Bridging ensures consistent identity governance, allowing you to enforce least privilege controls across all systems.
4. Move Beyond Vaulting — Enforce Real-Time Access Controls
Vaulting credentials is an essential first step. But to truly stop attacks like those seen at M&S and Co-op, organizations need to go further.
Break the attack chain with a trusted PAM provider
The M&S and Co-op breaches are proof that identity infrastructure is now a top target. Ransomware groups are getting faster, stealthier, and more focused—and Active Directory is almost always part of the plan.
Implementing effective Active Directory security and privileged access controls can be complex and resource-intensive, especially for lean IT teams already stretched thin. Partnering with a trusted PAM provider like Delinea can help you accelerate your security initiatives and reduce risk.
Delinea’s Privilege Control for Servers (PCS) provides a powerful combination of Active Directory bridging and privileged access enforcement to help organizations secure their most critical infrastructure across Windows, Linux, and Unix environments.
PCS enables centralized identity management through advanced AD bridging, delivering real-time visibility across site topologies, domain controllers, and user activity. This allows for consistent access policies and deeper insight at the server level.
Beyond visibility, PCS delivers the access control needed to stop modern threats in their tracks. With PCS, you can:
- Enforce MFA at every server logon
- Prevent unauthorized lateral movement and privilege elevation
- Control access and elevation independently of Active Directory, making it impossible for attackers to exploit native AD privileges
With PCS, you can enforce least privilege, monitor privileged sessions in real time, and break the ransomware attack chain before it starts.
To further strengthen your Active Directory security posture, Delinea’s Continuous Infrastructure Discovery (CID) for Active Directory provides a critical third layer of defense. It enables organizations to continuously monitor for emerging risks, such as new or hidden privileged accounts that could bypass PAM controls.
A recommended three-step strategy:
1. Vault the domain admin accounts using the Delinea Platform
2. Protect Active Directory servers with Privilege Control for Servers (PCS)
3. Monitor for new domain and shadow admins—especially those attempting to bypass PAM—using CID for Active Directory
This layered defense approach delivers end-to-end protection — from locking down credentials, to controlling access in real time, to detecting suspicious privilege escalation before it becomes a breach.
Don't wait until it's too late. Take proactive steps to harden your Active Directory environment and protect your organization from devastating ransomware attacks. Request a trial of Delinea Privilege Control for Servers today to see how it can help you secure privileged access and keep threat actors at bay.