
Securing Active Directory to Reduce Ransomware Attacks: A Quick Primer


Ransomware attacks are increasing in size and complexity, putting organizations across all industries at risk for account lockouts, extortion attempts, and data loss. In fact, the latest research indicates ransomware attacks are up by 80% year-over-year.


In large part, this is because most ransomware families (a family being a lineage of related malware variants and the tooling used to deploy them) are now run as ransomware-as-a-service operations, which let affiliates with little technical expertise carry out attacks.

In an alarming development, cybercriminals are increasingly targeting Microsoft Active Directory. This is a serious threat, because an intruder who compromises the directory effectively owns every system that trusts it.

Read on to learn more about the link between ransomware and Active Directory, as well as some actionable tips that you can use to harden your environment from Active Directory ransomware attacks.

Why cybercriminals target Active Directory for ransomware attacks

The main reason cybercriminals target Active Directory is that it is the gateway to the rest of the network: it is the service that authenticates users and computers, groups them, applies policy to them, and controls what they may access across a corporate domain.

Users and computers rely on Active Directory to access various network resources. As such, cybercriminals understand that ransomware attacks on Active Directory can wreak havoc on any organization, making it an excellent extortion mechanism.


Does ransomware encrypt Active Directory?

Ransomware doesn’t normally encrypt the directory itself. Rather, attackers abuse Active Directory to reach and encrypt connected hosts and domain-joined systems, for example by pushing the payload with stolen domain admin credentials or through Group Policy. Two popular ransomware families that target AD in this way are LockBit 2.0 and BlackMatter.

In a typical Active Directory ransomware attack, bad actors gain initial access by phishing for user credentials, then escalate privileges and move laterally toward the servers. The end goal is to obtain domain administrative rights and compromise a domain controller.

If an attacker is successful, they essentially own the network and gain access to all its servers and data. Every domain controller holds a writable copy of the Active Directory Domain Services (AD DS) database, which stores all of the domain's objects (users, computers, groups, and policies) and provides authentication and authorization for them. Whoever controls a domain controller can act as any account in the domain.

Despite this clear and present threat, many companies still lack Active Directory security and recovery plans. This makes recovering from a ransomware attack very difficult.

To avoid that fate, companies should strongly consider taking active measures to harden their Active Directory deployments and protect them from sophisticated ransomware attacks.

How to protect Active Directory from ransomware attacks

As we point out in our Active Directory hardening whitepaper, there are multiple common Active Directory misconfigurations that hackers look to exploit. As such, security teams need to build a comprehensive Active Directory strategy that encompasses multiple areas.

With that in mind, let’s examine a few strategies you can use to protect your Active Directory from ransomware attacks.

1. Avoid adding Domain Users to the Local Administrator Group

Hackers often look for misconfigured systems where the Domain Users group is a member of the local Administrators group, because that makes every domain account an administrator of that machine. Such systems let bad actors move laterally within a network, elevating privileges and harvesting credentials along the way.

For this reason, it’s a good idea to avoid adding Domain Users to the local Administrators group in the first place. Instead, apply least-privilege access controls with just-in-time privilege elevation, so that admins receive limited elevated rights only when necessary. You should also scan continuously to detect and eliminate potential misconfigurations.
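As an added example (not from the original article and not Delinea's code), the following PowerShell audits the local Administrators group on a set of domain-joined hosts and flags any entry that is a domain's Domain Users group (well-known RID 513) or any other Active Directory group. The host names WS01 and WS02 are placeholders; the script assumes WinRM is enabled on the targets, that the caller is an administrator on them, and that they run Windows PowerShell 5.1 or later, which provides Get-LocalGroupMember.

```powershell
# Added example, not the article's or Delinea's code. Audit the local
# Administrators group on domain-joined hosts and flag Domain Users (RID 513)
# and any other domain group found there. Host names are placeholders.
# Assumptions: WinRM is enabled on the targets, the caller is an administrator
# on them, and they run Windows PowerShell 5.1 or later (Get-LocalGroupMember).
param(
    [string[]]$ComputerName = @('WS01', 'WS02'),  # hypothetical hosts
    [switch]$Remediate                            # remove Domain Users when set
)

$results = Invoke-Command -ComputerName $ComputerName -ArgumentList $Remediate.IsPresent -ScriptBlock {
    param([bool]$Remediate)
    foreach ($member in Get-LocalGroupMember -Group 'Administrators') {
        # A domain's Domain Users group always has the well-known RID 513, so
        # matching on the SID suffix is more reliable than matching on the name.
        $isDomainUsers = $member.SID.Value -match '-513$'
        # Any AD group in Administrators deserves review: its membership is
        # controlled elsewhere and may contain far more accounts than intended.
        $isDomainGroup = ($member.ObjectClass -eq 'Group') -and
                         ($member.PrincipalSource -eq 'ActiveDirectory')
        $removed = $false
        if ($isDomainUsers -and $Remediate) {
            Remove-LocalGroupMember -Group 'Administrators' -Member $member -ErrorAction Stop
            $removed = $true
        }
        [pscustomobject]@{
            Computer      = $env:COMPUTERNAME
            Member        = $member.Name
            SID           = $member.SID.Value
            IsDomainUsers = $isDomainUsers
            IsDomainGroup = $isDomainGroup
            Removed       = $removed
        }
    }
}

# Risky entries first; the full $results inventory is kept for review
$results | Where-Object { $_.IsDomainUsers -or $_.IsDomainGroup } |
    Sort-Object Computer, Member |
    Format-Table Computer, Member, SID, IsDomainUsers, IsDomainGroup, Removed -AutoSize
```

Run it without -Remediate first and review the output. Get-LocalGroupMember does not expand nested groups, so a domain group that itself contains Domain Users shows up only as IsDomainGroup and needs a manual look, and it can fail on a host whose Administrators group contains an orphaned SID, so such hosts need cleaning up before the audit can report on them.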

2. Fortify your Remote Desktop Protocol

It’s also common for attackers to brute-force weak credentials on endpoints that expose Remote Desktop Protocol (RDP), particularly hosts reachable from the internet. A successful guess gives the attacker an interactive session on that host with the rights of the guessed account, and a foothold for lateral movement.

To protect against brute-force RDP attacks, keep RDP off the public internet (put it behind a VPN or a remote desktop gateway), require Network Level Authentication, enforce an account lockout policy, and always deploy strong multi-factor authentication and privileged access security. We also advise monitoring failed logons continuously so that brute-force and password-spraying attempts are detected and stopped before they cascade across the network.
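As an added example (not from the original article), the following PowerShell summarises failed logons recorded as Security event 4625 on an RDP host over the last hour, flags source addresses that exceed a failure threshold, checks that the RDP listener requires Network Level Authentication, and prints the account lockout threshold. The one-hour window and the threshold of 20 failures are assumptions to tune for your environment, and the script must run elevated because reading the Security log requires it.

```powershell
# Added example, not the article's code. Summarise failed logons (event 4625)
# per source address, flag noisy sources, then check RDP requires NLA and that
# an account lockout threshold is set.
# Assumptions: run elevated on the RDP host; window and threshold are tuning knobs.
$Window    = (Get-Date).AddHours(-1)
$Threshold = 20

$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $Window } `
    -ErrorAction SilentlyContinue

$failures = foreach ($e in $events) {
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($item in $xml.Event.EventData.Data) { $data[$item.Name] = $item.'#text' }
    # LogonType 10 is RemoteInteractive (RDP without NLA). When NLA is enabled the
    # CredSSP pre-authentication failure is logged as LogonType 3, so keep both.
    if ($data['LogonType'] -in @('3', '10')) {
        [pscustomobject]@{
            Time      = $e.TimeCreated
            Source    = $data['IpAddress']
            User      = $data['TargetUserName']
            LogonType = $data['LogonType']
            SubStatus = $data['SubStatus']   # 0xC000006A = bad password, 0xC0000064 = unknown user
        }
    }
}

# Group by source address; many distinct users from one source indicates password spraying
$suspects = $failures | Group-Object Source | Where-Object { $_.Count -ge $Threshold } | ForEach-Object {
    $ordered = $_.Group | Sort-Object Time
    [pscustomobject]@{
        Source      = $_.Name
        Failures    = $_.Count
        UniqueUsers = @($_.Group.User | Sort-Object -Unique).Count
        FirstSeen   = $ordered[0].Time
        LastSeen    = $ordered[-1].Time
    }
}
$suspects | Sort-Object Failures -Descending | Format-Table -AutoSize

# Network Level Authentication: UserAuthentication = 1 means the client must
# authenticate (CredSSP) before a session is created, which blunts brute forcing
# of the logon screen and unauthenticated attacks on the RDP stack.
$rdpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$rdp = Get-ItemProperty -Path $rdpKey -Name UserAuthentication
if ($rdp.UserAuthentication -ne 1) {
    Write-Warning "RDP on $env:COMPUTERNAME does not require NLA. Fix with:"
    Write-Warning "Set-ItemProperty -Path '$rdpKey' -Name UserAuthentication -Value 1"
}

# Account lockout: with a threshold of 'Never' an attacker can guess indefinitely
net accounts | Select-String 'Lockout threshold'
```

On a domain-joined host the effective lockout threshold comes from Group Policy, so fix a value of Never in the Default Domain Policy rather than with net accounts on the host. Failures whose IpAddress field is empty or "-" usually come from a local process or from a client connecting through a gateway, and should be investigated at the gateway instead.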

3. Use Active Directory Bridging

Active Directory Bridging extends Active Directory authentication to non-Windows operating systems, so users log in to Linux and Unix hosts with their Active Directory credentials and the same Active Directory groups and policies apply across Windows, Linux, and Unix IT systems and devices.

Bridging boosts Active Directory ransomware protection by eliminating local identity sprawl: users authenticate to every system with a single Active Directory identity instead of a collection of local accounts with their own passwords. This significantly reduces the attack surface by leaving fewer entry points for attackers, and it simplifies access compliance reporting.

In addition, bridging helps establish a unified privileged access management (PAM) strategy with centralized cross-platform access policy administration, tight access and privilege control, and identity consolidation. When it comes down to it, unified PAM is critical for preventing Active Directory ransomware attacks.

Break the ransomware attack chain with Delinea

Many companies use Active Directory bridging solutions that provide only surface-level visibility and control. In other words, basic bridging solutions lack the intelligence needed to see and navigate all the forests, trees, domains, and nested groups in an Active Directory environment.

Delinea offers advanced Active Directory bridging through the Server Suite, an on-prem PAM service for Linux, Unix, and Windows systems. Server Suite leverages the Active Directory Global Catalog to achieve real-time awareness across site topologies and domain controllers. Server Suite also simplifies identity and access management, makes it easier to enforce the principle of least privilege, and provides deeper visibility at the server level.

To learn more about how Server Suite can help you keep bad actors away from Active Directory, request a trial today.
