{"id":138286,"date":"2025-04-09T09:00:00","date_gmt":"2025-04-09T16:00:00","guid":{"rendered":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/?p=138286"},"modified":"2025-04-15T16:17:50","modified_gmt":"2025-04-15T23:17:50","slug":"how-cyberattackers-exploit-domain-controllers-using-ransomware","status":"publish","type":"post","link":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2025\/04\/09\/how-cyberattackers-exploit-domain-controllers-using-ransomware\/","title":{"rendered":"How cyberattackers exploit domain controllers using ransomware"},"content":{"rendered":"\n<p>In recent years, human-operated cyberattacks have undergone a dramatic transformation. These attacks, once characterized by sporadic and opportunistic attacks, have evolved into highly sophisticated, targeted campaigns aimed at causing maximum damage to organizations, with the average cost of a ransomware attack reaching $9.36 million in 2024.<sup>1<\/sup> A key catalyst to this evolution is the rise of ransomware as a primary tool for financial extortion\u2014an approach that hinges on crippling an organization\u2019s operations by encrypting critical data and demanding a ransom for its release. <a href=\"https:\/\/www.microsoft.com\/security\/business\/endpoint-security\/microsoft-defender-endpoint\">Microsoft Defender for Endpoint<\/a>&nbsp;disrupts ransomware attacks in an average of three minutes, only kicking in when more than 99.99% confident&nbsp;in the presence of a cyberattack.<\/p>\n\n\n\n<div class=\"wp-block-buttons is-content-justification-center is-layout-flex wp-container-core-buttons-is-layout-1 wp-block-buttons-is-layout-flex\">\n<div class=\"wp-block-button has-custom-width wp-block-button__width-75 btn-primary\"><a class=\"wp-block-button__link wp-element-button\" href=\"https:\/\/www.microsoft.com\/security\/business\/endpoint-security\/microsoft-defender-endpoint\">Disrupt ransomware with Microsoft Defender for Endpoint<\/a><\/div>\n<\/div>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"the-evolution-of-ransomware-attacks\">The evolution of ransomware attacks<\/h2>\n\n\n<div class=\"wp-block-msxcm-kicker-container\">\n\t<div class=\" wp-block-msxcm-kicker-block wp-block-msxcm-kicker--align-right\" data-bi-an=\"Kicker Right\">\n\t\t<p class=\"wp-block-msxcm-kicker__title small text-neutral-400 text-uppercase\">\n\t\t\tWhat is ransomware?\t\t<\/p>\n\t\t<a\n\t\t\tclass=\"wp-block-msxcm-kicker__cta btn btn-link p-0 text-decoration-none\"\n\t\t\thref=\"https:\/\/www.microsoft.com\/en-us\/security\/business\/security-101\/what-is-ransomware\"\n\t\t\t\t\t>\n\t\t\t<span>Learn more<\/span> <span class=\"glyph-append glyph-append-xsmall wp-block-msxcm-kicker__glyph glyph-append-go\"><\/span>\n\t\t<\/a>\n\t<\/div>\n<\/div>\n\n\n\n<p>Modern ransomware campaigns are meticulously planned. Cyberattackers understand that their chances of securing a ransom increase significantly if they can inflict widespread damage across a victim\u2019s environment. The rationale is simple: paying the ransom becomes the most viable option when the alternative\u2014restoring the environment and recovering data\u2014is technically unfeasible, time-consuming, and costly. <\/p>\n\n\n\n<p>This level of damage happens in minutes and even seconds, where bad actors embed themselves within an organization\u2019s environment, laying the groundwork for a coordinated cyberattack that can encrypt dozens, hundreds, or even thousands of devices within <strong>minutes<\/strong>. To execute such a campaign, threat actors must overcome several challenges such as evading protection, mapping the network, maintaining their code execution ability, and preserving persistency in the environment, building their way to securing <strong>two major prerequisites<\/strong> necessary to execute ransomware on multiple devices simultaneously:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>High-privilege accounts<\/strong>: Whether cyberattackers choose to drop files and encrypt the devices locally or perform remote operations over the network, they must obtain the ability to authenticate to a device. In an on-premises environment, cyberattackers usually target domain admin accounts or other high-privilege accounts, as those can authenticate to the most critical resources in the environment.  <\/li>\n\n\n\n<li><strong>Access to central network assets<\/strong>: To execute the ransomware attack as fast and as wide as possible, threat actors aim to achieve access to a central asset in the network that is exposed to many endpoints. Thus, they can leverage the possession of high-privilege accounts and connect to all devices visible in their line of sight.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"the-role-of-domain-controllers-in-ransomware-campaigns\">The role of domain controllers in ransomware campaigns<\/h2>\n\n\n\n<p>Domain controllers are the backbone of any on-premises environment, managing identity and access through Active Directory (AD). They play a pivotal role in enabling cyberattackers to achieve their goals by fulfilling two critical requirements: <\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"1-compromising-highly-privileged-accounts\">1. Compromising highly privileged accounts<\/h3>\n\n\n\n<p>Domain controllers house the AD database, which contains sensitive information about all user accounts, including highly privileged accounts like domain admins. By compromising a domain controller, threat actors can: <\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Extract password hashes<\/strong>: Dumping the NTDS.dit file allows cyberattackers to obtain password hashes for every user account.  <\/li>\n\n\n\n<li><strong>Create and elevate privileged accounts<\/strong>: Cyberattackers can generate new accounts or manipulate existing ones, assigning them elevated permissions, ensuring continued control over the environment.  <\/li>\n<\/ul>\n\n\n\n<p>\n  With these capabilities, cyberattackers can authenticate as highly privileged users, facilitating lateral movement across the network. This level of access enables them to deploy ransomware on a scale, maximizing the impact of their attack.\n<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"2-exploiting-centralized-network-access\">2. Exploiting centralized network access<\/h3>\n\n\n\n<p>\n  Domain controllers handle crucial tasks like authenticating users and devices, managing user accounts and policies, and keeping the AD database consistent across the network. Because of these important roles, many devices need to interact with domain controllers regularly to ensure security, efficient resource management, and operational continuity. That&#8217;s why domain controllers need to be central in the network and accessible to many endpoints, making them a prime target for cyberattackers looking to cause maximum damage with ransomware attacks.\n<\/p>\n\n\n\n<p>\n  Given these factors, it\u2019s no surprise that domain controllers are frequently at the center of ransomware operations. Cyberattackers consistently target them to gain privileged access, move laterally, and rapidly deploy ransomware across an environment. We\u2019ve seen in <strong>more than 78% of human-operated cyberattacks, threat actors successfully breach a domain controller<\/strong>. Additionally, <strong>in more than 35% of cases, the primary spreader device\u2014the system responsible for distributing ransomware at scale\u2014is a domain controller,<\/strong> highlighting its crucial role in enabling widespread encryption and operational disruption.\n<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"case-study-ransomware-attack-using-a-compromised-domain-controller\">Case study: Ransomware attack using a compromised domain controller<\/h2>\n\n\n\n<p>In one notable case, a small-medium manufacturer fell victim to a well-known, highly skilled threat actor attempting to execute a widespread Akira ransomware attack: <\/p>\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2025\/04\/SecurityBlog_Ransomwaregraphic-Edited-Slide-for-ransmoware-blog-2-1024x576.webp\" alt=\"How Microsoft Defender for Endpoint's automatic attack disruption helped contain a widespread ransomware attack.\" class=\"wp-image-138490 webp-format\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2025\/04\/SecurityBlog_Ransomwaregraphic-Edited-Slide-for-ransmoware-blog-2-1024x576.webp 1024w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2025\/04\/SecurityBlog_Ransomwaregraphic-Edited-Slide-for-ransmoware-blog-2-300x169.webp 300w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2025\/04\/SecurityBlog_Ransomwaregraphic-Edited-Slide-for-ransmoware-blog-2-768x432.webp 768w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2025\/04\/SecurityBlog_Ransomwaregraphic-Edited-Slide-for-ransmoware-blog-2-615x346.webp 615w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2025\/04\/SecurityBlog_Ransomwaregraphic-Edited-Slide-for-ransmoware-blog-2-336x189.webp 336w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2025\/04\/SecurityBlog_Ransomwaregraphic-Edited-Slide-for-ransmoware-blog-2-189x106.webp 189w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2025\/04\/SecurityBlog_Ransomwaregraphic-Edited-Slide-for-ransmoware-blog-2-630x354.webp 630w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2025\/04\/SecurityBlog_Ransomwaregraphic-Edited-Slide-for-ransmoware-blog-2.webp 1280w\" data-orig-src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2025\/04\/SecurityBlog_Ransomwaregraphic-Edited-Slide-for-ransmoware-blog-2-1024x576.webp\"><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"pre-domain-compromise-activity\">Pre domain-compromise activity<\/h3>\n\n\n\n<p>After gaining initial access, presumably through leveraging the customer\u2019s VPN infrastructure, and prior to obtaining domain admin privileges, the cyberattackers initiated a series of actions focused on mapping potential assets and escalating privileges. A wide, remote execution of secrets dump is detected on <a href=\"https:\/\/www.microsoft.com\/security\/business\/endpoint-security\/microsoft-defender-endpoint\">Microsoft Defender for Endpoint<\/a>-onboarded devices and User 1 (domain user) is contained by attack disruption.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"post-domain-compromise-activity\">Post domain-compromise activity<\/h3>\n\n\n\n<p>\n  Once securing domain admin (User 2) credentials, potentially through leveraging the victim\u2019s non-onboarded estate, the attacker immediately attempts to connect to the victim\u2019s domain controller (DC1) using Remote Desktop Protocol (RDP) from the cyberattacker&#8217;s controlled device. When gaining access to DC1, the cyberattacker leverages the device to perform the following set of actions:\n<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Reconnaissance<\/strong>\u2014The cyberattacker leverages the domain controller\u2019s wide network visibility and high privileges to map the network using different tools, focusing on servers and network shares.  <\/li>\n\n\n\n<li><strong>Defense evasion<\/strong>\u2014Leveraging the domain controller\u2019s native group policy functionality, the cyberattacker attempts to tamper with the victim\u2019s antivirus by modifying security-related group policy settings.   <\/li>\n\n\n\n<li><strong>Persistence<\/strong>\u2014The cyberattacker leverages the direct access to Active Directory, creating new domain users (User 3 and User 4) and adding them to the domain admin group, thus establishing a set of highly privileged users that would later on be used to execute the ransomware attack.<strong> <\/strong><\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"encryption-over-the-network\">Encryption over the network<\/h3>\n\n\n\n<p>Once the cyberattacker takes control over a set of highly privileged users, this provides them access to any domain-joined resource, including comprehensive network access and visibility. It will also allow them to set up tools for the encryption phase of the cyberattack. <\/p>\n\n\n\n<p>Assuming they\u2019re able to validate a domain controller&#8217;s effectiveness, they begin by running the payload locally on the domain controller. Attack disruption detects the threat actor\u2019s attempt to run the payload and contains User 2, User 3, and the cyberattacker-controlled device used to RDP to the domain controller. <\/p>\n\n\n\n<p>\n  After successfully containing Users 2 and 3, the cyberattacker proceeded to log in to the domain controller using User 4, who had not yet been utilized. After logging into the device, the cyberattacker attempted to encrypt numerous devices over the network from the domain controller, leveraging the access provided by User 4. \n<\/p>\n\n\n\n<p>\n  Attack disruption detects the initiation of encryption over the network and automatically granularly contains device DC1 and User 4, blocking the attempted remote encryption on all Microsoft Defender for Endpoint-onboarded and targeted devices. \n<\/p>\n\n\n\n<div class=\"wp-block-buttons is-content-justification-center is-layout-flex wp-container-core-buttons-is-layout-2 wp-block-buttons-is-layout-flex\">\n<div class=\"wp-block-button has-custom-width wp-block-button__width-75 btn-primary\"><a class=\"wp-block-button__link wp-element-button\" href=\"https:\/\/www.microsoft.com\/security\/business\/endpoint-security\/microsoft-defender-endpoint\">Help secure endpoints with Microsoft Defender for Endpoint<\/a><\/div>\n<\/div>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"protecting-your-domain-controllers\">Protecting your domain controllers<\/h2>\n\n\n\n<p>Given the central role of domain controllers in ransomware attacks, protecting them is critical to preventing large-scale damage. However, securing domain controllers is particularly challenging due to their fundamental role in network operations. Unlike other endpoints, domain controllers must remain highly accessible to authenticate users, enforce policies, and manage resources across the environment. This level of accessibility makes it difficult to apply traditional security measures without disrupting business continuity. Hence, security teams constantly face the complex challenge of striking the right balance between security and operational functionality. <\/p>\n\n\n\n<p>To address this challenge, Defender for Endpoint introduced contain high value assets (HVA), an expansion of our contain device capability designed to automatically contain HVAs like domain controllers in a granular manner. This feature builds on Defender for Endpoint\u2019s capability to classify device roles and criticality levels to deliver a custom, role-based containment policy, meaning that if a sensitive device, such a domain controller, is compromised, it is immediately contained in less than three minutes, preventing the cyberattacker from moving laterally and deploying ransomware, while at the same time maintaining the operational functionality of the device. The ability of the domain controller to distinguish between malicious and benign behavior helps keep essential authentication and directory services up and running. This approach provides rapid, automated cyberattack containment without sacrificing business continuity, allowing organizations to stay resilient against sophisticated human-operated cyberthreats.<\/p>\n\n\n\n<p>Now your organization\u2019s domain controllers can leverage automatic attack disruption as an extra line of defense against malicious actors trying to overtake high value assets and exert costly ransomware attacks. <\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"learn-more\">Learn more<\/h2>\n\n\n\n<p>\n  Explore these resources to stay updated on the latest automatic attack disruption capabilities:\n<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Learn more about <a href=\"https:\/\/www.microsoft.com\/security\/business\/endpoint-security\/microsoft-defender-endpoint\">Microsoft Defender for Endpoint<\/a>.<\/li>\n\n\n\n<li>Read about the <a href=\"https:\/\/aka.ms\/containIP-HVA\">new containment features<\/a>.<\/li>\n\n\n\n<li>Learn how attack disruption safeguards your domain controllers in this <a href=\"https:\/\/www.youtube.com\/watch?v=BUGoxeoSffs\">video<\/a>.<\/li>\n\n\n\n<li>Check out our latest <a href=\"https:\/\/aka.ms\/disruptinfo\">infographic<\/a>.<\/li>\n\n\n\n<li>Read about <a href=\"https:\/\/aka.ms\/disruptdocs\">automatic attack disruption<\/a>.<\/li>\n<\/ul>\n\n\n\n<p>To learn more about Microsoft Security solutions, visit our&nbsp;<a href=\"https:\/\/www.microsoft.com\/en-us\/security\/business\" target=\"_blank\">website.<\/a>&nbsp;Bookmark the&nbsp;<a href=\"https:\/\/www.microsoft.com\/security\/blog\/\" target=\"_blank\">Security blog<\/a>&nbsp;to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (<a href=\"https:\/\/www.linkedin.com\/showcase\/microsoft-security\/\">Microsoft Security<\/a>) and X (<a href=\"https:\/\/twitter.com\/@MSFTSecurity\" target=\"_blank\">@MSFTSecurity<\/a>)&nbsp;for the latest news and updates on cybersecurity.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<p><sup>1<\/sup><a href=\"https:\/\/www.statista.com\/statistics\/273575\/us-average-cost-incurred-by-a-data-breach\/#:~:text=Average%20cost%20per%20data%20breach%20in%20the%20United%20States%202006%2D2024&amp;text=As%20of%202024%2C%20the%20average,million%20U.S.%20dollars%20in%202024.\" target=\"_blank\" rel=\"noreferrer noopener\">Average cost per data breach in the United States 2006-2024<\/a>, Ani Petrosyan. October 10, 2024.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Read how cyberattackers exploit domain controllers to gain privileged system access where they deploy ransomware that causes widespread damage and operational disruption.<\/p>\n","protected":false},"author":162,"featured_media":138294,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"ms_queue_id":[],"ep_exclude_from_search":false,"_classifai_error":"","_classifai_text_to_speech_error":"","footnotes":""},"content-type":[3661],"topic":[3670,3679,3688],"products":[3690,3694],"threat-intelligence":[],"tags":[3802],"coauthors":[4388],"class_list":["post-138286","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","content-type-industry-trends","topic-device-management","topic-network-security","topic-threat-trends","products-microsoft-defender","products-microsoft-defender-for-endpoint","tag-ransomware","review-flag-1694638271-781","review-flag-1-1694638265-354","review-flag-2-1694638266-864","review-flag-3-1694638266-241","review-flag-4-1694638266-512","review-flag-9-1694638266-118","review-flag-lever-1694638263-909","review-flag-new-1694638263-340"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v24.7 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>How cyberattackers exploit domain controllers using ransomware | Microsoft Security Blog<\/title>\n<meta name=\"description\" content=\"Cyberattackers exploit domain controllers to gain privileged system access where they deploy ransomware that causes widespread damage and operational disruption.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2025\/04\/09\/how-cyberattackers-exploit-domain-controllers-using-ransomware\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"How cyberattackers exploit domain controllers using ransomware | Microsoft Security Blog\" \/>\n<meta property=\"og:description\" content=\"Cyberattackers exploit domain controllers to gain privileged system access where they deploy ransomware that causes widespread damage and operational disruption.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2025\/04\/09\/how-cyberattackers-exploit-domain-controllers-using-ransomware\/\" \/>\n<meta property=\"og:site_name\" content=\"Microsoft Security Blog\" \/>\n<meta property=\"article:published_time\" content=\"2025-04-09T16:00:00+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2025-04-15T23:17:50+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2025\/04\/Security_1040100_Blog_250403-scaled.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"2560\" \/>\n\t<meta property=\"og:image:height\" content=\"1333\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Alon Rosental\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:image\" content=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2025\/04\/Security_1040100_Blog_250403-scaled.jpg\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Alon Rosental\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"6 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2025\/04\/09\/how-cyberattackers-exploit-domain-controllers-using-ransomware\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2025\/04\/09\/how-cyberattackers-exploit-domain-controllers-using-ransomware\/\"},\"author\":[{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/author\/alon-rosental\/\",\"@type\":\"Person\",\"@name\":\"Alon Rosental\"}],\"headline\":\"How cyberattackers exploit domain controllers using ransomware\",\"datePublished\":\"2025-04-09T16:00:00+00:00\",\"dateModified\":\"2025-04-15T23:17:50+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2025\/04\/09\/how-cyberattackers-exploit-domain-controllers-using-ransomware\/\"},\"wordCount\":1503,\"publisher\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#organization\"},\"image\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2025\/04\/09\/how-cyberattackers-exploit-domain-controllers-using-ransomware\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2025\/04\/Security_1040100_Blog_250403-scaled.jpg\",\"keywords\":[\"Ransomware\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2025\/04\/09\/how-cyberattackers-exploit-domain-controllers-using-ransomware\/\",\"url\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2025\/04\/09\/how-cyberattackers-exploit-domain-controllers-using-ransomware\/\",\"name\":\"How cyberattackers exploit domain controllers using ransomware | Microsoft Security Blog\",\"isPartOf\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2025\/04\/09\/how-cyberattackers-exploit-domain-controllers-using-ransomware\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2025\/04\/09\/how-cyberattackers-exploit-domain-controllers-using-ransomware\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2025\/04\/Security_1040100_Blog_250403-scaled.jpg\",\"datePublished\":\"2025-04-09T16:00:00+00:00\",\"dateModified\":\"2025-04-15T23:17:50+00:00\",\"description\":\"Cyberattackers exploit domain controllers to gain privileged system access where they deploy ransomware that causes widespread damage and operational disruption.\",\"breadcrumb\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2025\/04\/09\/how-cyberattackers-exploit-domain-controllers-using-ransomware\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2025\/04\/09\/how-cyberattackers-exploit-domain-controllers-using-ransomware\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2025\/04\/09\/how-cyberattackers-exploit-domain-controllers-using-ransomware\/#primaryimage\",\"url\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2025\/04\/Security_1040100_Blog_250403-scaled.jpg\",\"contentUrl\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2025\/04\/Security_1040100_Blog_250403-scaled.jpg\",\"width\":2560,\"height\":1333,\"caption\":\"A woman pointing at a computer screen.\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2025\/04\/09\/how-cyberattackers-exploit-domain-controllers-using-ransomware\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"How cyberattackers exploit domain controllers using ransomware\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#website\",\"url\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/\",\"name\":\"Microsoft Security Blog\",\"description\":\"Expert coverage of cybersecurity topics\",\"publisher\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#organization\",\"name\":\"Microsoft Security Blog\",\"url\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/08\/cropped-cropped-microsoft_logo_element.png\",\"contentUrl\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/08\/cropped-cropped-microsoft_logo_element.png\",\"width\":512,\"height\":512,\"caption\":\"Microsoft Security Blog\"},\"image\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#\/schema\/logo\/image\/\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"How cyberattackers exploit domain controllers using ransomware | Microsoft Security Blog","description":"Cyberattackers exploit domain controllers to gain privileged system access where they deploy ransomware that causes widespread damage and operational disruption.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2025\/04\/09\/how-cyberattackers-exploit-domain-controllers-using-ransomware\/","og_locale":"en_US","og_type":"article","og_title":"How cyberattackers exploit domain controllers using ransomware | Microsoft Security Blog","og_description":"Cyberattackers exploit domain controllers to gain privileged system access where they deploy ransomware that causes widespread damage and operational disruption.","og_url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2025\/04\/09\/how-cyberattackers-exploit-domain-controllers-using-ransomware\/","og_site_name":"Microsoft Security Blog","article_published_time":"2025-04-09T16:00:00+00:00","article_modified_time":"2025-04-15T23:17:50+00:00","og_image":[{"width":2560,"height":1333,"url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2025\/04\/Security_1040100_Blog_250403-scaled.jpg","type":"image\/jpeg"}],"author":"Alon Rosental","twitter_card":"summary_large_image","twitter_image":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2025\/04\/Security_1040100_Blog_250403-scaled.jpg","twitter_misc":{"Written by":"Alon Rosental","Est. reading time":"6 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2025\/04\/09\/how-cyberattackers-exploit-domain-controllers-using-ransomware\/#article","isPartOf":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2025\/04\/09\/how-cyberattackers-exploit-domain-controllers-using-ransomware\/"},"author":[{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/author\/alon-rosental\/","@type":"Person","@name":"Alon Rosental"}],"headline":"How cyberattackers exploit domain controllers using ransomware","datePublished":"2025-04-09T16:00:00+00:00","dateModified":"2025-04-15T23:17:50+00:00","mainEntityOfPage":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2025\/04\/09\/how-cyberattackers-exploit-domain-controllers-using-ransomware\/"},"wordCount":1503,"publisher":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#organization"},"image":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2025\/04\/09\/how-cyberattackers-exploit-domain-controllers-using-ransomware\/#primaryimage"},"thumbnailUrl":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2025\/04\/Security_1040100_Blog_250403-scaled.jpg","keywords":["Ransomware"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2025\/04\/09\/how-cyberattackers-exploit-domain-controllers-using-ransomware\/","url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2025\/04\/09\/how-cyberattackers-exploit-domain-controllers-using-ransomware\/","name":"How cyberattackers exploit domain controllers using ransomware | Microsoft Security Blog","isPartOf":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2025\/04\/09\/how-cyberattackers-exploit-domain-controllers-using-ransomware\/#primaryimage"},"image":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2025\/04\/09\/how-cyberattackers-exploit-domain-controllers-using-ransomware\/#primaryimage"},"thumbnailUrl":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2025\/04\/Security_1040100_Blog_250403-scaled.jpg","datePublished":"2025-04-09T16:00:00+00:00","dateModified":"2025-04-15T23:17:50+00:00","description":"Cyberattackers exploit domain controllers to gain privileged system access where they deploy ransomware that causes widespread damage and operational disruption.","breadcrumb":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2025\/04\/09\/how-cyberattackers-exploit-domain-controllers-using-ransomware\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.microsoft.com\/en-us\/security\/blog\/2025\/04\/09\/how-cyberattackers-exploit-domain-controllers-using-ransomware\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2025\/04\/09\/how-cyberattackers-exploit-domain-controllers-using-ransomware\/#primaryimage","url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2025\/04\/Security_1040100_Blog_250403-scaled.jpg","contentUrl":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2025\/04\/Security_1040100_Blog_250403-scaled.jpg","width":2560,"height":1333,"caption":"A woman pointing at a computer screen."},{"@type":"BreadcrumbList","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2025\/04\/09\/how-cyberattackers-exploit-domain-controllers-using-ransomware\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/"},{"@type":"ListItem","position":2,"name":"How cyberattackers exploit domain controllers using ransomware"}]},{"@type":"WebSite","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#website","url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/","name":"Microsoft Security Blog","description":"Expert coverage of cybersecurity topics","publisher":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#organization","name":"Microsoft Security Blog","url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/08\/cropped-cropped-microsoft_logo_element.png","contentUrl":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/08\/cropped-cropped-microsoft_logo_element.png","width":512,"height":512,"caption":"Microsoft Security Blog"},"image":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#\/schema\/logo\/image\/"}}]}},"msxcm_display_generated_audio":true,"distributor_meta":false,"distributor_terms":false,"distributor_media":false,"distributor_original_site_name":"Microsoft Security Blog","distributor_original_site_url":"https:\/\/www.microsoft.com\/en-us\/security\/blog","push-errors":false,"_links":{"self":[{"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/posts\/138286","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/users\/162"}],"replies":[{"embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/comments?post=138286"}],"version-history":[{"count":17,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/posts\/138286\/revisions"}],"predecessor-version":[{"id":138492,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/posts\/138286\/revisions\/138492"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/media\/138294"}],"wp:attachment":[{"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/media?parent=138286"}],"wp:term":[{"taxonomy":"content-type","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/content-type?post=138286"},{"taxonomy":"topic","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/topic?post=138286"},{"taxonomy":"products","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/products?post=138286"},{"taxonomy":"threat-intelligence","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/threat-intelligence?post=138286"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/tags?post=138286"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/coauthors?post=138286"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}