Ransomware Hits Major Brands. Lessons For Active Directory Management.

We often think that our favorite and trusted companies would be bulletproof. That's until hacking collectives like Scattered Spider walk off with an entire NTDS.dit file, the database that stores Active Directory data and the password hashes of every user in the domain. The ransomware attack halted online orders for five days and wiped out over £500 million in market value.

More recently, a similar attack on July 2 saw cybercriminals scrape names, contact details, and purchase history from the computer network of a luxury brand's subsidiary.

It’s a wake-up call that AD credentials are as valuable as the crown jewels, so why are so many teams treating them like an afterthought?

By analyzing thousands of infostealer logs and incident reports, analysts can show how mismanaged credentials become the starting point of large-scale intrusions. From digital identity creation to deletion, visibility into key touchpoints is essential, and checks must be in place to ensure no credential has slipped into the wrong hands.

The Cost of AD Neglect in Enterprise IT

Large organizations often accumulate decades of unused, duplicated, or orphaned Active Directory entries, such as former employee accounts. These lingering AD entries provide easy targets for attackers to escalate privileges or move laterally.

The average cost of a global data breach hit US$4.88 million in 2024, marking a 10% jump from the previous year and an all-time high. Breaches involving stolen or compromised credentials are a significant driver of this figure: in 2024, Verizon reported that 88% of breaches involved stolen credentials. Each successful malicious entry can bleed resources through containment, forensic investigation, and regulatory fines.

The issue of orphaned AD accounts is widespread. According to Microsoft, over 10% of AD user accounts are inactive or "stale," meaning they haven't been used or had a password reset in six months. These accounts frequently retain group memberships or elevated privileges, forming easy backdoors for abuse.
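The check a practitioner would want behind that definition, as an added example that is not from the article: enumerate enabled accounts with no logon and no password reset in six months, then flag those that still sit (directly or through nesting) in privileged groups. It assumes the RSAT ActiveDirectory module, read access to the domain, and the default built-in group names; the CSV path is a placeholder.

```powershell
Import-Module ActiveDirectory

$cutoff = (Get-Date).AddMonths(-6)
# Built-in groups whose stale members need immediate attention (assumed default
# names; add your own delegated admin groups).
$privilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins',
                    'Administrators', 'Account Operators', 'Backup Operators'

# Resolve nested membership once, so a user reaching Domain Admins through a
# nested group is still flagged. Maps SID -> list of privileged groups.
$privilegedSids = @{}
foreach ($group in $privilegedGroups) {
    Get-ADGroupMember -Identity $group -Recursive -ErrorAction SilentlyContinue |
        Where-Object objectClass -eq 'user' |
        ForEach-Object { $privilegedSids[$_.SID.Value] += @($group) }
}

function Get-StaleAdUser {
    param([datetime] $Cutoff)
    # LastLogonDate comes from lastLogonTimestamp, which replicates with up to
    # 14 days of lag: fine for a six-month threshold, not for precise forensics.
    Get-ADUser -Filter { Enabled -eq $true } `
               -Properties LastLogonDate, PasswordLastSet, MemberOf, whenCreated |
        Where-Object {
            ($null -eq $_.LastLogonDate   -or $_.LastLogonDate   -lt $Cutoff) -and
            ($null -eq $_.PasswordLastSet -or $_.PasswordLastSet -lt $Cutoff) -and
            $_.whenCreated -lt $Cutoff   # ignore accounts created recently and not used yet
        }
}

$report = Get-StaleAdUser -Cutoff $cutoff | ForEach-Object {
    [pscustomobject]@{
        SamAccountName  = $_.SamAccountName
        LastLogonDate   = $_.LastLogonDate
        PasswordLastSet = $_.PasswordLastSet
        DirectGroups    = @($_.MemberOf).Count
        PrivilegedVia   = ($privilegedSids[$_.SID.Value] -join ', ')
    }
}

# Privileged stale accounts first; the CSV feeds the cleanup/ticketing workflow.
$report | Sort-Object { $_.PrivilegedVia -ne '' } -Descending | Format-Table -AutoSize
$report | Export-Csv -NoTypeInformation -Path .\stale-ad-users.csv
```

Accounts that show up with a non-empty PrivilegedVia column are the ones the article describes: unused, yet still holding elevated rights.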

AD cleansing is essential for successful migration to cloud platforms, the enforcement of zero-trust principles, and streamlining user access across departments. Failing to sanitize AD can result in regulatory non-compliance. Violations of standards like GDPR, HIPAA, and SOX can result in fines ranging from hundreds of thousands to millions of dollars, and are often triggered by weak access controls or poor user data management.

Real-Time Visibility in the Identity Lifecycle

As the Ponemon Institute found in late 2024, nearly 46% of firms take from one day to over a week to detect and respond to the use of stolen credentials. This leaves a dangerous window in which real-time monitoring could have intervened.

Real-time visibility is critical during user onboarding, access changes, and offboarding to ensure permissions are granted and revoked instantly. It’s equally essential during active use to detect risky behavior or credential misuse before damage occurs. Here is a more detailed overview:

1. Provisioning and access granting (day-one access): Identity management platforms that enable real-time visibility at the onboarding or role-change stage mean that as soon as either event occurs, the system logs it, surfaces it, and can trigger alerts or approval workflows immediately, instead of relying on daily reports or after-the-fact audits. This prevents the delays, overprovisioning, or risky access that often come from bulk role assignments without oversight.

2. Ongoing usage monitoring (the "live" phase): As users interact with systems, real-time monitoring is essential to detect unusual behaviors (e.g., privilege misuse, lateral movement, access outside working hours). This enables adaptive security policies, such as immediate session termination or MFA prompts, based on live risk.

3. Offboarding and deprovisioning (critical exit events): When an employee leaves or changes roles, instant revocation of prior access is crucial to avoid lingering permissions. Real-time visibility ensures nothing is missed, especially access to cloud services, SaaS apps, or shared credentials that traditional AD cleanup (which is usually manual or scheduled) may not catch fast enough.

Companies are responsible for enforcing password refreshes and securing digital identities throughout their lifecycle. Enforcing role-based access controls, adopting zero-trust and MFA, and using automation and analytics to provide real-time alerts on unusual activity or access changes helps keep tabs on who’s accessing what.

Dark-Web Monitoring Signals Early Warnings

Since the start of 2025, the Cybernews research team has uncovered 16 billion exposed credentials. Although some of these are assumed to be duplicates, this is an overwhelming amount of personal information that can be used for account takeover, identity theft, and highly targeted phishing. Cybercriminals trade, test, and automate attacks based on leaked credentials, sometimes within hours. However, cybersecurity teams can turn these leaks into warnings.

Dark-web monitoring tools scan clear, deep, and dark web marketplaces and private forums for organizations’ assets, such as URLs, email domains, API keys, and passwords. When a match is found, alerts are triggered, turning passive data loss into an active warning signal.

When such alerts are retrieved, security teams can immediately force a password reset, temporarily suspend access to sensitive systems, and activate containment protocols. If a user account is compromised, Identity Threat Detection & Response (ITDR) tools can automatically block traffic coming from that identity, even if it's technically "authorized."
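The containment step described above, as an added example that is not from the article or any vendor's tooling: for each account named in a credential-exposure alert, reset the password to a random value, force a change at next logon, and optionally disable the account. It assumes the RSAT ActiveDirectory module and "reset password" rights on the target accounts; the $alerts records are constructed sample data standing in for the monitoring tool's output, and the CSV path is a placeholder.

```powershell
Import-Module ActiveDirectory

# Constructed sample records standing in for the monitoring tool's alert output.
$alerts = @(
    [pscustomobject]@{ SamAccountName = 'jdoe';   Source = 'stealer-log'; Seen = '2025-07-02' }
    [pscustomobject]@{ SamAccountName = 'asmith'; Source = 'paste-site';  Seen = '2025-07-03' }
)

function New-RandomPassword {
    # 24 random bytes, base64-encoded: 32 chars of mixed case, digits and symbols.
    $bytes = New-Object byte[] 24
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
}

function Invoke-ExposedCredentialContainment {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [object[]] $Alerts,
        [switch] $Suspend   # also disable the account until the owner is verified
    )
    foreach ($alert in $Alerts) {
        try { $user = Get-ADUser -Identity $alert.SamAccountName -Properties PasswordLastSet -ErrorAction Stop }
        catch { Write-Warning "No AD account '$($alert.SamAccountName)' (source: $($alert.Source))"; continue }
        # Nothing to do if the password was already rotated after the credential was seen.
        if ($user.PasswordLastSet -gt [datetime]$alert.Seen) { continue }
        if ($PSCmdlet.ShouldProcess($user.SamAccountName, 'Reset password, force change at logon')) {
            Set-ADAccountPassword -Identity $user -Reset -NewPassword (New-RandomPassword)
            Set-ADUser -Identity $user -ChangePasswordAtLogon $true
            if ($Suspend) { Disable-ADAccount -Identity $user }
        }
        # One record per account for the ticketing/SIEM pipeline.
        [pscustomobject]@{
            SamAccountName = $user.SamAccountName
            Source         = $alert.Source
            Seen           = $alert.Seen
            Suspended      = [bool]$Suspend
            ActionTime     = Get-Date
        }
    }
}

# Dry run first, then apply. A reset does not revoke Kerberos tickets or open
# sessions already issued for the identity; pair it with ITDR session termination.
Invoke-ExposedCredentialContainment -Alerts $alerts -WhatIf
Invoke-ExposedCredentialContainment -Alerts $alerts -Suspend |
    Export-Csv -NoTypeInformation -Path .\containment-log.csv
```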

As the entry point to wider supply chain attacks, outdated Active Directories that expose credentials pose serious security and compliance risks. Visibility is critical during user onboarding, access changes, and offboarding to ensure permissions are properly granted and revoked.

However, since credentials often surface on dark web forums or paste sites before being actively exploited, dark-web monitoring gives cybersecurity teams a chance to respond before a leak turns into a full-blown breach. It is an early alarm system for the digital identity perimeter that shouldn't be overlooked.

Eric Clay is CMO & Co-Research Team Lead at Flare
