eSecurity Planet content and product recommendations are
editorially independent. We may make money when you click on links
to our partners.
For years, ransomware attacks followed a familiar script.
Threat actors gained entry through a vulnerable server, a phishing email, or malicious software on an endpoint. Once inside, they moved laterally through the network, then encrypted systems and demanded payment.
That playbook has changed.
Today’s ransomware operators increasingly target identity infrastructure as their first objective.
Active Directory, Entra ID, and Okta control access and provide a new attack target
Systems such as Active Directory, Entra ID, and Okta form the trust backbone of modern enterprises, controlling authentication and access across hybrid environments. If attackers compromise identity systems, they effectively gain the keys to the organization.
The scale of the threat reflects this shift. The Ransomware Risk Report from Semperis shows that 78% of organizations were targeted by ransomware within the past 12 months, and 56% of those attacks succeeded.
At the same time, cyber incidents are increasingly disrupting operations: 71% of organizations report experiencing at least one IT event in the past year that halted critical business functions.
In other words, ransomware is no longer just about encrypting files. It is about controlling identity.
Identity security specialists, including Semperis, have observed this shift firsthand as ransomware actors increasingly prioritize compromising identity systems early in the attack lifecycle.
Identity Infrastructure: The Ultimate Control Plane
Identity infrastructure functions as Tier 0 within the enterprise environment. It governs authentication, authorization, and access control for nearly every system, application, and user account across the organization.
When attackers gain control of identity services, they can impersonate legitimate users, escalate privileges, and manipulate access policies across on-premises and cloud environments.
In hybrid identity architectures — where Active Directory integrates with cloud identity providers and SaaS platforms — the attack surface expands even further.
This is why identity systems have become such attractive targets.
Semperis’ research underscores this reality.
Eighty-three percent of ransomware attacks involve compromise of identity infrastructure, while 82% of broader cyber incidents either definitely or possibly involve compromise of core identity systems such as Active Directory or Entra ID.
For security teams, this reinforces an important reality: identity is no longer just an authentication layer — it has become the central control plane of enterprise security.
This has led many organizations to reevaluate how they protect identity infrastructure, with a growing focus on treating identity systems as Tier 0 assets that require dedicated security and recovery strategies.
The shift also reflects a broader trend: attackers increasingly target authentication systems early in the attack lifecycle, according to identity resilience experts at Semperis.
To understand why identity protection has become so critical, it’s important to look at how modern ransomware attacks typically unfold.
Stage One: Identity Takeover
Many ransomware attacks begin with an initial foothold inside the environment. Increasingly, that foothold comes through identity compromise.
Phishing campaigns, stolen credentials, and hijacked authentication tokens remain among the most common entry points. Once attackers hold valid credentials, they log in as legitimate users, bypassing defenses built to spot malware rather than the misuse of a real account.
Weak identity hygiene compounds the problem. Stale accounts, excessive privileges, and misconfigured permissions create exploitable pathways that attackers can leverage to gain access.
Privileged service accounts are especially attractive targets: they often hold broad access, their passwords are rarely rotated, and because nobody logs in with them interactively, they receive little monitoring.
Attackers may also hijack active sessions or tokens (a stolen browser session cookie or OAuth token is accepted without repeating the MFA prompt that protected the original login) to bypass login controls entirely. Once access is secured, they establish persistence by creating new privileged accounts, modifying group memberships, or altering identity configurations.
The frequency of these attacks highlights the urgency of the problem. Sixty-two percent of critical infrastructure organizations report being targeted by cyberattacks within the past year.
Because identity-based attacks often blend into normal authentication activity, security teams need visibility into the identity layer itself — not just endpoints or network traffic — to detect suspicious activity before it escalates.
Stage Two: Privilege Escalation
Once attackers gain a foothold in identity systems, their next objective is privilege escalation.
Active Directory environments contain complex trust relationships, delegation paths, and permission structures. Misconfigurations within these systems (unconstrained delegation, overly permissive ACLs on privileged objects, service accounts sitting in Tier 0 groups) can allow attackers to escalate privileges without triggering alarms.
Techniques such as Kerberoasting (requesting service tickets for accounts that have a service principal name and cracking them offline to recover the account password), pass-the-hash (authenticating with a stolen NTLM hash without ever knowing the password), and ticket forgery or manipulation (Golden and Silver Tickets) enable attackers to extract credentials and elevate their privileges incrementally.
Ultimately, the goal is to obtain Domain Admin or equivalent Tier 0 privileges.
Once attackers reach this level of access, they can operate inside the network as legitimate administrators.
They can modify policies, disable security tools, and expand lateral movement across systems and cloud resources.
Persistence becomes a major challenge at this stage. Seventy-three percent of organizations that experienced successful ransomware attacks were attacked multiple times, indicating that once attackers establish access, they often return.
Monitoring identity activity and detecting abnormal privilege escalation patterns are therefore critical to interrupting attacks before they reach this stage.
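As an added illustration of the identity-layer monitoring described in Stage One and Stage Two (this is example code, not code from the article or from Semperis), the following Python rules run over a constructed sample of Windows Security events and look for two of the signals the text names: a burst of RC4-encrypted service ticket requests (event 4769 with TicketEncryptionType 0x17) from a single account, which is the Kerberoasting pattern, and an addition to a Tier 0 group (events 4728, 4732, 4756) whose new member was created shortly before by event 4720, which is the persistence move of creating a fresh privileged account. The log records, account and host names, group watch list, and thresholds are all constructed for the example; field names follow the EventData names Windows uses.

```python
"""Identity-layer detections over Windows Security events (added example).

Not code from the article or from Semperis. Field names follow the
EventData names Windows writes for events 4720, 4728, 4732, 4756 and
4769; the records below are constructed for the example.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import json

# Constructed sample: one flattened event per line, as a log forwarder
# might emit it. Timestamps are UTC. Account and host names are made up.
SAMPLE_LOG = """\
{"t":"2024-05-01T09:00:10","EventID":4769,"TargetUserName":"svc-backup@CORP.LOCAL","ServiceName":"MSSQLSvc/db01","TicketEncryptionType":"0x12","IpAddress":"10.0.5.20"}
{"t":"2024-05-01T09:01:00","EventID":4769,"TargetUserName":"jdoe@CORP.LOCAL","ServiceName":"MSSQLSvc/db01","TicketEncryptionType":"0x17","IpAddress":"10.0.9.77"}
{"t":"2024-05-01T09:01:02","EventID":4769,"TargetUserName":"jdoe@CORP.LOCAL","ServiceName":"HTTP/web01","TicketEncryptionType":"0x17","IpAddress":"10.0.9.77"}
{"t":"2024-05-01T09:01:03","EventID":4769,"TargetUserName":"jdoe@CORP.LOCAL","ServiceName":"CIFS/file01","TicketEncryptionType":"0x17","IpAddress":"10.0.9.77"}
{"t":"2024-05-01T09:01:05","EventID":4769,"TargetUserName":"jdoe@CORP.LOCAL","ServiceName":"MSSQLSvc/db02","TicketEncryptionType":"0x17","IpAddress":"10.0.9.77"}
{"t":"2024-05-01T09:01:07","EventID":4769,"TargetUserName":"jdoe@CORP.LOCAL","ServiceName":"ldap/dc01","TicketEncryptionType":"0x17","IpAddress":"10.0.9.77"}
{"t":"2024-05-01T13:30:00","EventID":4720,"SubjectUserName":"svc-backup","TargetUserName":"helpdesk2"}
{"t":"2024-05-01T13:31:15","EventID":4728,"SubjectUserName":"svc-backup","TargetUserName":"Domain Admins","MemberName":"CN=helpdesk2,CN=Users,DC=corp,DC=local"}
{"t":"2024-05-01T14:00:00","EventID":4728,"SubjectUserName":"adm-alice","TargetUserName":"Sales","MemberName":"CN=bob,CN=Users,DC=corp,DC=local"}
"""

# Tier 0 groups to watch; extend with your own (assumed list for the example).
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins",
                     "Administrators", "Account Operators"}
GROUP_ADD_EVENTS = {4728, 4732, 4756}  # member added to global / local / universal security group
RC4_HMAC = "0x17"                       # TicketEncryptionType for RC4-HMAC, the cheap-to-crack option

def parse_log(text):
    """Turn the JSON-lines text into a list of events with parsed timestamps."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ev = json.loads(line)
            ev["t"] = datetime.fromisoformat(ev["t"])
            events.append(ev)
    return events

def detect_kerberoasting(events, min_spns=5, window=timedelta(minutes=10)):
    """One account pulling RC4 service tickets for many distinct SPNs in a short
    window is the Kerberoasting pattern: the attacker wants ticket hashes to crack
    offline. The thresholds are assumptions to tune per environment."""
    by_account = defaultdict(list)
    for ev in events:
        if ev["EventID"] == 4769 and ev.get("TicketEncryptionType") == RC4_HMAC:
            by_account[ev["TargetUserName"]].append(ev)
    findings = []
    for account, evs in by_account.items():
        evs.sort(key=lambda e: e["t"])
        for i, first in enumerate(evs):           # slide the window over each start event
            spns = {e["ServiceName"] for e in evs[i:] if e["t"] - first["t"] <= window}
            if len(spns) >= min_spns:
                findings.append({"rule": "kerberoasting", "account": account,
                                 "spn_count": len(spns), "source_ip": first["IpAddress"]})
                break
    return findings

def leaf_cn(dn):
    """'CN=helpdesk2,CN=Users,DC=corp,DC=local' -> 'helpdesk2'. The CN is a display
    name and is not guaranteed to equal sAMAccountName; production code should
    correlate on MemberSid instead."""
    first = dn.split(",")[0]
    return first.split("=", 1)[1] if "=" in first else first

def detect_privileged_group_changes(events, new_account_window=timedelta(hours=24)):
    """Any addition to a Tier 0 group deserves an alert; one whose member was
    created shortly before (event 4720) is the persistence move the text describes."""
    created = {ev["TargetUserName"].lower(): ev for ev in events if ev["EventID"] == 4720}
    findings = []
    for ev in events:
        if ev["EventID"] in GROUP_ADD_EVENTS and ev["TargetUserName"] in PRIVILEGED_GROUPS:
            member = leaf_cn(ev["MemberName"])
            finding = {"rule": "privileged_group_add", "group": ev["TargetUserName"],
                       "member": member, "actor": ev["SubjectUserName"], "severity": "high"}
            creation = created.get(member.lower())
            if creation and timedelta(0) <= ev["t"] - creation["t"] <= new_account_window:
                finding["severity"] = "critical"
                finding["note"] = "member created %s earlier by %s" % (
                    ev["t"] - creation["t"], creation["SubjectUserName"])
            findings.append(finding)
    return findings

def run(text=SAMPLE_LOG):
    """Run both rules over a JSON-lines log and return the findings."""
    events = parse_log(text)
    return detect_kerberoasting(events) + detect_privileged_group_changes(events)

if __name__ == "__main__":
    for f in run():
        print(f)
```

Two caveats a practitioner would apply before shipping these rules: domain controllers also issue RC4 tickets legitimately for accounts whose supported encryption types are limited to RC4, so the SPN-count threshold needs tuning against a baseline rather than alerting on a single 0x17 ticket; and the account named in the 4720 event is the svc-backup service account, which is exactly the poorly monitored, broadly privileged actor the text warns about, so the actor field belongs in the alert alongside the new member.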
Stage Three: Recovery Sabotage
Modern ransomware campaigns often include a critical step before encryption: sabotaging recovery.
Attackers understand that organizations can recover from ransomware quickly if their identity infrastructure and backups remain intact. As a result, many campaigns now target recovery mechanisms before launching the final attack.
Identity systems may be manipulated to lock administrators out of critical accounts or disrupt authentication services entirely.
Backup systems can be deleted or corrupted, and recovery tools may be disabled.
In more severe cases, attackers deliberately damage the identity infrastructure itself.
Active Directory forests may be corrupted or altered in ways that make restoration extremely difficult.
Unfortunately, many organizations are not prepared for this scenario.
Semperis research shows that only 66% of organizations include Active Directory recovery procedures in their disaster recovery plans, and 40% do not maintain dedicated Active Directory–specific backup systems.
Recovery preparedness gaps extend beyond technology. While many companies conduct crisis exercises, only 43% of those exercises involve disaster-recovery teams, even though those teams are responsible for restoring systems after an attack.
This is why identity recovery planning has become an important component of modern cyber resilience strategies.
The Business Impact of Identity-Driven Attacks
When identity systems fail, the entire enterprise can grind to a halt.
Authentication systems control access to applications, databases, cloud platforms, and operational systems.
If those systems are compromised or unavailable, employees may be unable to log in, business applications may stop functioning, and production environments may stall.
The operational consequences can be significant. The Semperis Cyber Resilience Survival Guide research shows that 57% of organizations report cyberattacks disrupting normal operations.
Even paying the ransom does not guarantee recovery. Fifteen percent of ransomware victims who paid did not receive usable decryption keys, and three percent received keys only to discover their stolen data had still been leaked or misused.
Recovery itself can take time. Eighteen percent of organizations require between one week and one month to return to normal operations after a ransomware incident.
Because identity infrastructure sits at the center of enterprise operations, restoring trust in identity systems is often the first step toward restoring the business.
Why Identity Resilience Matters in an “Assume Breach” World
For security leaders, the reality is clear: preventing every cyberattack is no longer realistic.
Modern enterprise environments are complex, distributed, and interconnected. Attackers will eventually find a way in. The question is not whether an attack will occur, but how effectively the organization can contain it.
This is where cyber resilience becomes essential.
An assume-breach mindset acknowledges that intrusions may happen and focuses on minimizing their impact. In the context of ransomware, this means prioritizing the rapid detection, containment, and recovery of identity infrastructure.
Identity resilience ensures that even if attackers compromise systems, organizations can quickly restore authentication services and regain control of their environments.
Strengthening Identity-Based Cyber Resilience
Improving identity resilience requires a combination of technology, processes, and organizational readiness.
Organizations should continuously assess identity environments for misconfigurations, privilege risks, and exposed accounts.
Monitoring authentication systems for suspicious activity — such as abnormal privilege escalation or unusual login patterns — is equally important.
Recovery readiness must also be prioritized. This includes maintaining secure, tested backups of identity infrastructure and regularly rehearsing identity-focused incident response plans.
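The assessment step above, and the identity hygiene problems Stage One describes (stale accounts, excessive privileges, service accounts with broad access and little oversight), as an added example that is not code from the article or from Semperis: a Python pass over a constructed export of user objects that flags idle accounts, Tier 0 accounts that carry a service principal name and are therefore Kerberoastable, privileged or service passwords that have not changed in over a year, Tier 0 accounts set to never expire, and accounts still marked adminCount=1 after leaving a protected group. Attribute names mirror Active Directory's; the accounts, dates, group list and thresholds (90 days idle, 365-day password age) are assumptions made for the example.

```python
"""Identity hygiene assessment over a directory export (added example).

Not code from the article or from Semperis. Attribute names mirror Active
Directory's (lastLogonTimestamp, pwdLastSet, servicePrincipalName,
adminCount, memberOf); the accounts, dates and thresholds are constructed.
"""
from datetime import date, timedelta

TIER0_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins",
                "Administrators", "Account Operators"}
STALE_AFTER = timedelta(days=90)         # assumption: idle longer than this is stale
PASSWORD_MAX_AGE = timedelta(days=365)   # assumption: Tier 0 / service passwords older than this are a risk
AS_OF = date(2024, 5, 1)                 # the date the constructed snapshot was taken

# Constructed snapshot, as Get-ADUser or an LDAP search might return it after
# converting timestamps to dates. lastLogonTimestamp replicates with up to
# 14 days of lag in AD, so a real check should allow for that.
SNAPSHOT = [
    {"sam": "adm-alice",   "enabled": True, "lastLogon": "2024-04-28", "pwdLastSet": "2024-02-01",
     "memberOf": ["Domain Admins"], "spn": [],                     "adminCount": 1, "pwdNeverExpires": False},
    {"sam": "adm-legacy",  "enabled": True, "lastLogon": "2023-09-15", "pwdLastSet": "2022-06-01",
     "memberOf": ["Domain Admins"], "spn": [],                     "adminCount": 1, "pwdNeverExpires": True},
    {"sam": "svc-sql",     "enabled": True, "lastLogon": "2024-04-30", "pwdLastSet": "2019-03-12",
     "memberOf": ["Domain Admins"], "spn": ["MSSQLSvc/db01:1433"], "adminCount": 1, "pwdNeverExpires": True},
    {"sam": "jdoe",        "enabled": True, "lastLogon": "2024-04-29", "pwdLastSet": "2024-03-10",
     "memberOf": ["Sales"],         "spn": [],                     "adminCount": 1, "pwdNeverExpires": False},
    {"sam": "contractor7", "enabled": True, "lastLogon": "2023-11-02", "pwdLastSet": "2023-10-01",
     "memberOf": ["VPN Users"],     "spn": [],                     "adminCount": 0, "pwdNeverExpires": False},
]

def is_privileged(user):
    """True when the account sits in any watched Tier 0 group."""
    return bool(TIER0_GROUPS & set(user["memberOf"]))

def _age(as_of, iso_day):
    return as_of - date.fromisoformat(iso_day)

def assess(snapshot, as_of):
    """Return one finding per (rule, account) that the checks below trip."""
    findings = []

    def flag(rule, user, severity, detail):
        findings.append({"rule": rule, "account": user["sam"],
                         "severity": severity, "detail": detail})

    for user in snapshot:
        priv = is_privileged(user)
        if user["enabled"] and _age(as_of, user["lastLogon"]) > STALE_AFTER:
            flag("stale_account", user, "high" if priv else "medium",
                 "enabled, no logon for %d days" % _age(as_of, user["lastLogon"]).days)
        if priv and user["spn"]:
            # An SPN on a Tier 0 account lets any domain user request a ticket
            # encrypted with that account's password hash and crack it offline.
            flag("kerberoastable_tier0", user, "critical", "SPNs: " + ", ".join(user["spn"]))
        if (priv or user["spn"]) and _age(as_of, user["pwdLastSet"]) > PASSWORD_MAX_AGE:
            flag("old_password", user, "high",
                 "password last set %d days ago" % _age(as_of, user["pwdLastSet"]).days)
        if priv and user["pwdNeverExpires"]:
            flag("tier0_password_never_expires", user, "medium", "DONT_EXPIRE_PASSWORD set")
        if user["adminCount"] == 1 and not priv:
            # AdminSDHolder leaves adminCount=1 and the protected, non-inheriting ACL
            # in place after an account leaves a protected group; these leftovers
            # are easy to overlook during privilege reviews.
            flag("orphaned_admincount", user, "low", "adminCount=1 but not in a protected group")
    return findings

if __name__ == "__main__":
    for f in sorted(assess(SNAPSHOT, AS_OF), key=lambda f: (f["account"], f["rule"])):
        print(f)
```

Run against the constructed snapshot, the one clean account is adm-alice; svc-sql is the case the text warns about most, a service account in Domain Admins with a five-year-old, never-expiring password and an SPN, which makes its password recoverable offline by anyone with a domain login. Continuous assessment means re-running a pass like this on every export rather than once, so that a group membership added for persistence shows up as a new finding.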
Preparation matters because cyber crises are not rare events.
Ninety-six percent of organizations report having a cyber crisis response plan, and 90% say they have had to activate it at least once in the past year.
To support these efforts, many organizations are investing in solutions designed to secure hybrid identity environments.
These platforms provide continuous visibility into identity exposures, detect identity-based attacks in real time, and enable rapid recovery if identity systems are compromised.
Bottom Line: Identity Is the Battleground of Modern Ransomware
Ransomware attacks have evolved.
Instead of focusing solely on encrypting data, attackers now aim to control identity infrastructure — the systems that govern authentication, authorization, and access across the enterprise.
Once identity systems are compromised, attackers can escalate privileges, expand access, and disrupt recovery efforts — often with far-reaching operational consequences.
For security leaders, the path forward is clear: protecting identity systems and strengthening identity resilience must become a central priority.
In the modern ransomware landscape, identity is not just another attack surface.
It is the battlefield.
As cyberattacks increasingly target identity systems, the ability to detect compromise early and recover quickly has become essential for limiting operational disruption.
Semperis provides solutions designed to help organizations secure hybrid identity environments, detect identity-based attacks, and rapidly recover Active Directory and other identity systems following an incident.
