Ransomware defense: Why Active Directory is healthcare's weakest link
If Active Directory goes down, it brings healthcare systems to a stop.
Published October 23, 2025
Healthcare ransomware attacks have spiked 30% in 2025, and for ransomware groups Active Directory (AD) is the perfect target. It is the foundation of network identity and access: if attackers can compromise a Domain Controller (DC), they gain visibility into, and control over, the entire network.
Once inside AD, attackers can use this access to move laterally inside the network or to sow chaos by encrypting the DC.
This is difficult to detect or stop. AD ships with audit logging but no alerting or anomaly detection of its own, so security teams often only realize a compromise has happened when it is too late to do anything about it.
Several high-profile ransomware groups are known to target AD specifically, but any ransomware actor will do the same. AD is a critical network resource, and securing it should be a top priority for every organization.
The need to defend AD is especially acute for the healthcare sector. If AD goes down, the organization’s digital identity and patient care systems go with it, bringing healthcare to a standstill.
In the worst-case scenario, doctors and nurses could lose access to records, test results, or the wider medical supply chain for days or weeks, sending them back to working with paper records.
Reaching AD is a multi-stage process. The first stage is initial access: compromising a public interface such as a VPN, using phished credentials for a user account, or exploiting a vulnerability in commonly used server software such as SharePoint.
Once a bridgehead has been established, the second stage is to conduct network reconnaissance using standard Windows tools to build a map of the local environment.
Because even non-privileged user accounts can read most of the directory by default, attackers can enumerate domain administrators, group memberships and service accounts with ordinary LDAP queries.
The final stage is to compromise a privileged account. This can happen through a range of techniques, including password spraying or brute forcing. Alternatively, an administrator might log into an already compromised machine to troubleshoot an issue, which leaves that account's credentials in memory where credential-dumping tools can harvest them.
The first line of AD defense is making sure attackers can’t breach perimeter security.
To gain a bridgehead, ransomware groups target the same attack surface as other attackers: weak or easily phished credentials, poorly configured public interfaces such as VPNs or exposed RDP, or internet-facing IIS servers.
MFA for Active Directory should be the minimum protection for all credentials: nobody should be able to authenticate without a secure second factor.
MFA is not always simple to implement; administrators must balance security against usability. Too little MFA, or weakly configured MFA, leaves authentication gaps; too much, and the user experience deteriorates.
UserLock is designed to make implementing MFA in on-premise networks as simple as possible for administrators and users alike.
For administrators, the first benefit is that it works alongside existing AD policies and there is no need to reconfigure domain policies within UserLock itself. What UserLock offers is the ability to extend security by adding a layer of authentication on top of AD.
This puts an extra barrier in the way of ransomware attackers trying to compromise user or service accounts.
Importantly, UserLock MFA protects against lateral movement. If an attacker compromises one user account and then harvests further passwords with credential-dumping tools, MFA stands in the way of that expansion: every new logon still requires a second factor the attacker does not hold, provided MFA is enforced on the connection types attackers use to move, such as RDP.
However, MFA is not enough on its own, which is why UserLock also implements a second layer: session and contextual controls.
Well-designed access controls limit the attack surface ransomware attackers can exploit should an account be compromised.
As well as limiting concurrent session risk (multiple connections opened by a single user), users can be restricted by workstation, device, IP range, organizational unit (OU), department, country, or time.
UserLock can also restrict which connection types a user account can access, for example workstation, terminal, Wi-Fi, VPN, IIS, and SaaS.
Monitoring unusual access patterns is central to good AD defense. Unfortunately, AD provides audit logs but no account monitoring or alerting of its own, leaving customers to build their own controls.
UserLock addresses this by letting administrators monitor user access through alerts. If a logon attempt falls outside policy, administrators are alerted to the unusual access immediately.
To avoid alert overload, administrators can customize these alerts across a range of criteria such as connection type, user, group, organizational unit (OU), time or IP range, and outcome (whether a connection was blocked or MFA rejected).
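As an added example that is not UserLock's code or configuration, the following Python model shows how the contextual controls described above (connection type, IP range, time, workstation and concurrent-session limits) and the alerting built on them fit together. The rule names, group names, hostnames, addresses and the logon events are all hypothetical and constructed for the example; the admin logon at 03:12 onto a ward PC over RDP is the scenario from the attack-chain section, where a privileged account touches an already compromised machine.

```python
"""Added example: evaluate AD logons against contextual rules and raise alerts.
Not UserLock code; all names, addresses and events below are constructed."""
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    """Contextual policy applied to members of any of `groups` (hypothetical)."""
    name: str
    groups: frozenset
    conn_types: frozenset            # permitted connection types
    networks: tuple                  # permitted source networks
    hours: tuple                     # (first_hour, last_hour), inclusive, local time
    workstations: Optional[frozenset]  # permitted hostnames; None means any
    max_sessions: int                # concurrent sessions allowed per account


@dataclass(frozen=True)
class Logon:
    user: str
    groups: frozenset
    workstation: str
    source_ip: str
    conn_type: str
    mfa_ok: bool
    when: datetime


@dataclass(frozen=True)
class Alert:
    user: str
    outcome: str        # "blocked" or "mfa_rejected"
    conn_type: str
    reasons: tuple
    when: datetime


def rule_for(logon, rules):
    """First rule whose groups overlap the account's; list privileged rules first."""
    for rule in rules:
        if rule.groups & logon.groups:
            return rule
    return None


def evaluate(logon, rule, open_sessions):
    """Return (outcome, reasons); outcome is allowed, blocked or mfa_rejected."""
    if not logon.mfa_ok:
        return "mfa_rejected", ("second factor missing or rejected",)
    reasons = []
    if logon.conn_type not in rule.conn_types:
        reasons.append(f"connection type {logon.conn_type} not permitted")
    if not any(ip_address(logon.source_ip) in net for net in rule.networks):
        reasons.append(f"source {logon.source_ip} outside permitted networks")
    first, last = rule.hours
    if not first <= logon.when.hour <= last:
        reasons.append(f"logon at {logon.when:%H:%M} outside permitted hours")
    if rule.workstations is not None and logon.workstation not in rule.workstations:
        reasons.append(f"{logon.workstation} is not an approved workstation")
    if len(open_sessions.get(logon.user, set())) >= rule.max_sessions:
        reasons.append("concurrent session limit reached")
    return ("blocked" if reasons else "allowed"), tuple(reasons)


def process(logons, rules):
    """Run a stream of logons through the policy; returns (decisions, alerts)."""
    open_sessions, decisions, alerts = {}, [], []
    for logon in logons:
        rule = rule_for(logon, rules)
        if rule is None:
            outcome, reasons = "blocked", ("no policy covers this account",)
        else:
            outcome, reasons = evaluate(logon, rule, open_sessions)
        decisions.append((logon.user, logon.workstation, outcome))
        if outcome == "allowed":
            open_sessions.setdefault(logon.user, set()).add(logon.workstation)
        else:
            alerts.append(Alert(logon.user, outcome, logon.conn_type, reasons, logon.when))
    return decisions, alerts


def filter_alerts(alerts, outcome=None, conn_type=None, user=None):
    """Narrow alerts by outcome, connection type or user to avoid alert overload."""
    return [a for a in alerts
            if (outcome is None or a.outcome == outcome)
            and (conn_type is None or a.conn_type == conn_type)
            and (user is None or a.user == user)]


# Hypothetical policy: tier-0 admins first so they get the strictest rule.
RULES = (
    Rule("domain-admins", frozenset({"Domain Admins"}), frozenset({"workstation", "terminal"}),
         (ip_network("10.0.0.0/24"),), (7, 19), frozenset({"PAW-01", "PAW-02"}), 1),
    Rule("clinical-staff", frozenset({"Clinical Staff"}), frozenset({"workstation", "vpn"}),
         (ip_network("10.20.0.0/16"), ip_network("203.0.113.0/24")), (6, 22), None, 1),
)

# Constructed sample logons, in arrival order (not real data).
SAMPLE = (
    Logon("j.smith", frozenset({"Clinical Staff"}), "WARD3-PC07", "10.20.3.17", "workstation", True, datetime(2025, 10, 23, 8, 15)),
    Logon("j.smith", frozenset({"Clinical Staff"}), "WARD5-PC02", "10.20.5.40", "workstation", True, datetime(2025, 10, 23, 8, 40)),
    Logon("adm-kwong", frozenset({"Domain Admins"}), "WARD3-PC07", "10.20.3.17", "terminal", True, datetime(2025, 10, 24, 3, 12)),
    Logon("j.smith", frozenset({"Clinical Staff"}), "VPN-GW", "203.0.113.5", "vpn", False, datetime(2025, 10, 24, 12, 5)),
)

if __name__ == "__main__":
    decisions, alerts = process(SAMPLE, RULES)
    for d in decisions:
        print(d)
    for a in filter_alerts(alerts, outcome="blocked"):
        print(a.user, a.conn_type, a.reasons)
```

The second j.smith logon is refused because one session is already open, the admin logon is refused on three separate grounds (source network, time of day, and a ward PC that is not an approved admin workstation), and the VPN attempt without a second factor is recorded as an MFA rejection. Ordering the rules with the most privileged group first matters: an account that is both a clinician and a Domain Admin must get the stricter policy.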
It is no secret that ransomware groups target AD; its importance to network security guarantees that. Despite this, many organizations fail to protect AD consistently.
AD defense requires several layers of security: MFA, access and contextual controls, and account monitoring granular enough to let admins set precise policies that detect anomalies without penalizing users.
However, implementing this in on-premises environments can be inconvenient. UserLock's innovation is to make protecting AD as simple as possible. There is no need to migrate to a new identity provider: UserLock integrates the user policies that already exist in AD and adds a security layer on top of them that implements MFA and contextual access.
Most important of all, it gives organizations a way of monitoring who is accessing AD with real-time alerting. Too often, victims lack this insight until it is too late. The takeaway is simple: if security teams can see the problem, they can take steps to fix it.