How to Defend Against Ransomware-as-a-Service Groups That Attack Active Directory

By Semperis Team May 17, 2021 | Active Directory

Concern about the Colonial Pipeline ransomware attack by DarkSide has expanded beyond the cybersecurity industry and into the consciousness of the everyday consumer—an indicator of the extensive implications the attack has on the global economy. In response, the Biden administration issued an executive order and held a press conference, and the hacker community moved to take down the DarkSide ransomware gang’s servers.

What can you do to protect your company from a ransomware-as-a-service (RaaS) attack similar to the one that crippled Colonial Pipeline? First, arm yourself with an understanding of how RaaS attacks are typically carried out, usually favoring Windows vulnerabilities to exploit for initial access. In this video, Microsoft MVP and Semperis Director of Services Sean Deuby steps through how attackers breach Active Directory.



As Deuby points out in the video, RaaS groups follow a certain pattern of behavior:

  • An attack starts with reconnaissance, followed by the use of penetration-testing tooling to gain initial access to your systems.
  • Once they have a foothold, attackers spend weeks moving through the environment, hunting for vulnerabilities and taking over privileged user accounts.
  • The gang waits until it can maximize the impact, then locks up your systems and demands a ransom.
  • The attackers not only steal your sensitive data but also threaten to publish it if the ransom isn’t paid promptly (so-called double extortion).

The DarkSide ransomware gang in particular has a few of its own quirks:

  • DarkSide is business-savvy. Not only does it claim to have “principles,” such as not targeting hospitals or schools, it attacks only organizations it knows can and will pay.
  • The gang is opportunistic and strikes when organizations are most likely to pay. It is patient, performing reconnaissance for several weeks to locate the crown jewels.
  • Finally, it knows the revenue from ransomware is predictable—there are no signs of ransomware-as-a-service slowing down. The Colonial Pipeline attack, for example, signals that groups like DarkSide have declared “open season” on infrastructure providers and SCADA systems.

Even if you aren’t an infrastructure company, here’s the big takeaway: Ransomware-as-a-Service attack groups favor Windows vulnerabilities. Common advice like “keep your Windows systems updated” is especially applicable when dealing with these types of attacks. However, it’s also critical that you proactively search for weak configurations in your identity systems (especially Active Directory) that are prime targets for attackers.


To help companies guard against ransomware-as-a-service attacks, Semperis released a free security assessment tool, Purple Knight, that allows organizations to safely probe their Microsoft Active Directory (AD) environment to identify dangerous misconfigurations and other weaknesses that attackers can exploit to steal data and launch malware campaigns. Built and managed by an elite group of Microsoft identity experts, the tool empowers organizations to combat the deluge of escalating attacks targeting AD by spotting indicators of exposure and compromise in their environments and providing corrective guidance to close gaps.

Purple Knight is currently used by some of the largest organizations with the most complex identity environments in the world. Early users reported an average score of 61%, a failing grade, which helps explain why AD is such an easy target for ransomware gangs. Purple Knight helps you identify areas where your identity system security needs attention, including Kerberos security, AD delegation, account security, AD infrastructure security, and Group Policy security.
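A quick first pass over the Kerberos, delegation, account and Group Policy categories named above can be made by hand before (or alongside) running a full assessment. The script below is an added example for this page: it is not code from the original post and is not Purple Knight's logic. It assumes a domain-joined Windows host with the RSAT ActiveDirectory module installed and an account with ordinary read access to the directory; the 90-day stale-logon and 180-day krbtgt-age thresholds are assumed values chosen for illustration, not Semperis guidance.

```powershell
# Added example: hand-rolled checks for common AD weaknesses that ransomware operators abuse.
# Not Purple Knight or any Semperis code. Read-only; assumes RSAT ActiveDirectory module.
Import-Module ActiveDirectory

$findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding {
    param([string]$Category, [string]$Check, [object[]]$Objects)
    foreach ($o in $Objects) {
        $findings.Add([pscustomobject]@{ Category = $Category; Check = $Check; Object = $o.SamAccountName })
    }
}

# Kerberos security: a user account with an SPN is Kerberoastable (any domain user can request a
# service ticket encrypted with its password hash and crack it offline); an account that does not
# require pre-authentication is AS-REP roastable in the same way.
Add-Finding 'Kerberos' 'User with SPN (Kerberoastable)' (
    Get-ADUser -Filter 'ServicePrincipalName -like "*"' -Properties ServicePrincipalName |
        Where-Object { $_.SamAccountName -ne 'krbtgt' })
Add-Finding 'Kerberos' 'Pre-authentication not required (AS-REP roastable)' (
    Get-ADUser -Filter 'DoesNotRequirePreAuth -eq $true')

# krbtgt key age: an old krbtgt password keeps forged "golden tickets" valid long after cleanup.
# 180 days is an assumed threshold for this example.
$krbtgt = Get-ADUser krbtgt -Properties PasswordLastSet
if ($krbtgt.PasswordLastSet -lt (Get-Date).AddDays(-180)) {
    Add-Finding 'Kerberos' 'krbtgt password older than 180 days' @($krbtgt)
}

# AD delegation: a non-DC host with unconstrained delegation caches the TGT of everyone who
# authenticates to it, so compromising that host can hand the attacker a domain admin's ticket.
# Primary group 516 = Domain Controllers, 521 = Read-only Domain Controllers.
Add-Finding 'Delegation' 'Unconstrained delegation on non-DC computer' (
    Get-ADComputer -Filter 'TrustedForDelegation -eq $true' -Properties TrustedForDelegation,PrimaryGroupID |
        Where-Object { $_.PrimaryGroupID -ne 516 -and $_.PrimaryGroupID -ne 521 })
Add-Finding 'Delegation' 'User account trusted for unconstrained delegation' (
    Get-ADUser -Filter 'TrustedForDelegation -eq $true')

# Account security: privileged accounts (adminCount=1) whose passwords never expire, accounts
# storing reversibly encrypted passwords, and stale enabled accounts an intruder can quietly reuse.
# 90 days is an assumed staleness threshold for this example.
Add-Finding 'Account' 'Privileged account with password that never expires' (
    Get-ADUser -Filter 'adminCount -eq 1 -and PasswordNeverExpires -eq $true' -Properties PasswordNeverExpires)
Add-Finding 'Account' 'Reversible password encryption enabled' (
    Get-ADUser -Filter 'AllowReversiblePasswordEncryption -eq $true')
$stale = (Get-Date).AddDays(-90)
Add-Finding 'Account' 'Enabled user with no logon in 90 days' (
    Get-ADUser -Filter 'Enabled -eq $true -and LastLogonDate -lt $stale' -Properties LastLogonDate)

# Group Policy security: Group Policy Preferences XML files in SYSVOL that carry a "cpassword"
# attribute hold a password encrypted with a publicly documented AES key, readable by any domain user.
$domain = (Get-ADDomain).DNSRoot
$gppHits = Get-ChildItem "\\$domain\SYSVOL\$domain\Policies" -Recurse -Include *.xml -ErrorAction SilentlyContinue |
    Select-String -Pattern 'cpassword' -List
foreach ($hit in $gppHits) {
    $findings.Add([pscustomobject]@{ Category = 'GroupPolicy'; Check = 'GPP cpassword in SYSVOL'; Object = $hit.Path })
}

# Report: one row per affected object, grouped by category.
$findings | Sort-Object Category, Check, Object | Format-Table -AutoSize
```

Run it from a standard (non-privileged) domain account: everything it queries is readable by any authenticated user, which is exactly why these weaknesses are cheap for an attacker to enumerate once they have a foothold. Each hit is a candidate for remediation (long random passwords or group-managed service accounts for SPN users, constrained or resource-based delegation instead of unconstrained, rotating krbtgt twice, deleting cpassword entries from SYSVOL), not proof of compromise.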

You can learn more about Purple Knight and request free access from Semperis. For more analysis of how recent high-profile attacks have exploited Active Directory, check out the web seminar “How Attackers Exploit Active Directory: Lessons Learned from High-Profile Breaches,” presented by Ran Harel (Semperis Principal Security Product Manager) and Brian Desmond (Principal of Ravenswood Technology Group).

Just a few minutes of your time can go a long way to harden your core identity system and raise the barrier of entry for attackers.


About the author
Semperis Team
Semperis, the pioneer of identity-driven cyber resilience for cross-cloud and hybrid environments, offers educational resources, commentary, and research findings to inform technology leaders who are responsible for securing enterprise directory services.