Protecting the Crown Jewels: How Ransomware Groups Exploit Domains

When ransomware is dropped on your desktops and file shares, it feels like the beginning of the nightmare. In reality, it is the final scene. Long before encryption begins, attackers have already worked their way through the network, escalating privileges, stealing credentials, and hunting for what really matters: Active Directory, backups, data shares, and the virtualization infrastructure that keeps the business running.

And the harsh truth is this: they don’t need zero-days to get there. They rely on weaknesses most organizations already know about: legacy protocols, overprivileged accounts, flat networks, and poorly isolated recovery systems. Once they exploit these weaknesses, your company’s resilience is on the line.

Why Active Directory Is the “Crown Jewel”

Active Directory (AD) isn’t just another system; it’s the backbone of enterprise identity. Whoever controls AD controls the business.

Attackers typically start with a single compromised endpoint. From there:

  1. They dump the LSASS process to harvest credentials.
  2. They perform Kerberoasting, requesting Kerberos service tickets that can be taken offline to crack service account passwords.
  3. They attempt a DCSync to replicate the credential database.

And with tools like Mimikatz, Rubeus, or Impacket, they escalate privileges until they reach the hash of the KRBTGT account (the Kerberos key distribution account): the golden ticket to unlimited persistence.

This is why the AD domain isn’t just another stop along the way. It’s the crown jewel adversaries are after.

The Legacy Problem

One reason attackers succeed so often is that organizations still carry the weight of legacy technology.

  • NTLMv1 is still enabled in some places, even though it’s fundamentally broken.
  • NTLMv2, while stronger, is still open to relay and pass-the-hash attacks if signing or Extended Protection for Authentication isn’t enforced.
  • SMBv1, unencrypted LDAP, and WMI/DCOM create additional lateral movement paths.

It isn’t that attackers are brilliant; it’s that too many environments haven’t turned off the weak links. Every legacy protocol left enabled is another open door.

The Hidden Weakness: Backups and Virtualization

Stopping at AD is no longer enough for ransomware groups. Once they’ve compromised the domain, the blast radius expands dramatically. The first systems they go after are backups and virtualization systems.

If backup servers are domain-joined, then once AD is compromised the backups are too. Attackers delete retention chains, wipe repositories, and in some cases even delete jobs from backup applications installed on domain controllers, which is itself a catastrophic misconfiguration.

Virtualization platforms like VMware ESXi and vCenter are now frequent targets. With access, attackers can power down VMs, encrypt virtual disks, and wipe snapshots. Furthermore, they erase the forensic evidence needed for regulatory reporting and incident scoping. Without these artifacts, organizations cannot prove whether sensitive data was accessed, determine the true extent of compromise, or validate that persistence has been removed. This forces responders into broad, time-consuming remediation efforts, rebuilding more systems than necessary and extending downtime, all while leaving regulators, insurers, and clients with unanswered questions.

The Akira ransomware group shows exactly how this plays out. Active since 2023, Akira has carried out 300+ attacks and raked in over $42 million. They specifically target ESXi and vCenter servers, encrypting datastores and deleting backups through whatever backup software is reachable from the servers they have compromised.

Backup servers, backup management consoles, and virtualization hosts should never reside on flat networks. Yet time and again, we see organizations make this mistake, placing their most critical recovery and infrastructure components on the same network plane as user devices.

When Resilience Disappears

The reason all of this matters is simple: resilience collapses the moment backups and virtualization are gone.

In 96% of ransomware cases, attackers go after backups, and in 76%, they succeed.

When backups are compromised, ransom demands double (from ~$1M to ~$2.3M), victims are twice as likely to pay, and recovery costs are 8x higher.

Nearly one in three organizations fail to restore from backups during an attack, even though 92% claim to have them.

If AD is owned, backups are deleted, and hypervisors are encrypted, restoration efforts collapse completely. At that point, the ransom isn’t just extortion; it may be the only path back to business operations.

What Resilience Really Looks Like

Protecting the crown jewels is about discipline and architecture. Practical steps include:

  • For Active Directory: Disable NTLMv1, enforce signing, monitor for Kerberos anomalies, protect LSASS with Credential Guard, and collect DC logs.
  • For Privileged Access: At minimum, enforce MFA for all admin accounts and consider implementing Just-in-Time elevation with a Privileged Access Management (PAM) solution. For greater maturity, require Privileged Access Workstations (PAWs) to separate admin tasks from everyday use.
  • For File Shares: Apply least-privilege permissions, use Access-Based Enumeration, and enforce SMB signing and encryption. Block legacy SMBv1 entirely.
  • For Backups: Never domain-join backup servers; keep backup networks isolated; and follow the 3-2-1-1-0 rule: maintain 3 copies of data on 2 different media, with 1 offsite, 1 immutable or air-gapped, and 0 errors verified through regular restore testing.
  • For Virtualization: Keep vCenter/Hyper-V management on dedicated networks, enforce MFA/RBAC, and monitor for suspicious mass VM or snapshot activity.
  • For Network Design: Eliminate flat architecture. User devices should never have direct access to domain controllers, backups, or hypervisors.
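The attack chain above (Kerberoasting, then DCSync) and the “monitor for Kerberos anomalies, collect DC logs” step both come down to watching a few domain controller events. As an added illustration that is not part of the original post, the script below runs two simple detections over constructed Windows Security events modelled as dictionaries (field names, sample accounts and service names are assumptions, not real log parsing): a burst of RC4-encrypted service ticket requests (Event 4769, encryption type 0x17) from one account, and replication-rights access (Event 4662 carrying the DS-Replication-Get-Changes GUIDs) by anything that is not a domain controller.

```python
"""Constructed DC-log detections for Kerberoasting and DCSync indicators."""
from collections import defaultdict
from datetime import datetime, timedelta

# Extended-right GUIDs that DCSync must be granted (well-known AD values).
DCSYNC_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes-All
}
RC4_ETYPE = "0x17"  # RC4-HMAC tickets are what Kerberoasting tooling asks for


def find_kerberoast_bursts(events, window=timedelta(minutes=5), min_spns=5):
    """Return {account: services} for accounts that requested RC4 service
    tickets (4769) for at least min_spns distinct services inside `window`.
    Machine accounts (ending in $) legitimately request many tickets and
    are skipped to keep noise down."""
    by_user = defaultdict(list)
    for e in events:
        if e["id"] == 4769 and e["etype"] == RC4_ETYPE and not e["user"].endswith("$"):
            by_user[e["user"]].append((e["ts"], e["service"]))
    hits = {}
    for user, reqs in by_user.items():
        reqs.sort()
        for i, (t0, _) in enumerate(reqs):  # slide the window over each start
            spns = {svc for t, svc in reqs[i:] if t - t0 <= window}
            if len(spns) >= min_spns:
                hits[user] = spns
                break
    return hits


def find_dcsync(events, dc_accounts):
    """Return accounts that exercised replication rights (4662) but are not DCs."""
    return [e["user"] for e in events
            if e["id"] == 4662 and e["guid"].lower() in DCSYNC_GUIDS
            and e["user"] not in dc_accounts]


# Constructed sample: jdoe sweeps six service tickets in six seconds and then
# replicates the directory; asmith's single AES (0x12) request is benign.
T0 = datetime(2024, 1, 1, 9, 0, 0)
SAMPLE_EVENTS = [
    {"id": 4769, "ts": T0 + timedelta(seconds=s), "user": "jdoe",
     "service": f"svc-app{s}", "etype": "0x17"} for s in range(6)
] + [
    {"id": 4769, "ts": T0, "user": "asmith", "service": "fileshare", "etype": "0x12"},
    {"id": 4662, "ts": T0, "user": "DC01$", "guid": "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"},
    {"id": 4662, "ts": T0 + timedelta(minutes=2), "user": "jdoe",
     "guid": "1131F6AD-9C07-11D1-F79F-00C04FC2DCD2"},
]

if __name__ == "__main__":
    print("Kerberoast bursts:", find_kerberoast_bursts(SAMPLE_EVENTS))
    print("DCSync by non-DC:", find_dcsync(SAMPLE_EVENTS, {"DC01$"}))
```

In production the same logic is fed from the DC log collection the list calls for, with the DC account set taken from the Domain Controllers OU rather than hard-coded.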

The ransom note isn’t the beginning of a ransomware incident. It’s the end of a campaign that may have been unfolding for weeks. By then, the attackers may already have your domain, your backups, and your hypervisors under control.

That’s why ransomware is no longer just an availability issue; it’s a resiliency issue. If your crown jewels aren’t isolated and hardened, restoration may be impossible, leaving paying the ransom as the only option on the table.

The organizations that recover quickly are the ones that treat AD, backups, and virtualization like critical infrastructure, isolate them from compromise, and build recovery paths attackers can’t touch. Anything less is leaving the keys under the mat.