{"id":18668,"date":"2025-06-25T15:11:40","date_gmt":"2025-06-25T12:11:40","guid":{"rendered":"https:\/\/oberig-it.com\/uncategorized\/protecting-active-directory-from-ransomware-what-it-teams-can-learn-from-the-ms-and-co-op-attacks\/"},"modified":"2025-07-01T15:12:22","modified_gmt":"2025-07-01T12:12:22","slug":"protecting-active-directory-from-ransomware-what-it-teams-can-learn-from-the-ms-and-co-op-attacks","status":"publish","type":"post","link":"https:\/\/oberig-it.com\/en\/articles\/protecting-active-directory-from-ransomware-what-it-teams-can-learn-from-the-ms-and-co-op-attacks\/","title":{"rendered":"Protecting Active Directory from ransomware: What IT teams can learn from the M&#038;S and Co-op attacks"},"content":{"rendered":"<p>The recent ransomware attacks on Marks &amp; Spencer (M&amp;S) and Co-op, two of the UK\u2019s largest retailers, exposed a growing and dangerous trend: cybercriminal groups are targeting identity infrastructure\u2014especially <a href=\"https:\/\/delinea.com\/what-is\/active-directory\" target=\"_blank\" rel=\"noopener\"><span style=\"color: #0000ff;\">Active Directory (AD)<\/span><\/a>\u2014to quickly compromise entire environments.<\/p>\n<p>Attributed to the Scattered Spider group, these attacks disrupted essential services, locked out users, and forced manual workarounds at scale.<\/p>\n<p>Co-op\u2019s systems were reportedly down for days, affecting both internal communications and customer-facing operations. M&amp;S experienced a compromise of core Windows infrastructure, including the theft of the NTDS.dit file, which holds hashed credentials for the entire domain.<\/p>\n<p>For IT and security teams, these breaches serve as a blueprint of how modern ransomware unfolds\u2014and a warning of what\u2019s at stake if AD isn\u2019t secured.<\/p>\n<h4>How modern ransomware campaigns weaponize identity<\/h4>\n<p>The attack on M&amp;S followed a familiar, highly effective pattern. 
Once inside the network, the threat actors located and exfiltrated the NTDS.dit file\u2014the database containing all domain user credentials. Using offline cracking techniques, they converted these hashes into usable passwords, giving them unrestricted access to core systems.<\/p>\n<p><em><span style=\"color: #008000;\">In both cases, attackers escalated privileges rapidly and moved laterally using legitimate accounts and tools<\/span><\/em><\/p>\n<p>At Co-op, although full technical details remain undisclosed, the impact was severe enough to disrupt internal workflows, payment systems, and store operations. In both cases, attackers escalated privileges rapidly and moved laterally using legitimate accounts and tools\u2014minimizing detection.<\/p>\n<p>These cases illustrate common weaknesses that attackers exploit:<\/p>\n<ul>\n<li>Weak passwords or reused credentials that are easy to crack offline<\/li>\n<li>No multi-factor authentication (MFA), making stolen passwords enough to gain access<\/li>\n<li>Excessive privileges, where even compromised user accounts can perform admin-level tasks<\/li>\n<li>Lack of real-time monitoring, allowing adversaries to move freely before triggering alerts<\/li>\n<\/ul>\n<h4>Why do cybercriminals target Active Directory for ransomware attacks?<\/h4>\n<p>Active Directory is the central nervous system for access across enterprise networks. It manages identity, authentication, access control, and user privileges across systems. Gaining control of AD gives attackers the keys to the kingdom \u2014 the ability to manipulate access, impersonate users, and disable defenses across the network.<\/p>\n<p>When attackers gain access to AD, they can manipulate privileges, escalate rights, and move laterally across the network \u2014 often undetected until damage is done.<\/p>\n<p>The recent wave of ransomware in April 2025, including the high-profile attacks on UK retailers, reflects a clear vulnerability: insufficient AD hardening. 
Many organizations still lack robust security and recovery plans for AD, leaving them exposed to devastating breaches.<\/p>\n<p>To avoid this fate, security teams must take proactive steps to secure AD infrastructure.<\/p>\n<h4>How to protect Active Directory from ransomware in 2025<\/h4>\n<p>Here are four key steps organizations can take:<\/p>\n<h4>1. Avoid domain users in local admin groups<\/h4>\n<p>Enforce least privilege and eliminate over-permissioned configurations that allow domain users unnecessary local admin rights \u2014 a major enabler of lateral movement.<\/p>\n<h4>2. Fortify RDP with privileged access controls<\/h4>\n<p><a href=\"https:\/\/delinea.com\/what-is\/rdp-remote-desktop-protocol\" target=\"_blank\" rel=\"noopener\"><span style=\"color: #0000ff;\">Remote Desktop Protocol (RDP)<\/span><\/a> remains a common entry point. Enforcing MFA and access control through a privileged access solution is essential to preventing brute-force and credential stuffing attacks.<\/p>\n<h4>3. Use Active Directory bridging across platforms<\/h4>\n<p>For hybrid environments spanning Windows, Linux, and Unix, <a href=\"https:\/\/delinea.com\/what-is\/active-directory-bridging\" target=\"_blank\" rel=\"noopener\"><span style=\"color: #0000ff;\">Active Directory Bridging<\/span><\/a> ensures consistent identity governance, allowing you to enforce least privilege controls across all systems.<\/p>\n<h4>4. Move beyond vaulting \u2014 enforce real-time access controls<\/h4>\n<p>Vaulting credentials is an essential first step. But to truly stop attacks like those seen at M&amp;S and Co-op, organizations need to go further.<\/p>\n<h4>Break the attack chain with a trusted PAM provider<\/h4>\n<p>The M&amp;S and Co-op breaches are proof that identity infrastructure is now a top target. 
Ransomware groups are getting faster, stealthier, and more focused\u2014and Active Directory is almost always part of the plan.<\/p>\n<p>Implementing effective Active Directory security and privileged access controls can be complex and resource-intensive, especially for lean IT teams already stretched thin. Partnering with a trusted PAM provider like <a href=\"https:\/\/oberig-it.com\/en\/solution_manf\/delinea-en\/\" target=\"_blank\" rel=\"noopener\"><span style=\"color: #0000ff;\">Delinea<\/span><\/a> can help you accelerate your security initiatives and reduce risk.<\/p>\n<p><span style=\"color: #000000;\">Delinea<\/span>\u2019s Privilege Control for Servers (PCS) provides a powerful combination of Active Directory bridging and privileged access enforcement to help organizations secure their most critical infrastructure across Windows, Linux, and Unix environments.<\/p>\n<p>PCS enables centralized identity management through advanced AD bridging, delivering real-time visibility across site topologies, domain controllers, and user activity. This allows for consistent access policies and deeper insight at the server level.<\/p>\n<p>Beyond visibility, PCS delivers the access control needed to stop modern threats in their tracks. With PCS, you can:<\/p>\n<ul>\n<li>Enforce MFA at every server logon<\/li>\n<li>Prevent unauthorized lateral movement and privilege elevation<\/li>\n<li>Control access and elevation independently of Active Directory, making it impossible for attackers to exploit native AD privileges<\/li>\n<\/ul>\n<p>With PCS, you can enforce least privilege, monitor privileged sessions in real time, and break the ransomware attack chain before it starts.<\/p>\n<p>To further strengthen your Active Directory security posture, Delinea\u2019s Continuous Infrastructure Discovery (CID) for Active Directory provides a critical third layer of defense. 
It enables organizations to continuously monitor for emerging risks, such as new or hidden privileged accounts that could bypass PAM controls.<\/p>\n<p>A recommended three-step strategy:<\/p>\n<ol>\n<li>Vault the domain admin accounts using the Delinea Platform<\/li>\n<li>Protect Active Directory servers with Privilege Control for Servers (PCS)<\/li>\n<li>Monitor for new domain and shadow admins\u2014especially those attempting to bypass PAM\u2014using CID for Active Directory<\/li>\n<\/ol>\n<p>This layered defense approach delivers end-to-end protection \u2014 from locking down credentials, to controlling access in real time, to detecting suspicious privilege escalation before it becomes a breach.<\/p>\n<p>Don&#8217;t wait until it&#8217;s too late. Take proactive steps to harden your Active Directory environment and protect your organization from devastating ransomware attacks.<\/p>\n<p>Source: <a href=\"https:\/\/delinea.com\/blog\/protecting-active-directory-from-ransomware\" target=\"_blank\" rel=\"noopener\"><span style=\"color: #0000ff;\">Protecting Active Directory from ransomware: What IT teams can learn from the M&amp;S and Co-op attacks<\/span><\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>The recent ransomware attacks on Marks &amp; Spencer (M&amp;S) and Co-op, two of the UK\u2019s largest retailers, exposed a growing and dangerous trend: cybercriminal groups are targeting identity infrastructure\u2014especially Active Directory (AD)\u2014to quickly compromise entire environments. 
Attributed to the Scattered Spider group, these attacks disrupted essential services, locked out users, and forced manual workarounds at [&hellip;]<\/p>\n","protected":false},"author":850,"featured_media":18616,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":""},"categories":[142],"tags":[],"class_list":["post-18668","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-articles"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v26.6 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Protecting Active Directory from ransomware: What IT teams can learn from the M&amp;S and Co-op attacks \u261d Oberig IT blog<\/title>\n<meta name=\"description\" content=\"Protecting Active Directory from ransomware: What IT teams can learn from the M&amp;S and Co-op attacks \u26a1 Oberig IT blog for integrator partners, vendors and end customers\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/oberig-it.com\/en\/articles\/protecting-active-directory-from-ransomware-what-it-teams-can-learn-from-the-ms-and-co-op-attacks\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Protecting Active Directory from ransomware: What IT teams can learn from the M&amp;S and Co-op attacks \u261d Oberig IT blog\" \/>\n<meta property=\"og:description\" content=\"Protecting Active Directory from ransomware: What IT teams can learn from the M&amp;S and Co-op attacks \u26a1 Oberig IT blog for integrator partners, vendors and end customers\" \/>\n<meta property=\"og:url\" content=\"https:\/\/oberig-it.com\/en\/articles\/protecting-active-directory-from-ransomware-what-it-teams-can-learn-from-the-ms-and-co-op-attacks\/\" 
\/>\n<meta property=\"og:site_name\" content=\"Oberig IT\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/Oberig.disti\" \/>\n<meta property=\"article:published_time\" content=\"2025-06-25T12:11:40+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2025-07-01T12:12:22+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/oberig-it.com\/wp-content\/uploads\/2025\/06\/13.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"1875\" \/>\n\t<meta property=\"og:image:height\" content=\"625\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Albekova Paula\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Albekova Paula\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"6 minutes\" \/>\n<!-- \/ Yoast SEO plugin. 
-->","yoast_head_json":{"title":"Protecting Active Directory from ransomware: What IT teams can learn from the M&S and Co-op attacks \u261d Oberig IT blog","description":"Protecting Active Directory from ransomware: What IT teams can learn from the M&S and Co-op attacks \u26a1 Oberig IT blog for integrator partners, vendors and end customers","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/oberig-it.com\/en\/articles\/protecting-active-directory-from-ransomware-what-it-teams-can-learn-from-the-ms-and-co-op-attacks\/","og_locale":"en_US","og_type":"article","og_title":"Protecting Active Directory from ransomware: What IT teams can learn from the M&S and Co-op attacks \u261d Oberig IT blog","og_description":"Protecting Active Directory from ransomware: What IT teams can learn from the M&S and Co-op attacks \u26a1 Oberig IT blog for integrator partners, vendors and end customers","og_url":"https:\/\/oberig-it.com\/en\/articles\/protecting-active-directory-from-ransomware-what-it-teams-can-learn-from-the-ms-and-co-op-attacks\/","og_site_name":"Oberig IT","article_publisher":"https:\/\/www.facebook.com\/Oberig.disti","article_published_time":"2025-06-25T12:11:40+00:00","article_modified_time":"2025-07-01T12:12:22+00:00","og_image":[{"width":1875,"height":625,"url":"https:\/\/oberig-it.com\/wp-content\/uploads\/2025\/06\/13.jpg","type":"image\/jpeg"}],"author":"Albekova Paula","twitter_card":"summary_large_image","twitter_misc":{"Written by":"Albekova Paula","Est. 
reading time":"6 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/oberig-it.com\/en\/articles\/protecting-active-directory-from-ransomware-what-it-teams-can-learn-from-the-ms-and-co-op-attacks\/#article","isPartOf":{"@id":"https:\/\/oberig-it.com\/en\/articles\/protecting-active-directory-from-ransomware-what-it-teams-can-learn-from-the-ms-and-co-op-attacks\/"},"author":{"name":"Albekova Paula","@id":"https:\/\/oberig-it.com\/en\/#\/schema\/person\/9d804f9c469169d256ca04bc0446793d"},"headline":"Protecting Active Directory from ransomware: What IT teams can learn from the M&#038;S and Co-op attacks","datePublished":"2025-06-25T12:11:40+00:00","dateModified":"2025-07-01T12:12:22+00:00","mainEntityOfPage":{"@id":"https:\/\/oberig-it.com\/en\/articles\/protecting-active-directory-from-ransomware-what-it-teams-can-learn-from-the-ms-and-co-op-attacks\/"},"wordCount":964,"commentCount":0,"publisher":{"@id":"https:\/\/oberig-it.com\/en\/#organization"},"image":{"@id":"https:\/\/oberig-it.com\/en\/articles\/protecting-active-directory-from-ransomware-what-it-teams-can-learn-from-the-ms-and-co-op-attacks\/#primaryimage"},"thumbnailUrl":"https:\/\/oberig-it.com\/wp-content\/uploads\/2025\/06\/13.jpg","articleSection":["Articles"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/oberig-it.com\/en\/articles\/protecting-active-directory-from-ransomware-what-it-teams-can-learn-from-the-ms-and-co-op-attacks\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/oberig-it.com\/en\/articles\/protecting-active-directory-from-ransomware-what-it-teams-can-learn-from-the-ms-and-co-op-attacks\/","url":"https:\/\/oberig-it.com\/en\/articles\/protecting-active-directory-from-ransomware-what-it-teams-can-learn-from-the-ms-and-co-op-attacks\/","name":"Protecting Active Directory from ransomware: What IT teams can learn from the M&S and Co-op attacks \u261d Oberig IT 
blog","isPartOf":{"@id":"https:\/\/oberig-it.com\/en\/#website"},"primaryImageOfPage":{"@id":"https:\/\/oberig-it.com\/en\/articles\/protecting-active-directory-from-ransomware-what-it-teams-can-learn-from-the-ms-and-co-op-attacks\/#primaryimage"},"image":{"@id":"https:\/\/oberig-it.com\/en\/articles\/protecting-active-directory-from-ransomware-what-it-teams-can-learn-from-the-ms-and-co-op-attacks\/#primaryimage"},"thumbnailUrl":"https:\/\/oberig-it.com\/wp-content\/uploads\/2025\/06\/13.jpg","datePublished":"2025-06-25T12:11:40+00:00","dateModified":"2025-07-01T12:12:22+00:00","description":"Protecting Active Directory from ransomware: What IT teams can learn from the M&S and Co-op attacks \u26a1 Oberig IT blog for integrator partners, vendors and end customers","breadcrumb":{"@id":"https:\/\/oberig-it.com\/en\/articles\/protecting-active-directory-from-ransomware-what-it-teams-can-learn-from-the-ms-and-co-op-attacks\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/oberig-it.com\/en\/articles\/protecting-active-directory-from-ransomware-what-it-teams-can-learn-from-the-ms-and-co-op-attacks\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/oberig-it.com\/en\/articles\/protecting-active-directory-from-ransomware-what-it-teams-can-learn-from-the-ms-and-co-op-attacks\/#primaryimage","url":"https:\/\/oberig-it.com\/wp-content\/uploads\/2025\/06\/13.jpg","contentUrl":"https:\/\/oberig-it.com\/wp-content\/uploads\/2025\/06\/13.jpg","width":1875,"height":625},{"@type":"BreadcrumbList","@id":"https:\/\/oberig-it.com\/en\/articles\/protecting-active-directory-from-ransomware-what-it-teams-can-learn-from-the-ms-and-co-op-attacks\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/oberig-it.com\/en\/"},{"@type":"ListItem","position":2,"name":"Protecting Active Directory from ransomware: What IT teams can learn from the M&#038;S and Co-op 
attacks"}]},{"@type":"WebSite","@id":"https:\/\/oberig-it.com\/en\/#website","url":"https:\/\/oberig-it.com\/en\/","name":"Oberig IT","description":"Distribution of complex IT and information security solutions","publisher":{"@id":"https:\/\/oberig-it.com\/en\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/oberig-it.com\/en\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/oberig-it.com\/en\/#organization","name":"Oberig IT","url":"https:\/\/oberig-it.com\/en\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/oberig-it.com\/en\/#\/schema\/logo\/image\/","url":"https:\/\/oberig-it.com\/wp-content\/uploads\/2023\/06\/logo-new.svg","contentUrl":"https:\/\/oberig-it.com\/wp-content\/uploads\/2023\/06\/logo-new.svg","caption":"Oberig IT"},"image":{"@id":"https:\/\/oberig-it.com\/en\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/Oberig.disti"]},{"@type":"Person","@id":"https:\/\/oberig-it.com\/en\/#\/schema\/person\/9d804f9c469169d256ca04bc0446793d","name":"Albekova Paula","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/oberig-it.com\/en\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/267b2447d88f2254471421efc84e51964ec66e50c0a67b40f9346d135523b971?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/267b2447d88f2254471421efc84e51964ec66e50c0a67b40f9346d135523b971?s=96&d=mm&r=g","caption":"Albekova 
Paula"},"sameAs":["https:\/\/oberig-it.com\/"]}]}},"_links":{"self":[{"href":"https:\/\/oberig-it.com\/en\/wp-json\/wp\/v2\/posts\/18668","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/oberig-it.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/oberig-it.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/oberig-it.com\/en\/wp-json\/wp\/v2\/users\/850"}],"replies":[{"embeddable":true,"href":"https:\/\/oberig-it.com\/en\/wp-json\/wp\/v2\/comments?post=18668"}],"version-history":[{"count":2,"href":"https:\/\/oberig-it.com\/en\/wp-json\/wp\/v2\/posts\/18668\/revisions"}],"predecessor-version":[{"id":18670,"href":"https:\/\/oberig-it.com\/en\/wp-json\/wp\/v2\/posts\/18668\/revisions\/18670"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/oberig-it.com\/en\/wp-json\/wp\/v2\/media\/18616"}],"wp:attachment":[{"href":"https:\/\/oberig-it.com\/en\/wp-json\/wp\/v2\/media?parent=18668"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/oberig-it.com\/en\/wp-json\/wp\/v2\/categories?post=18668"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/oberig-it.com\/en\/wp-json\/wp\/v2\/tags?post=18668"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}