RANS-AD (Cybersecurity)

Ransomware / Active Directory Compromise

Ransomware has encrypted critical systems or threat actors have gained control of the Active Directory / Identity Provider, causing widespread authentication failure and data inaccessibility across the organisation.

Root Cause & Remediation

Typical root causes: a phishing-delivered ransomware payload, exploitation of an unpatched vulnerability (e.g. PrintNightmare, ProxyShell), or lateral movement from a compromised privileged account. AD compromise typically follows credential harvesting from an endpoint or a supply-chain attack.

Remediation steps

  1. IMMEDIATELY isolate affected systems from the network — disconnect, do not power off (preserve memory forensics).
  2. Activate the Incident Response retainer and notify your CISO and legal team within minutes.
  3. Notify the competent authority — this is an automatic DORA MAJOR incident. Your 4-hour clock started at the moment of detection.
  4. Bring up a clean out-of-band communication channel (avoid corporate email, which may be compromised).
  5. Begin recovery from verified, air-gapped backups. Do not trust any credentials from the compromised directory.

DORA Risk Matrix

Typical classification: MAJOR INCIDENT
Likelihood: Medium
Blast radius: Organisation-wide. Both client-facing services and internal operations are impacted. Data confidentiality, integrity, and availability are all threatened.
CIF impact: All functions dependent on Active Directory authentication (essentially all internal services) fail simultaneously. Data integrity is directly compromised.
Analyst notes: This is an automatic MAJOR incident under Criterion A (Art. 8(1)(b), Reg. 2024/1772): malicious cyberattack combined with data integrity loss. There is no threshold calculation required — report immediately. Also triggers mandatory notifications under GDPR Art. 33 and NIS2 if applicable.

Security Context

  • Result of Malicious Cyberattack: Confirmed adversarial action (ransomware, intrusion, exfiltration).
  • Data Integrity Impacted: Records altered, corrupted or lost beyond recoverable state.
  • Reputational Impact: Relevant media coverage, significant volume of client complaints, or proactive contact from a competent authority.

Use the DoraPulse Triage Calculator to instantly determine if this event breaches DORA materiality thresholds and generate a ready-to-file regulatory draft for your internal compliance team.