Why Active Directory is ransomware’s primary target

From Golden Ticket attacks to forest recovery, why Active Directory demands a different approach to resilience
The Softcat News Team

Active Directory sits at the centre of nine out of ten ransomware incidents. The National Cyber Security Centre recorded 204 nationally significant incidents in the year to September 2025, a 130% increase from the previous year. Ransomware remains the most pressing cyber threat to UK organisations. When attackers compromise Active Directory, they compromise everything that depends on it. In most organisations, that means everything.

The recovery gap most organisations ignore

Traditional backups protect data. They do not protect the identity infrastructure in the way that recovery demands. Active Directory outages can cause financial losses of up to $730,000 per hour, according to Commvault research.

The forest recovery process Microsoft publishes requires between 50 and 100 manual steps. Each step demands precision. Domain controller roles must be seized in the correct sequence, RID pools must be changed and trust relationships need validation. Most IT teams practise this rarely, if ever. Attempting it under pressure introduces a risk that few organisations can afford to take.

Backup replication creates another problem. Malicious changes to Active Directory replicate across domain controllers within minutes. Attackers change permissions, escalate privileges, and create persistence mechanisms that spread through the directory before detection occurs. Restoring from a backup often restores the compromise along with the data.

Commvault’s approach to identity resilience

Commvault announced its Cloud Unity platform at SHIFT 2025 in November 2025. The platform unifies data security, cyber recovery, and identity resilience on a single foundation. The identity resilience portfolio addresses Active Directory protection through four integrated capabilities that work together rather than as point solutions.

Real-time detection tracks identity changes across users, groups, and policies. Unauthorised privilege escalations, impossible travel patterns, and modifications to Tier 0 assets trigger immediate alerts. The system integrates vulnerability assessment with anomaly detection, providing visibility that traditional backup approaches cannot. Automated logging maintains comprehensive audit trails showing who made what change, when, and from where. Forensic investigation requires this detailed history. Creating it manually during an active attack proves impossible.

One-click rollback reverses unauthorised changes directly from the change log. Administrators do not need to locate recovery points or determine which backup contains the last known good state. The platform uses AI to determine the exact, clean point, eliminating guesswork from recovery decisions.
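As an added illustration of the Tier 0 alerting, audit trail and change-log rollback described in the two paragraphs above (example code written for this article, not Commvault's product or its API), the Python below filters constructed Windows Security group-membership events (IDs 4728 and 4729) down to Tier 0 groups, records who changed what, when and from where, and inverts that trail into an ordered rollback plan. The Tier 0 group list and the sample events are assumptions made for the example.

```python
import json

# Tier 0 groups whose membership changes should alert immediately. This baseline
# list is an assumption of the example, not a definition taken from the article.
TIER0_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators"}

# Constructed sample: simplified JSON renderings of Windows Security events
# 4728 (member added to a security-enabled global group) and 4729 (member
# removed). Field names follow the event XML; the values are invented.
SAMPLE_EVENTS = """
{"EventID": 4728, "TimeCreated": "2025-11-03T09:12:41Z", "SubjectUserName": "j.smith", "IpAddress": "10.0.5.21", "TargetUserName": "Helpdesk Tier 2", "MemberName": "CN=a.jones,OU=Users,DC=corp,DC=example"}
{"EventID": 4728, "TimeCreated": "2025-11-03T02:17:05Z", "SubjectUserName": "svc-backup", "IpAddress": "10.0.9.77", "TargetUserName": "Domain Admins", "MemberName": "CN=svc-backup,OU=Service,DC=corp,DC=example"}
{"EventID": 4729, "TimeCreated": "2025-11-03T02:18:30Z", "SubjectUserName": "svc-backup", "IpAddress": "10.0.9.77", "TargetUserName": "Domain Admins", "MemberName": "CN=da-ops,OU=Admins,DC=corp,DC=example"}
"""

def parse_events(text):
    """Parse one JSON object per line, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def tier0_changes(events):
    """Return an audit-trail entry (who, what, when, where) for every group
    membership change that touches a Tier 0 group, in chronological order."""
    trail = []
    for ev in sorted(events, key=lambda e: e["TimeCreated"]):
        if ev["EventID"] not in (4728, 4729):
            continue
        if ev["TargetUserName"] not in TIER0_GROUPS:
            continue  # not a Tier 0 asset: logged elsewhere, no immediate alert
        trail.append({
            "when": ev["TimeCreated"],
            "who": ev["SubjectUserName"],
            "where": ev["IpAddress"],
            "action": "add" if ev["EventID"] == 4728 else "remove",
            "member": ev["MemberName"],
            "group": ev["TargetUserName"],
        })
    return trail

def rollback_plan(trail):
    """Invert the Tier 0 change log, newest change first, so that applying the
    plan in order returns group membership to the state before the first change."""
    inverse = {"add": "remove", "remove": "add"}
    return [(inverse[c["action"]], c["member"], c["group"]) for c in reversed(trail)]

if __name__ == "__main__":
    changes = tier0_changes(parse_events(SAMPLE_EVENTS))
    for c in changes:
        print(f"ALERT {c['when']} {c['who']}@{c['where']}: {c['action']} {c['member']} -> {c['group']}")
    for step in rollback_plan(changes):
        print("ROLLBACK", *step)
```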

Automated forest recovery orchestrates the rigid Microsoft recovery process that defeats most manual attempts. Auto-generated runbooks handle Flexible Single Master Operations (FSMO) role seizure, domain controller promotions, and trust relationship validation. The SaaS-delivered control plane remains accessible even when your Active Directory infrastructure is completely down. This solves the recovery paradox, where tools require the very infrastructure they need to restore.

Cleanroom Recovery provides an on-demand, cloud-based isolated environment for testing recovery without risk of reintroducing threats into production networks. Organisations can validate AD health, test recovery procedures, and conduct forensic analysis without compromising live systems. This transforms disaster recovery testing from a theoretical exercise into practical verification.

Commvault’s platform has earned sustained recognition from industry analysts for its approach to data protection and cyber recovery. IDC named Commvault a Leader in its Worldwide Cyber-Recovery 2025 Vendor Assessment. The unified platform approach reduces total cost of ownership by integrating identity resilience with data protection, eliminating the need for separate point solutions.

How Softcat delivers identity resilience

Softcat holds Elite Partner status with Commvault, the highest tier available. At SHIFT 2025 in New York, we also received recognition as EMEA Champion at Commvault’s inaugural Fearless Awards. This partnership combines deep technical expertise with the commercial insight that UK organisations need when infrastructure decisions carry business-critical weight.

Our approach treats identity infrastructure with the same rigour as data protection. Active Directory recovery is not a backup problem. It is an operational resilience problem that demands dedicated tooling and tested processes. We help you assess your current recovery posture and design resilience architectures using Commvault’s identity protection capabilities.

Softcat holds positions on multiple public sector frameworks, enabling public sector organisations to buy secure technology solutions where identity failures directly impact service delivery.

Building recovery confidence

Active Directory sits at the heart of enterprise operations. Protecting it requires more than backup schedules and retention policies. It requires identity resilience built specifically for the way attackers now target authentication infrastructure. The organisations that recover in hours share one trait. They tested their recovery processes before an incident arrived.

Whether you are reviewing your AD recovery readiness or stress-testing resilience plans, Softcat can help. We will assess where you stand and build a practical path forward. Speak to our Sales team or connect with your Account Manager.