Sophos Report Finds Hackers Can Breach Active Directory in Hours: Are Your Data Protections Doing Enough?

OCTOBER 25TH, 2023

Arcserve partner Sophos recently posted its midyear Active Adversary report, which noted that ransomware hackers took a median of just 16 hours to gain access to Microsoft Active Directory.

With Active Directory (AD) in use by nearly 75,000 customers and holding a market share of 24 percent, this news should be a call to action for every IT pro whose organization relies on this software.

The report says that hackers try to move laterally to AD servers as soon as possible once they gain access. An AD server is usually the core component of a network, controlling identity and policy across your organization. Once hackers gain access to it, they can leverage accounts with admin privileges, create new accounts, and disable legitimate accounts. Even worse, they can use the AD servers’ role as a trusted source to deploy malware.
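The account activity the report describes (new accounts created, legitimate accounts disabled, accounts added to privileged groups) is visible in the Security log of a domain controller, so it can be checked for. The script below is an added example, not code from the Sophos report or from Arcserve: it parses a few constructed Windows Security event records (embedded as JSON lines, not real telemetry), keeps only the account-manipulation events (IDs 4720, 4725, 4728, 4732, 4756 are the standard audit events), and raises an alert when one actor generates several of them on one computer inside a short window. The privileged-group list, the 15-minute window and the threshold of three events are assumptions to tune for your environment.

```python
"""Flag bursts of account manipulation on a domain controller.

Added example: scans Windows Security event records for the
post-compromise activity described above (accounts created, accounts
disabled, members added to privileged groups) and alerts when one actor
produces several such events within a short window on one computer.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Standard Windows Security audit event IDs for account manipulation.
EVENT_NAMES = {
    4720: "user account created",
    4725: "user account disabled",
    4728: "member added to global group",
    4732: "member added to local group",
    4756: "member added to universal group",
}

# Groups whose membership changes are worth alerting on (assumption; adjust).
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins",
                     "Administrators", "Schema Admins"}

# Constructed sample events, not real telemetry. Field names follow the
# EventData names exported by the Windows Security log; for group
# events TargetUserName is the group and MemberName the added member.
SAMPLE_EVENTS = """\
{"TimeCreated": "2023-10-25T02:10:00", "EventID": 4624, "Computer": "DC01", "SubjectUserName": "svc_backup", "TargetUserName": "svc_backup"}
{"TimeCreated": "2023-10-25T02:14:30", "EventID": 4720, "Computer": "DC01", "SubjectUserName": "jdoe", "TargetUserName": "support1"}
{"TimeCreated": "2023-10-25T02:15:05", "EventID": 4728, "Computer": "DC01", "SubjectUserName": "jdoe", "TargetUserName": "Domain Admins", "MemberName": "CN=support1,CN=Users,DC=corp,DC=local"}
{"TimeCreated": "2023-10-25T02:16:40", "EventID": 4725, "Computer": "DC01", "SubjectUserName": "jdoe", "TargetUserName": "itadmin"}
{"TimeCreated": "2023-10-25T09:00:00", "EventID": 4720, "Computer": "DC01", "SubjectUserName": "hr_provisioning", "TargetUserName": "newhire7"}
"""


def parse_events(text):
    """Parse JSON-lines event records; TimeCreated becomes a datetime."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["TimeCreated"] = datetime.fromisoformat(rec["TimeCreated"])
        events.append(rec)
    return events


def interesting(rec):
    """Describe the event if it is account manipulation, else return None."""
    eid = rec["EventID"]
    if eid not in EVENT_NAMES:
        return None
    if eid in (4728, 4732, 4756) and rec["TargetUserName"] not in PRIVILEGED_GROUPS:
        return None  # ordinary group change, not a privileged group
    target = rec.get("MemberName", rec["TargetUserName"])
    return f"{EVENT_NAMES[eid]}: {target} -> {rec['TargetUserName']}" \
        if "MemberName" in rec else f"{EVENT_NAMES[eid]}: {target}"


def find_bursts(events, window=timedelta(minutes=15), threshold=3):
    """Group interesting events by (computer, actor) and alert when at
    least `threshold` of them fall inside `window` (sliding window)."""
    by_actor = defaultdict(list)
    for rec in sorted(events, key=lambda r: r["TimeCreated"]):
        desc = interesting(rec)
        if desc:
            key = (rec["Computer"], rec["SubjectUserName"])
            by_actor[key].append((rec["TimeCreated"], desc))
    alerts = []
    for (computer, actor), items in by_actor.items():
        start = 0
        for end in range(len(items)):
            while items[end][0] - items[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append({
                    "computer": computer,
                    "actor": actor,
                    "first": items[start][0].isoformat(),
                    "events": [d for _, d in items[start:end + 1]],
                })
                break  # one alert per actor is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in find_bursts(parse_events(SAMPLE_EVENTS)):
        print(f"ALERT {alert['computer']} actor={alert['actor']} from {alert['first']}")
        for line in alert["events"]:
            print("   ", line)
```

On the constructed sample, the single routine account creation by the provisioning account stays quiet, while the three events from one actor within two minutes (create an account, add it to Domain Admins, disable an existing admin) produce one alert. Feeding it real exports means converting your EVTX or SIEM records into the same field names; the logic itself does not change.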

Ransomware Protection Is Priority One, But Not the Only One

The report found that 68 percent of attacks involved ransomware. Network breaches came in a distant second at 18 percent. It also notes that most AD servers are only protected with Microsoft Defender—or not at all. Hacker groups targeting AD with widespread—and highly successful—ransomware families like LockBit 2.0 and BlackMatter spotlight the need for better ways to protect AD from ransomware.

A Cybersecurity and Infrastructure Security Agency (CISA) advisory says that LockBit was the most deployed ransomware variant worldwide in 2022 and is still going strong in 2023. CISA recommends proactively implementing mitigations to improve your organization’s defenses against this ransomware operation. Needless to say, those defenses should protect against all ransomware variants.

But there are plenty of other threats—from internal attacks by a disgruntled employee to hardware failures to natural disasters. So, it makes sense to address all of these threats to safeguard your AD environment and your precious data. That’s why data resilience matters most. 

Data Resilience Delivered

Arcserve’s Unified Data Protection (UDP) solution is built on three pillars: prevent, protect, and recover. 

Arcserve UDP features powerful prevention capabilities with integrated Intercept X Advanced from Arcserve partner and leading cybersecurity solutions provider Sophos. This security solution employs deep learning to predictively prevent attacks, detecting known and never-before-seen threats and unknown malware without relying on signatures. 

Sophos Intercept X Advanced also features WipeGuard, which stops malicious processes and protects the master boot record (MBR) from being encrypted. It also prevents the overwriting of critical structures. And it includes CryptoGuard, which monitors your system for processes that begin encrypting files. If CryptoGuard detects behavior like ransomware, it stops the detected running processes and restores the impacted files.

For your Active Directory deployment, Arcserve UDP delivers protection against data loss and extended downtime. That includes on-premises protection for Microsoft 365 workloads. Arcserve UDP also supports immutable storage, a write-once-read-many (WORM) format that ensures the stored data can’t be altered or deleted, even by admins. So your backups are always protected—whether on-premises or off-premises—using either Arcserve OneXafe immutable network-attached storage or the supported Amazon Web Services (AWS) Object Lock in the cloud.

Arcserve UDP furthers data protection with simplified authentication and access control that relies on centralized user account management. Authentication features include multi-factor authentication (MFA) and role-based access controls (RBAC) that keep unauthorized users out.

If (or more likely, when) the time comes that you need to recover your data, Arcserve UDP reduces your downtime from days to minutes and validates your recovery time and recovery point objectives (RTOs/RPOs) with included Arcserve Assured Recovery software. Assured Recovery ensures reliable recovery with fully automated and non-disruptive disaster recovery (DR) testing. You can also schedule automated disaster recovery tests, test business-critical systems, applications, and data in a sandbox, and test backups in real time. 

Arcserve UDP replicates backup data by saving it as recovery points. Each time Arcserve UDP performs a successful backup, a point-in-time snapshot image of the backup is created, enabling you to locate and specify precisely which backup image you want to restore.

Another vital feature of Arcserve UDP is orchestrated recovery. Orchestrated recovery gives you a systematic, coordinated process for shifting critical IT systems, data, and applications from on-premises infrastructure—such as Active Directory—to other resources like Arcserve Cloud Hybrid disaster recovery as a service (DRaaS). Arcserve’s effective orchestration capabilities help you manage complex tasks and workflows, simplifying recovery.

Protect Your Active Directory Deployment

Arcserve technology partners can guide you to the best solutions for your needs. That includes your on-premises Active Directory deployment and any other data protection concerns you need to address.

Find an Arcserve technology partner.

To learn more about Arcserve UDP, request a demo or check out our 30-day free trial offer.
