TL;DR: Identity recovery is a critical line of defense as AI-driven attacks become faster and more targeted. With identity systems like Active Directory and Microsoft Entra ID as the primary targets, organizations that lack a tested, automated recovery plan face downtime costs that can reach hundreds of millions. Prevention still matters, but the organizations that fare best are the ones that have already rehearsed what happens after an attack gets through.

Ransomware attacks are becoming faster and more automated, so the ability to recover identity systems increasingly determines how far damage spreads and how long outages last.

The 2025 Verizon Data Breach Investigations Report found ransomware present in 44% of breaches. That growth coincides with a surge in AI-assisted attacks and a growing number of active threat groups. According to Microsoft, organizations face an estimated 600 million identity attacks every day, a volume that no one can defend against through prevention alone. The organizations that fare best are the ones with the most rehearsed, automated path to recovery and a dedicated identity threat detection and response (ITDR) capability in place before an attack begins.

The rise of AI-powered ransomware

Artificial intelligence has transformed attacker economics, reach, and speed. What once required specialized expertise can now be executed by less skilled operators using off-the-shelf tools.

AI-powered social engineering has become a primary entry point for ransomware attacks. Help desks are talked into resetting credentials or MFA by callers who arrive with realistic contextual details and a convincing impersonation, enough to pass the verification questions as written. Voice and video cloning have reached a level of fidelity that is difficult to distinguish from legitimate communications.

Phishing has also evolved. Messages are tailored to the recipient's industry and role, and they arrive at volumes that no amount of security awareness training can fully address.

Once an attacker identifies a target, AI accelerates every step of what follows. Automated tooling handles reconnaissance, analyzing network data for vulnerabilities, mapping unpatched systems, and flagging high-value assets. Once inside, AI-assisted lateral movement lets attackers spread faster than traditional detection methods can respond.

Speed and expertise are no longer barriers to entry, making identity recovery mandatory. Enterprises should assume threat actors will get inside and a ransomware incident will happen.

Active Directory and Microsoft Entra ID as key targets

Attackers target identity systems because they are the keys to the kingdom, the most direct path to the data and intellectual property that is worth a ransom. Microsoft Active Directory (AD) remains the number one target in enterprise ransomware attacks because it is deeply embedded in enterprise environments and, in many cases, not as tightly managed as it should be.

When AD is down, organizations lose access to applications, databases, and files. Recovery of other systems can’t begin until identity is restored, since permissions and authentication depend on it. Put simply, if organizations can’t recover Active Directory, they can’t recover anything else.

And every hour counts. According to Forrester, AD downtime costs organizations $730,000 per hour on average (based on a 5,000-user organization). With manual AD recovery times ranging from hours to weeks following a ransomware attack, losses can easily climb into the millions. And for larger organizations with tens or hundreds of thousands of users, the costs skyrocket into the hundreds of millions.

The threat is expanding into cloud environments as well.

Microsoft's Digital Defense Report found that over 40 percent of attacks now involve hybrid components, targeting both on-premises and cloud environments. As organizations continue to migrate workloads and users to Microsoft Entra ID, that number can only be expected to grow. Native capabilities like the Entra ID recycle bin provide limited recovery for deleted objects: it holds soft-deleted users, Microsoft 365 groups and applications for 30 days, while deleted security groups are not recoverable at all. It does not capture modifications to existing objects, such as changes to group membership, attributes, or conditional access policies, leaving significant gaps in identity recovery coverage.

Microsoft’s recent introduction of Entra Backup & Recovery in public preview is a signal that Entra ID recovery is becoming a baseline industry expectation. Even so, native tooling is generally designed for targeted, short-term rollback rather than large-scale recovery across complex hybrid environments. Organizations need longer retention, full object and relationship fidelity, and coordinated recovery spanning Active Directory and Entra ID, requiring purpose-built identity recovery solutions that go beyond what built-in capabilities currently provide.

Enterprise-grade recovery demands more than point-in-time rollback. It requires granular recovery, comprehensive object coverage, and the ability to restore identity systems at scale after a major attack or operational failure. Organizations operating in hybrid environments need unified visibility and recovery across both domains, not just one.

Why prevention alone is no longer enough

Prevention is important, but it must be paired with tested and proven AD and Entra ID recovery because, at current attack volumes and sophistication, some attacks will succeed.

IBM estimates that the average cost of a ransomware incident exceeds $5 million – an all-in number that includes not just the ransom payment, but downtime, overtime, consulting, legal fees, and reputational damage. For large enterprises, the cost can reach hundreds of millions.

If the organization is not prepared for a ransomware attack, identity recovery is chaos. Recovery calls can include dozens of participants rotating in and out, all with competing priorities. The decision to initiate recovery, which should be straightforward, becomes contentious.

Strategies for identity recovery

Defending against ransomware starts with building the capacity to recover from it. And that means investing in automation, testing, and strategies that reflect how attacks actually unfold. Three principles should guide that effort.

1. Automate recovery

Manual hybrid AD recovery does not scale. Even in small environments, restoring AD domain controllers by hand can take hours. In distributed, global environments, that timeline quickly becomes unmanageable.

Automation reduces recovery time dramatically and removes unnecessary human dependency. It lets teams redirect attention to other priorities instead of monitoring each step of a lengthy manual procedure. When recovery is predefined and automated, it can be executed decisively without deliberation in the middle of a crisis.

2. Recover in phases

A cyberattack is not like a physical disaster. A tornado or earthquake may destroy infrastructure in a single location. A cyberattack spreads enterprise-wide. The most effective recovery strategies prioritize main data centers, typically headquarters where business applications reside, and recover remote domain controllers in subsequent phases as different sites come back online instead of waiting for a complete Active Directory forest recovery.

Not every incident requires a full AD forest recovery. In some cases the directory is intact but altered: attackers reset every user password, for example, locking the entire organization out of its own environment. Granular, object-level recovery lets organizations restore the affected objects from backup and reverse those changes quickly without a full recovery operation.

The alternative – manually resetting each password and notifying every affected user – is a multi-day effort, assuming you can get back into the Active Directory forest at all. And even then, a persistent attacker can simply reset the passwords again, turning recovery into an exhausting cycle of manual remediation that further cripples the organization.

The most capable identity recovery platforms allow administrators to compare the current state of the directory against a known-good state, identify exactly what changed and when, and selectively roll back only the affected objects without touching everything else.
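The state comparison and object-level rollback described here, and the group, attribute and policy changes the recycle bin misses (above), come down to a diff between two snapshots of the directory. The Python below is an added example written for this article; it is not Quest's product code and uses no Microsoft API. The two snapshots are constructed: attribute names mirror Active Directory (sAMAccountName, pwdLastSet, memberOf, userAccountControl), but the GUIDs and values are invented. It identifies what changed, flags the mass-password-reset pattern from the previous paragraphs, and builds a rollback plan that touches only the affected objects. In a real environment the snapshots would come from a backup export, and a restore_attribute action on pwdLastSet would mean restoring the object's credential material from the backed-up copy, since that timestamp cannot simply be written back.

```python
"""Diff a known-good directory snapshot against the current state, flag a
mass password reset, and plan an object-level rollback.
Added example, not product code. Snapshots are constructed: attribute names
mirror Active Directory, GUIDs and values are invented."""
from datetime import datetime

ALICE, BOB, CAROL, DAVE, SVC = (
    "11111111-0000-0000-0000-000000000001",
    "11111111-0000-0000-0000-000000000002",
    "11111111-0000-0000-0000-000000000003",
    "11111111-0000-0000-0000-000000000004",
    "11111111-0000-0000-0000-000000000009",
)

# Known-good export (constructed).
BASELINE = {
    ALICE: {"sAMAccountName": "alice", "pwdLastSet": "2025-01-10T08:00:00Z",
            "memberOf": ["Domain Users"], "userAccountControl": 512},
    BOB:   {"sAMAccountName": "bob", "pwdLastSet": "2025-02-03T09:15:00Z",
            "memberOf": ["Domain Users", "Finance"], "userAccountControl": 512},
    CAROL: {"sAMAccountName": "carol", "pwdLastSet": "2025-03-01T12:00:00Z",
            "memberOf": ["Domain Users"], "userAccountControl": 512},
    DAVE:  {"sAMAccountName": "dave", "pwdLastSet": "2024-12-20T10:30:00Z",
            "memberOf": ["Domain Users", "IT"], "userAccountControl": 512},
}

# Current state after a constructed intrusion: every surviving user's password
# was reset within seconds, carol was disabled (UAC 514), dave was deleted,
# and a new account was dropped straight into Domain Admins.
CURRENT = {
    ALICE: {"sAMAccountName": "alice", "pwdLastSet": "2025-06-01T03:12:10Z",
            "memberOf": ["Domain Users"], "userAccountControl": 512},
    BOB:   {"sAMAccountName": "bob", "pwdLastSet": "2025-06-01T03:12:15Z",
            "memberOf": ["Domain Users", "Finance"], "userAccountControl": 512},
    CAROL: {"sAMAccountName": "carol", "pwdLastSet": "2025-06-01T03:12:20Z",
            "memberOf": ["Domain Users"], "userAccountControl": 514},
    SVC:   {"sAMAccountName": "svc-sync9", "pwdLastSet": "2025-06-01T03:11:00Z",
            "memberOf": ["Domain Admins"], "userAccountControl": 512},
}


def diff_snapshots(baseline, current):
    """Return deleted and created GUIDs plus per-object attribute changes as
    {guid: {attr: (old, new)}}. Unchanged objects are not listed."""
    deleted = sorted(set(baseline) - set(current))
    created = sorted(set(current) - set(baseline))
    modified = {}
    for guid in sorted(set(baseline) & set(current)):
        changes = {}
        for attr in sorted(set(baseline[guid]) | set(current[guid])):
            old, new = baseline[guid].get(attr), current[guid].get(attr)
            if old != new:
                changes[attr] = (old, new)
        if changes:
            modified[guid] = changes
    return {"deleted": deleted, "created": created, "modified": modified}


def _parse(ts):
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def detect_mass_password_reset(diff, baseline, window_seconds=900, threshold=0.5):
    """GUIDs whose pwdLastSet moved, but only when they cover at least
    `threshold` of the baseline population and all fall inside the window.
    A handful of routine resets spread over a day returns []."""
    stamps = {guid: _parse(ch["pwdLastSet"][1])
              for guid, ch in diff["modified"].items() if "pwdLastSet" in ch}
    if not stamps or len(stamps) < threshold * len(baseline):
        return []
    if (max(stamps.values()) - min(stamps.values())).total_seconds() > window_seconds:
        return []
    return sorted(stamps)


def plan_rollback(diff, baseline, only=None):
    """Object-level restore actions. `only` restricts the plan to a set of
    GUIDs (for example the mass-reset victims); None means every change.
    Deleted objects are restored from the baseline, changed attributes are
    reverted individually, and objects the attacker created are flagged for
    review rather than deleted, because the diff alone cannot prove intent."""
    def wanted(guid):
        return only is None or guid in only

    plan = []
    for guid in diff["deleted"]:
        if wanted(guid):
            plan.append({"action": "restore_object", "guid": guid,
                         "value": baseline[guid]})
    for guid, changes in diff["modified"].items():
        if wanted(guid):
            for attr, (old, _new) in changes.items():
                plan.append({"action": "restore_attribute", "guid": guid,
                             "attr": attr, "value": old})
    for guid in diff["created"]:
        if wanted(guid):
            plan.append({"action": "review_new_object", "guid": guid})
    return plan


if __name__ == "__main__":
    d = diff_snapshots(BASELINE, CURRENT)
    victims = detect_mass_password_reset(d, BASELINE)
    print("deleted:", d["deleted"], "created:", d["created"])
    print("mass reset victims:", len(victims), "of", len(BASELINE))
    for step in plan_rollback(d, BASELINE, only=set(victims)):
        print(step["action"], step["guid"][-2:], step.get("attr", ""))
```

Run as written, the diff reports one deleted object, one created object and three modified users; the three password changes land within ten seconds and cover 75 percent of the population, so they are flagged as a mass reset, and the scoped plan contains only the four attribute reverts on those three accounts. The new Domain Admins member and the deleted account still appear in the unscoped plan, which is the point of comparing against a known-good state rather than relying on a recycle bin that only sees deletions.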

3. Test regularly

Having a recovery solution is not enough. Deploying it is not enough. Organizations must practice identity recovery regularly with the people responsible for executing it.

Quest’s ITDR research found that only 24 percent of organizations test their identity recovery at least every six months, and another 24 percent never test at all. Organizations often perceive testing as too burdensome, involving too many people and taking too much time.

With automation, recovery exercises can be run in isolated environments across different scenarios and with different team members, reducing the burden substantially. Documented, regular testing can also help with cyber insurance, since it demonstrates a lower risk of prolonged downtime.

Identity recovery can’t wait

AI is helping attackers make precise calculations about when and how to deploy ransomware for maximum impact. Cybercriminals now have access to the same information about vulnerabilities and downtime costs that security teams do, and they’re using it to determine exactly when organizations will be forced to pay.

Security teams that invest in tested, automated AD and Entra ID recovery before an attack are better positioned to survive one and to deny attackers the leverage they’re counting on.

Rakesh Shah is the VP of Product Management & Marketing for the Identity & Migration portfolios. Previously, he was the VP of product management for all products & services at LevelBlue, formerly known as AT&T Cybersecurity. He also led product management at AlienVault prior to its acquisition by AT&T.

Rakesh also led product management for insider threat, behavioral analytics, and security orchestration products at Forcepoint, and he spent over 15 years at Arbor Networks in a variety of product management, marketing, and engineering leadership roles. He has an M.B.A. from the University of Michigan, Ann Arbor, an M.Eng. degree from Cornell University and a B.S. degree from the University of Illinois at Urbana-Champaign, both in Electrical & Computer Engineering.
