It's 9:47 AM on a Tuesday. Your help desk gets a call from someone claiming to be Sarah Chen, VP of Operations. She's locked out of her laptop right before a board presentation and needs her multi-factor authentication (MFA) reset immediately. The caller has Sarah's employee ID, knows her manager's name, references a project she's working on.
Your technician follows the verification script. Everything checks out. Within minutes, a new authentication device is enrolled.
Except the caller isn't Sarah Chen.
By 10:15 AM, the attacker has domain admin privileges. Over the next 48 hours, they create backup admin accounts, modify group policies, and map your entire environment—backup repositories, VMware infrastructure, critical systems, everything. Thursday at 2 AM, they encrypt 400 virtual machines simultaneously.
Friday morning, the factories won't run. Finance systems are dark. Your backup infrastructure—designed to save you in exactly this scenario—is also encrypted because it was accessible through the same credentials now in the attacker's hands.
The CFO asks: How long until we're back up?
The answer: Weeks. Possibly a month.
This is the documented playbook of adversary groups like Scattered Spider, and variations of it have paralyzed manufacturers, healthcare systems, and critical infrastructure over the past two years. The question isn't whether your organization will face this attack. It's whether your architecture can absorb it.
Two Possible Timelines
When your security team discovers Sarah Chen's account was compromised, you face one of two futures:
Timeline A - Current architecture: Your backups are accessible through the same credentials the attacker controls. They're encrypted along with production.
Week one: Forensic validation to find a clean snapshot.
Week two: Manual Active Directory forest recovery—reconstructing group policies, validating trust relationships, hunting for persistence mechanisms. Your AD team works through the rebuild by hand while your CEO explains to analysts why revenue guidance is being revised downward.
Week three: Still rebuilding while suppliers can't access your portal and customers start finding alternatives.
Week four: Systems finally come back online. The CFO calculates losses in the tens of millions. The board wants answers about why recovery took so long.
Timeline B - Resilient architecture: Your backups are logically air-gapped from production credentials. Attackers can't reach them. You have immutable recovery data and automated workflows.
Day one: Validate blast radius and confirm the last clean snapshot.
Day two: Restore identity infrastructure through orchestrated recovery.
Day three: Bring dependent systems online.
Day four: Critical operations resume. Total impact: contained, measurable, manageable.
The difference isn't luck. It's architecture—decisions made before the attack that determine whether you recover in days or weeks.
Why Identity Systems Are the Primary Target
These kinds of attacks work because identity is foundational to IT infrastructure. When authentication fails, everything dependent on it fails too. Finance can't process payroll. Manufacturing execution systems can't verify credentials to production controllers. Supply chain portals lock out partners.
Rebuilding an Active Directory forest manually takes weeks: validating trust relationships, reconstructing group policies, recovering service accounts, ensuring no malicious persistence remains. Every day identity stays down is another day operations stay frozen.
But even that assumes you have clean backups to work from. When attackers also compromise your backup infrastructure—which the Verizon 2024 Data Breach Investigations Report found to succeed in 94% of the ransomware attacks that attempted it—every restore point becomes suspect. Which snapshot is clean? Which contains the attacker's backdoor?
The one-two punch: take down what you need to operate (identity) and poison what you need to recover (backups). The Verizon report also found that stolen credentials were used as the entry point in 20% of breaches, making it one of the top three attack vectors. IBM's 2024 Cost of a Data Breach Report puts the global average breach cost at $4.88 million, but some incidents involving prolonged identity recovery have cost organizations more than $300 million.
The Scattered Spider Playbook
Scattered Spider (also tracked as UNC3944 and Octo Tempest) perfected a multi-stage approach that exploits vulnerable identity systems and the integrated design of most enterprise environments. Here’s how they do it:
Phase 1 - Social engineering for initial access: No zero-days required. Threat actors call help desks impersonating employees, use SIM swaps to intercept MFA codes, or deploy phishing kits that steal session cookies and bypass multi-factor authentication. The initial access uses legitimate authentication mechanisms, so technical defenses don't trigger.
Phase 2 - Immediate targeting of identity systems: Once inside, intruders go straight for Okta, Entra ID, or Active Directory. They add rogue admin accounts, register attacker-controlled MFA devices, modify directory permissions. These changes are subtle—an extra service account here, a group policy tweak there. Security teams often don't notice for days.
Phase 3 - Reconnaissance using trusted tools: Instead of malware that triggers alerts, threat actors weaponize tools already in your environment. PowerShell scripts. Cloud management consoles. Remote access tools like AnyDesk. Their activity blends with normal IT operations.
Phase 4 - Mass encryption via virtualization: They compromise VMware vCenter or cloud hypervisors to control entire virtualized environments, deploying ransomware across hundreds of systems simultaneously—turning Tuesday's single compromised account into Friday's enterprise-wide encryption event.
By the time ransomware deploys, they've already established persistence in your identity systems and positioned themselves to compromise recovery infrastructure. The encryption is just the announcement of a well-executed intrusion.
What Timeline B Requires
Switching from Timeline A to Timeline B requires three capabilities, implemented before the breach:
Immutable backups attackers can't reach: If Tuesday's help desk call compromised your domain admin credentials, would those credentials reach your backup infrastructure? For most organizations, the answer is "yes": backups sit on the same network, accessible through the same directory services. Logical air-gapping and immutability controls separate your backup infrastructure from production credentials, so when attackers encrypt your environment, recovery data stays intact.
Orchestrated identity recovery: If Sarah Chen's compromised account led to full AD compromise, manual forest recovery would take your team weeks. Automated orchestration restores Active Directory, Entra ID, and Okta to a known-good state in hours. Authentication comes back online and dependent systems follow.
Continuous validation before you need it: Most organizations start checking backups for compromise after the attack. If you scan continuously, you always know your last clean snapshot. When ransomware hits, you're not spending weeks on forensic validation—you already know what's safe.
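The continuous-validation idea above, as an added illustration that is not Rubrik's code or any product's scanning logic: each retained identity snapshot is compared with the last known-clean one, and any privileged change (a new Domain Admins member, a newly registered MFA device) that is not in the change-control register marks that snapshot as suspect, so the last clean restore point is known before an incident. The snapshot format, field names and dates are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class IdentitySnapshot:
    """Constructed view of one backup snapshot of the identity estate (assumed format)."""
    taken: str                                # ISO date the snapshot was taken
    domain_admins: frozenset                  # account names in Domain Admins
    mfa_devices: frozenset                    # (user, device id) registrations

def diff_privileged(prev, cur):
    """Privileged-identity changes introduced between two snapshots as (kind, subject, detail)."""
    changes = [("admin_added", acct, "") for acct in sorted(cur.domain_admins - prev.domain_admins)]
    changes += [("mfa_registered", user, dev) for user, dev in sorted(cur.mfa_devices - prev.mfa_devices)]
    return changes

def find_last_clean(snapshots, approved):
    """Walk snapshots oldest to newest. A snapshot stays clean while every privileged change
    since the last clean one is in the approved change register. Returns
    (last_clean, first_suspect_or_None, unapproved_changes)."""
    snaps = sorted(snapshots, key=lambda s: s.taken)
    last_clean = snaps[0]          # assumption: the oldest retained snapshot was already validated
    for cur in snaps[1:]:
        unapproved = [c for c in diff_privileged(last_clean, cur) if c not in approved]
        if unapproved:
            return last_clean, cur, unapproved
        last_clean = cur
    return last_clean, None, []

# Constructed sample history: day 2 carries an approved MFA re-enrollment (ticketed);
# day 3 carries a rogue admin account and an unrequested MFA device, the Phase 2 pattern.
SNAPSHOTS = [
    IdentitySnapshot("2024-06-03", frozenset({"admin.ops", "svc_backup"}),
                     frozenset({("schen", "phone-01"), ("admin.ops", "yubikey-07")})),
    IdentitySnapshot("2024-06-04", frozenset({"admin.ops", "svc_backup"}),
                     frozenset({("schen", "phone-01"), ("admin.ops", "yubikey-07"),
                                ("jdoe", "phone-22")})),
    IdentitySnapshot("2024-06-05", frozenset({"admin.ops", "svc_backup", "svc_sync2"}),
                     frozenset({("schen", "phone-01"), ("schen", "phone-99"),
                                ("admin.ops", "yubikey-07"), ("jdoe", "phone-22")})),
]
APPROVED = {("mfa_registered", "jdoe", "phone-22")}   # entries from the change-control register

if __name__ == "__main__":
    clean, suspect, why = find_last_clean(SNAPSHOTS, APPROVED)
    print("last clean snapshot:", clean.taken)
    if suspect:
        print("first suspect snapshot:", suspect.taken, "unapproved changes:", why)
```

The same walk, run on every new snapshot as it lands, is what turns "which restore point is safe?" from a week of forensics into a lookup.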
Every organization that recovers quickly did the same thing: built these capabilities before they needed them.
Get on Timeline B With Rubrik
Rubrik's platform was built for the scenario that opened this article—when attackers compromise both identity and backups:
Immutable, logically air-gapped backups stay protected even when attackers gain full domain admin control. Attackers can't reach them through compromised credentials, can't encrypt them, can't delete them.
Orchestrated recovery for Active Directory, Entra ID, and Okta eliminates weeks-long manual rebuilds. The platform restores identity infrastructure to a known-good state in hours through automated workflows.
The Preemptive Recovery Engine (PRE) continuously scans backup snapshots for indicators of compromise. When you need to recover, PRE has already analyzed your backup history, detected malicious Active Directory changes like the rogue admin accounts Scattered Spider creates, identified suspicious group policy modifications, and marked the last clean recovery point. You're not guessing—you know exactly what's compromised and what's safe.
Even if the Tuesday morning attack succeeds and ransomware deploys by Friday, you're not gambling on backup integrity or facing weeks of manual AD reconstruction. You have trusted recovery data, a validated clean restore point, and orchestrated workflows to get back online in days, not weeks.
The Architecture Decision
Next Tuesday when your help desk gets that call, your recovery timeline is already determined by the architecture decisions you've made.
Scattered Spider and similar groups continue refining techniques and targeting critical infrastructure. The attacks that worked will be tried again. The question isn't whether sophisticated attacks will succeed—some will, despite your best prevention efforts.
Your architecture determines the outcome: manageable incident or existential crisis.
Timeline A or Timeline B. Weeks of paralysis or days of controlled recovery. The decision is yours, but make it before Tuesday's call comes.
Learn how Rubrik enables rapid recovery from identity-focused attacks.