Hackers Spread Nemty Ransomware through the Accounts of Deceased Company Employees

Cybercriminals often use brute-force attacks, phishing emails, and existing data dumps to infiltrate corporate networks, but there is another method that companies often ignore - the use of "ghost accounts." According to experts from Sophos Rapid Response, hackers are using the accounts of deceased employees of companies to distribute ransomware.

In one case, operators of the ransomware Nemty (also known as Nefilim) infected more than 100 systems, encrypting valuable files and demanding a ransom in exchange for a decryption key. While investigating the source of the infection, Sophos identified the original network intrusion via the administrator account. For a month, attackers secretly explored the company's resources, stealing domain administrator credentials and extracting hundreds of gigabytes of data. At the end of the cyberattack, the criminals stole everything of value and deployed the ransomware Nemt

As information security specialists found out, the administrator's account belonged to a former employee who died about three months before the cyber attack. Rather than revoke access and close the "ghost account," the firm decided to keep it active and open "because there were services for which it was used

Experts recommend disabling interactive authorization for any "ghost account" that is allowed to remain connected to corporate resources when the user does not need it, or if the account is really needed, create another account instead.

Previous Post Next Post