Cybercriminals use deceased staff accounts to spread Nemty ransomware

Researchers explore how ‘ghost’ accounts can become targets for threat actors.

Cybercriminals will often use brute-force attacks, phishing emails, and existing data dumps to break into corporate networks but there is one area that is often ignored to a company's detriment: ghost accounts. 

It is not always the case that when a staff member leaves their employ, whether due to a new job offer, changes of circumstance, illness, or in unfortunate cases, death, that their accounts are removed from corporate networks. 

This oversight is one that cybercriminals are now taking advantage of, and in a recent case, actively exploited in order to spread ransomware. 

In a case study documented by Sophos' cyberforensics group Rapid Response on Tuesday, an organization reached out after being infected by Nemty ransomware. 

According to Sophos, the ransomware -- also known as Nefilim -- impacted over 100 systems, encrypting valuable files and demanding payment in return for a decryption key. 

First detected in 2019, Nemty was a Ransomware-as-a-Service (RaaS) variant of malware that could be purchased in underground forums. In 2020, the developers took Nemty private, reserving the code's future development for select partners. 

During an investigation into the source of the infection, Sophos narrowed down the original network intrusion to a high-level administrator account. Over the course of a month, the threat actors quietly explored the company's resources, obtaining domain admin account credentials and exfiltrating hundreds of gigabytes' worth of data. 

Once the cyberattackers had finished their reconnaissance and taken everything of value, Nemty was deployed.

"Ransomware is the final payload in a longer attack," noted Peter Mackenzie, Rapid Response manager. "It is the attacker telling you they already have control of your network and have finished the bulk of the attack. Identifying you are under a ransomware attack is easy, identifying the attacker was on your network a week earlier is what counts."

The cybersecurity team asked who the high privilege administration account belonged to. The victim company said the account belonged to a former member of staff who passed away approximately three months before the cyberintrusion. 

Instead of revoking access and closing down the 'ghost' account, the firm chose to keep it active and open "because there were services that it was used for."

Sophos suggests that any ghost account allowed to stay connected to corporate resources once the user has no need of it should have interactive logins disabled, or if the account is really needed, a service account should be created in its stead. 

In addition, the team says that zero-trust measures should be implemented companywide to reduce potential attack surfaces.

In another case noted by Sophos, a new user account was covertly created on a corporate network and added to a domain admin group in Active Directory, and this account was used to delete roughly 150 virtual servers and deploy Microsoft BitLocker to encrypt existing server backups, piling on the pressure for payment. 

Update 16.03 GMT: Added detail for additional clarity concerning the two case studies.

Previous and related coverage


Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0