To all the public and private companies operating around the world, you better keep a tab on credentials related to your dead staff, those who have left the company or are on a long leave. Otherwise, the accounts of such people are on the verge of being used by those spreading Nemty Ransomware.
Yes, what you are reading is absolutely correct as Sophos Rapid Response Group has detected two instances where the credentials of the dead staff where being used to spread ransomware.
Technically dubbed as Ghost accounts, such credentials belong to those left the company for a new job offer, or are on a prolonged leave like maternity leave, unfortunate case of death because of illness, accident or Corona and such.
Sophos found in its research that hackers spreading Nemty Ransomware under the ‘As-a-service’ scheme are using ghost accounts to induce the file encrypting malware into the network that later helps steal a portion of data from the database until a ransom is paid
What’s concerning about this ransomware incident is that the hackers are seen creating accounts on corporate network using domain admin credentials and then deleting the virtual servers and encrypting the server backups- hence putting pressure on the victim to bow down to the ransom demands.
So, all your CIOs and CTOs out there, please see that the ghost accounts are audited at specific intervals and are deleted if the need for them doesn’t arise in the future.
