Cybercriminals can choose a variety of ways to infiltrate and compromise an organization as a prelude to ransomware. One tried and true method is to exploit an admin account. And if it’s an account that’s no longer being used by an employee but is still available, so much the better. A report released Tuesday by security provider Sophos explains how one of its customers was hit by ransomware due to a ghost account.


The attack

An unidentified Sophos customer contacted the company after a ransomware attack affected more than 100 of its systems. Using the Nefilim (aka Nemty) ransomware, the attackers had compromised a high-level admin account a month before the actual attack, according to the Sophos Rapid Response team.

After gaining access to the account, the attackers spent the month moving quietly through the network, eventually stealing the credentials for a domain admin account. Once they had located the files they could hold hostage, they exfiltrated hundreds of gigabytes of data and then launched the ransomware.

“Ransomware is the final payload in a longer attack,” Peter Mackenzie, manager for Sophos Rapid Response, said in the report. “It is the attacker telling you they already have control of your network and have finished the bulk of the attack. It is the attacker declaring victory.”

Sophos said that the Rapid Response team knew that criminals who use the Nefilim ransomware typically gain network access through vulnerable versions of Citrix or Microsoft’s Remote Desktop Protocol. In this case, the attackers exploited Citrix software to compromise the admin account and then used the Mimikatz password extraction tool to steal the credentials for the domain admin account.

But the real point of the story lies in the compromised admin account. Asked who owned the exploited account, the customer found that the account had belonged to an employee who had died three months before the initial move by the attackers. The account was kept active because it was still used for certain services. As a result, the Sophos team had to figure out which aspects of the account were legitimate and which were now malicious.

Lessons learned

Keeping an account active for someone no longer with the company was the first mistake. If you truly need such an account for administrative reasons, convert it into a service account and deny interactive logins so it cannot be used for hands-on-keyboard activity. If you no longer need the account for anything else, disable it, and run regular audits of Active Directory to catch the ones that slip through.

You can set Active Directory audit policies to monitor admin account activity and to flag whenever an account is added to the Domain Admins group. Even further, think twice before making any account a domain admin in the first place.

“People assume because a person is an executive or is in charge of the network that they need to be using a domain admin account,” Mackenzie said. “No account with privileges should be used by default for work that doesn’t require that level of access. Users should elevate to using the required accounts when needed and only for that task.”

To protect your organization from being compromised due to ghost accounts, Sophos offers the following advice:

  • Only grant the access permissions needed for a specific task or role.
  • Disable accounts no longer needed.
  • If you need to keep an account active after the original owner has left the organization, implement it as a service account and deny interactive logins.
  • Carry out regular audits of Active Directory.
  • Have a robust security solution in place, ideally with anti-ransomware technologies.
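As an added example (not part of the Sophos report or this article), the following PowerShell audit implements the "disable", "audit Active Directory" and "watch the Domain Admins group" advice above. It assumes the RSAT ActiveDirectory module, a 90-day staleness threshold chosen for illustration, and read access to a domain controller's Security log.

```powershell
# Added example, not from the Sophos report: audit AD for "ghost" accounts
# and for recent additions to Domain Admins. Assumes the ActiveDirectory
# module and rights to read the domain and a DC's Security log.
Import-Module ActiveDirectory

$StaleDays = 90                       # assumed threshold; tune to policy
$Cutoff    = (Get-Date).AddDays(-$StaleDays)

# 1. Enabled user accounts with no logon in $StaleDays days (or ever).
#    LastLogonDate derives from the replicated lastLogonTimestamp, so it
#    is coarse (about two weeks) but good enough for an audit pass.
$Stale = Get-ADUser -Filter { Enabled -eq $true } `
            -Properties LastLogonDate, Description, Manager |
    Where-Object { -not $_.LastLogonDate -or $_.LastLogonDate -lt $Cutoff }

# 2. Current Domain Admins, resolved through nested groups.
$DomainAdmins = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Where-Object { $_.objectClass -eq 'user' }

# 3. The dangerous intersection: stale, still enabled, and a domain admin.
#    Note: an account still used by services (the article's case) will not
#    look stale, so also review admins with no Manager or Description.
$StaleAdmins = $Stale |
    Where-Object { $_.DistinguishedName -in $DomainAdmins.DistinguishedName }
$StaleAdmins | Select-Object SamAccountName, LastLogonDate, Manager, Description |
    Format-Table -AutoSize

# 4. Detection: who was added to Domain Admins in the last 30 days.
#    Event 4728 = "A member was added to a security-enabled global group";
#    it requires the "Audit Security Group Management" subcategory. Field
#    order in the event schema: MemberName(0), MemberSid(1),
#    TargetUserName(2 = group), ..., SubjectUserName(6 = who did it).
$DC = [string](Get-ADDomainController -Discover).HostName
Get-WinEvent -ComputerName $DC -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4728
    StartTime = (Get-Date).AddDays(-30)
} -ErrorAction SilentlyContinue |
    Where-Object { $_.Properties[2].Value -eq 'Domain Admins' } |
    Select-Object TimeCreated,
        @{ n = 'AddedBy'; e = { $_.Properties[6].Value } },
        @{ n = 'Member';  e = { $_.Properties[0].Value } }

# 5. Remediation is deliberate, not automatic: review, then disable.
#    Disabling keeps the object (and its history) for forensics.
# $StaleAdmins | ForEach-Object { Disable-ADAccount -Identity $_ -WhatIf }
```

Interactive logon for a retained service account is denied through the "Deny log on locally" and "Deny log on through Remote Desktop Services" user rights in Group Policy rather than a cmdlet, so that step is left to GPO.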
