A recent ransomware attack highlights the dangers of extraneous accounts sitting on your network – particularly those belonging to former employees.

Standard cyber hygiene calls for purging employees’ credentials and accounts from a corporate network once they quit or are fired from their position. And on those occasions in which an employee dies, that same practice should apply. But according to a blog post this week from Sophos, attackers from the Nefilim ransomware gang recently infiltrated an unnamed company in part by compromising the admin account of an employee who had passed away three months earlier.

According to Sophos, the Nefilim attackers exploited a vulnerability in Citrix software in order to hijack the deceased individual’s admin account. They then used the Mimikatz post-exploitation tool to swipe the credentials of an even higher-privileged domain admin account. Leveraging these privileges, the attackers then exfiltrated hundreds of GB worth of data, and then as a final flourish unleashed the ransomware, impacting more than 100 systems.
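As an added illustration of the hygiene practice the article describes (this is example code written for this page, not code from Sophos, Nefilim or SC Media), the following Python script reconciles a constructed directory export with a constructed HR roster and flags enabled accounts whose owner has left or died, accounts with no HR owner on record, and privileged accounts that have not logged on recently. Every account name, status and date below is made up; a real deployment would feed it an export from the directory service and the HR system.

```python
"""Added example (not from the article): reconcile directory accounts against
an HR roster to surface accounts that should already have been purged,
including privileged ones whose owner has left or died.
All names, statuses and dates below are constructed sample data."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Account:
    name: str            # logon name as exported from the directory
    enabled: bool
    privileged: bool     # member of an admin group (e.g. Domain Admins)
    last_logon: datetime


# Constructed directory export (hypothetical names).
NOW = datetime(2021, 1, 27)
ACCOUNTS = [
    Account("jdoe",    True,  False, NOW - timedelta(days=1)),
    Account("rlee",    True,  True,  NOW - timedelta(days=95)),   # owner died ~3 months ago
    Account("asmith",  True,  False, NOW - timedelta(days=40)),   # owner was terminated
    Account("bkim",    False, True,  NOW - timedelta(days=200)),  # disabled: desired state
    Account("svc-ctx", True,  True,  NOW - timedelta(days=3)),    # service account, no HR owner
]

# Constructed HR roster: logon name -> employment status.
HR_ROSTER = {
    "jdoe": "active",
    "rlee": "deceased",
    "asmith": "terminated",
    "bkim": "terminated",
}


def audit_accounts(accounts, roster, now, stale_days=30):
    """Return (account name, finding) pairs for enabled accounts that violate
    leaver hygiene or that are privileged and dormant for more than stale_days."""
    findings = []
    for acct in accounts:
        if not acct.enabled:
            continue  # a disabled account is the desired end state for a leaver
        status = roster.get(acct.name)
        if status is None:
            findings.append((acct.name, "no HR owner on record"))
        elif status != "active":
            findings.append((acct.name, f"owner status is '{status}' but account is enabled"))
        dormant_for = now - acct.last_logon
        if acct.privileged and dormant_for > timedelta(days=stale_days):
            findings.append((acct.name, f"privileged and unused for {dormant_for.days} days"))
    return findings


if __name__ == "__main__":
    for name, reason in audit_accounts(ACCOUNTS, HR_ROSTER, NOW):
        print(f"{name}: {reason}")
```

The orphan check (no HR owner) matters because service and shared accounts fall outside the joiner/mover/leaver process and tend to accumulate privileges nobody reviews; the dormancy check catches privileged accounts that are still enabled long after their owner stopped using them, which is exactly the condition the article describes.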
