Ride the Lightning

Cybersecurity and Future of Law Practice Blog
by Sharon D. Nelson Esq., President of Sensei Enterprises, Inc.

Dead Employee’s Account Used in Ransomware Attack

January 28, 2021

Naked Security reported on January 26 that the Sophos Rapid Response team has written up a recent case study of a network attack that involved the account of a sysadmin who had died three months before.

The account of the late employee wasn't shut down because various internal services had been configured to use it, presumably because the deceased had been involved in setting up those services.

If they had closed the account, it would have stopped those services from working. It appears that keeping the account going was a matter of convenience. Not good.

Because the deceased employee was not logging into and actively using the account, no one noticed that it wasn't being used in the normal way.

Cybercriminals adore orphaned or abandoned accounts, which lessen their risk of being discovered.

The active use of the account of a recently deceased colleague ought to have raised suspicions immediately – except that the account was deliberately kept alive. Nothing happening with the account triggered any alert. The result was a ransomware infection.

The attackers weren't discovered until significant damage had been done, after they had unleashed the Nefilim ransomware (also known as Nemty) on the victim's network and brought more than 100 computers to a standstill by encrypting all their data.

When Sophos Rapid Response began investigating, they realized that the criminals had access to the network for a full month.

Sophos discovered that the data exfiltration in this attack was already finished by Day 24 of the criminals' 31-day infiltration – the attackers had used the well-known encrypted New Zealand-based cloud service MEGA to steal and store the victim's data.

For two weeks before that, the criminals had been looking quietly around the network, setting up additional accounts of people that didn't exist at all. One of the reasons the crooks take their time before adding their own accounts, directories, registry entries, programs and services is that they like to get a feel for your network and your nomenclature first, so their unauthorized additions don't seem unusual and draw attention.

The attackers also like to see what system administration and hacking tools you have on your network, so that they can "borrow" ones that exist already, thus raising less suspicion than if they downloaded their own favorites – a technique known as "living off the land."

Lesson learned: If an organization really needs an account after someone has left the company (or died), it should convert it to a service account and deny interactive logins to stop any unwanted activity. If it doesn't need the account, it should disable it and carry out regular audits of Active Directory. Active Directory audit policies can be set to monitor for admin account activity or for accounts being added to the Domain Admins group.
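As an added illustration of that audit (my own example, not code from the post or from Sophos), the PowerShell below takes a list of leavers, reports which of their accounts are still enabled and whether services depend on them, and then checks the Security log for interactive logons on those accounts. It assumes the RSAT ActiveDirectory module, read access to AD, and a readable Security log (a domain controller for domain-wide coverage); the leaver list is a constructed sample standing in for an HR feed.

```powershell
# Added example, not code from the original post or from Sophos.
Import-Module ActiveDirectory

# Constructed sample: accounts HR says have left (or died), by sAMAccountName.
$Leavers = @('jsmith', 'adm-jsmith')

# 1. Which leaver accounts are still enabled, and do services depend on them?
#    An account carrying SPNs is the "kept alive for convenience" case from the
#    post: convert it to a service account with interactive logon denied rather
#    than leaving a human login open. Note that a service running under the
#    account keeps LastLogonDate fresh, so logon age alone will not flag it.
$StillEnabled = foreach ($sam in $Leavers) {
    $u = Get-ADUser -Filter "SamAccountName -eq '$sam'" `
         -Properties Enabled, LastLogonDate, ServicePrincipalName, MemberOf
    if ($u -and $u.Enabled) {
        [pscustomobject]@{
            Account       = $u.SamAccountName
            LastLogonDate = $u.LastLogonDate
            HasSPN        = [bool]$u.ServicePrincipalName
            DomainAdmin   = [bool]($u.MemberOf -match '^CN=Domain Admins,')
        }
    }
}
$StillEnabled | Format-Table -AutoSize

# 2. Has anyone logged on *interactively* as a leaver in the last 30 days?
#    Event 4624 logon type 2 = console, 10 = RDP. An account that only runs
#    services should show type 5 (service) or 4 (batch); type 2 or 10 on a
#    dead person's account is exactly the signal that never fired here.
$Since  = (Get-Date).AddDays(-30)
$Events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $Since } `
          -ErrorAction SilentlyContinue
$Suspicious = foreach ($e in $Events) {
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    if (($Leavers -contains $d.TargetUserName) -and ($d.LogonType -in '2', '10')) {
        [pscustomobject]@{
            Time        = $e.TimeCreated
            Account     = $d.TargetUserName
            LogonType   = $d.LogonType
            SourceIP    = $d.IpAddress
            Workstation = $d.WorkstationName
        }
    }
}
$Suspicious | Sort-Object Time | Format-Table -AutoSize
```

Run it on a schedule and route any rows in the second table to whoever handles alerts; in the case above, those rows would have appeared weeks before the ransomware did.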

The outcome of the ransomware attack was not reported, but I'm guessing it wasn't pretty. It's amazing how fast some businesses cut an employee who's left from payroll and how slow they are to delete someone's account on the network.

Sharon D. Nelson, Esq., President, Sensei Enterprises, Inc.
3975 University Drive, Suite 225|Fairfax, VA 22030
Email: Phone: 703-359-0700
Digital Forensics/Cybersecurity/Information Technology
https://senseient.com
https://twitter.com/sharonnelsonesq
https://www.linkedin.com/in/sharondnelson
https://amazon.com/author/sharonnelson