How ghost accounts could leave your organization vulnerable to ransomware

Active accounts for people who have left your organization are ripe for exploitation, according to Sophos.


Cybercriminals can choose a variety of ways to infiltrate and compromise an organization as a prelude to ransomware. One tried-and-true method is to exploit an admin account. And if it's an account that's no longer being used by an employee but is still available, so much the better. A report released Tuesday by security provider Sophos explains how one of its customers was hit by ransomware due to a ghost account.

The attack

An unidentified Sophos customer contacted the company after a ransomware attack affected more than 100 of its systems. The attackers, who used the Nefilim (aka Nemty) ransomware, had compromised a high-level admin account a month before the actual attack, according to the Sophos Rapid Response team.

After gaining access to the account, the attackers spent the month poking around the network, where they ended up stealing the credentials for a domain admin account. Upon finding the files they could hold hostage, they were able to exfiltrate hundreds of gigabytes of data and then carry out the attack.

“Ransomware is the final payload in a longer attack,” Peter Mackenzie, manager for Sophos Rapid Response, said in the report. “It is the attacker telling you they already have control of your network and have finished the bulk of the attack. It is the attacker declaring victory.”

Sophos said that the Rapid Response team knew that criminals who use the Nefilim ransomware typically gain network access through vulnerable versions of Citrix or Microsoft’s Remote Desktop Protocol. In this case, the attackers exploited Citrix software to compromise the admin account and then used the Mimikatz password extraction tool to steal the credentials for the domain admin account.

But the real point of the story lies in the…