Ghost hack – criminals use deceased employee’s account to wreak havoc
Security News, January 2021
The Sophos Rapid Response team has just written up a recent case study of a network attack that involved the account of a sysadmin who had died three months before.
The account of the late employee wasn't shut down because various internal services had been configured to use it, presumably because the deceased had been involved in setting up those services in the first place.
Closing down the account, we assume, would have stopped those services working, so keeping the account going was probably the most convenient way of letting the dead person's work live on.
With the account's owner no longer logging in and using it, nobody was paying attention to it, so nobody noticed when it started being used in ways that its surviving service dependencies didn't explain.
In this case, active use of the account of a recently deceased colleague ought to have raised suspicions immediately. But because the account had been deliberately and knowingly kept alive, its abuse looked perfectly normal and therefore unexceptionable, rather than seeming weirdly paranormal and therefore raising an alarm.
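One practical way to make this kind of abuse visible is to stop treating a retained account as a person's account at all: record the narrow baseline the dependent services actually need (logon types, source hosts) and alert on any logon outside it. The script below is an added example, not code from the Sophos write-up and not a description of how the intrusion was actually detected. The account name, host names and Windows Security event 4624 records are all constructed for illustration; the 4624 field names and logon-type numbers are the real ones.

```python
"""Flag logons to 'kept-alive' accounts that fall outside their service baseline.

Added example (not from the Sophos write-up). Assumes a small inventory of
accounts that are only still enabled because services depend on them, and
a feed of Windows Security event 4624 (successful logon) records rendered
as key=value lines. All names, hosts and events below are constructed.
"""
from dataclasses import dataclass

# Logon types as recorded in event 4624 (standard Windows values).
LOGON_TYPES = {
    2: "Interactive",
    3: "Network",
    4: "Batch",
    5: "Service",
    7: "Unlock",
    10: "RemoteInteractive",
    11: "CachedInteractive",
}


@dataclass
class LegacyAccount:
    name: str                      # account kept enabled after the owner left
    expected_logon_types: set      # logon types the dependent services produce
    expected_hosts: set            # hosts those services run on
    reason: str                    # why the account is still enabled


def parse_4624(line):
    """Parse one constructed key=value rendering of a 4624 event into a dict."""
    record = {}
    for token in line.split():
        key, _, value = token.partition("=")
        record[key] = value
    record["LogonType"] = int(record["LogonType"])
    return record


def find_anomalies(records, baseline):
    """Return (time, account, reasons) for logons outside each account's baseline."""
    accounts = {a.name.lower(): a for a in baseline}
    findings = []
    for r in records:
        acct = accounts.get(r["TargetUserName"].lower())
        if acct is None:
            continue  # not a kept-alive account; out of scope for this check
        reasons = []
        lt = r["LogonType"]
        if lt not in acct.expected_logon_types:
            reasons.append(f"logon type {lt} ({LOGON_TYPES.get(lt, 'unknown')}) not in baseline")
        if r["WorkstationName"].upper() not in {h.upper() for h in acct.expected_hosts}:
            reasons.append(f"source host {r['WorkstationName']} not in baseline")
        if reasons:
            findings.append((r["TimeCreated"], acct.name, "; ".join(reasons)))
    return findings


# Constructed inventory: one account retained because two services still run as it.
BASELINE = [
    LegacyAccount(
        name="jdoe",
        expected_logon_types={4, 5},          # batch and service logons only
        expected_hosts={"APP01"},
        reason="backup and reporting services still run under this account",
    ),
]

# Constructed 4624 records: two legitimate service logons, then two that a
# departed employee's account has no business producing, then an unrelated user.
SAMPLE_EVENTS = [
    "TimeCreated=2020-10-01T02:00:00 EventID=4624 TargetUserName=jdoe LogonType=5 WorkstationName=APP01 IpAddress=-",
    "TimeCreated=2020-10-01T02:05:00 EventID=4624 TargetUserName=jdoe LogonType=4 WorkstationName=APP01 IpAddress=-",
    "TimeCreated=2020-10-14T23:41:00 EventID=4624 TargetUserName=jdoe LogonType=10 WorkstationName=WS-FINANCE07 IpAddress=10.0.5.23",
    "TimeCreated=2020-10-15T00:02:00 EventID=4624 TargetUserName=jdoe LogonType=3 WorkstationName=DC01 IpAddress=10.0.5.23",
    "TimeCreated=2020-10-15T00:10:00 EventID=4624 TargetUserName=asmith LogonType=2 WorkstationName=WS-HR02 IpAddress=10.0.9.4",
]


def run_example():
    """Run the check over the constructed events and return the findings."""
    return find_anomalies([parse_4624(e) for e in SAMPLE_EVENTS], BASELINE)


if __name__ == "__main__":
    for when, account, why in run_example():
        print(f"{when} {account}: {why}")
```

The point of the baseline is that a retained account has a far narrower legitimate footprint than a living employee's account: an RDP logon from a finance workstation or a network logon to a domain controller is not something a scheduled backup job produces, so it can be alerted on with confidence even though the account itself is still expected to be active.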
For a list of the Indicators of Compromise for this particular attack, including the Nefilim ransomware and the MEGA file-uploading tools, please see the SophosLabs GitHub account.