Nefilim Ransomware Gang Hits Jackpot with Ghost Account
2021-01-26 17:15

A Nefilim ransomware attack that locked up more than 100 systems stemmed from the compromise of an unmonitored account belonging to an employee who had died three months previously, researchers said.

According to Sophos researcher Michael Heller, this latest victim was compromised by exploiting vulnerable versions of Citrix software, after which the gang gained access to an admin account.

"The threat actor installed the file transfer and synchronization application MEGA in order to exfiltrate data; [and] the Nefilim ransomware binaries were deployed using Windows Management Instrumentation via the compromised domain admin account."

"If an organization really needs an account after someone has left the company, they should implement a service account and deny interactive logins to prevent any unwanted activity," Heller noted.

"Or, if they don't need the account for anything else, disable it and carry out regular audits of Active Directory. Active Directory Audit Policies can be set to monitor for admin account activity or if an account is added to the domain admin group."

Best practices to avoid attacks like this include only granting access permissions that are needed for a specific task or role; disabling accounts that are no longer needed; implementing a service account and denying interactive logins for any "Ghost" accounts; and carrying out regular audits of Active Directory to monitor for admin account activity or if an unexpected account is added to the domain admin group.
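The audit steps in that list (find enabled accounts nobody has used for months, flag the ones that still hold privileged group membership, and watch the Security log for anyone being added to Domain Admins) can be scripted against Active Directory. The following PowerShell is an added example written for this page; it is not code from Sophos, Threatpost or the article, and the 90-day threshold, report path, group list and `$DryRun` switch are assumptions. It requires the RSAT ActiveDirectory module and rights to read the Security log on a domain controller.

```powershell
# Added example: audit for "ghost" accounts and privileged-group changes in AD.
# Assumptions: RSAT ActiveDirectory module installed; run with rights to read
# the Security event log on the domain controller named in $DC.
Import-Module ActiveDirectory

$InactiveDays     = 90                              # assumed threshold
$ReportPath       = 'C:\Reports\ghost-accounts.csv' # assumed output path
$DC               = (Get-ADDomainController).HostName
$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Administrators')
$DryRun           = $true   # set to $false to actually disable accounts

# 0. Make sure group-membership changes are audited at all. In production this
#    belongs in a GPO applied to domain controllers; auditpol sets it locally.
auditpol /set /subcategory:"Security Group Management" /success:enable /failure:enable | Out-Null
auditpol /set /subcategory:"User Account Management"  /success:enable /failure:enable | Out-Null

# 1. Enabled user accounts with no logon in $InactiveDays days.
#    Search-ADAccount relies on lastLogonTimestamp, which is replicated but can
#    lag the true last logon by up to 14 days, so the threshold is approximate.
$Stale = Search-ADAccount -AccountInactive -TimeSpan (New-TimeSpan -Days $InactiveDays) -UsersOnly |
    Where-Object { $_.Enabled } |
    Get-ADUser -Properties LastLogonDate, MemberOf, Description

$Stale |
    Select-Object SamAccountName, LastLogonDate, Description |
    Export-Csv -Path $ReportPath -NoTypeInformation

# 2. Stale accounts that are still members of a privileged group are the
#    dangerous ones (the article's case: a dead employee's admin account).
foreach ($User in $Stale) {
    $GroupNames = foreach ($dn in $User.MemberOf) { (Get-ADGroup -Identity $dn).Name }
    $Privileged = $GroupNames | Where-Object { $PrivilegedGroups -contains $_ }

    if ($Privileged) {
        Write-Warning ("{0}: stale since {1}, still in {2}" -f
            $User.SamAccountName, $User.LastLogonDate, ($Privileged -join ', '))
    }

    # Disable rather than delete, so the SID and group history survive for review.
    Disable-ADAccount -Identity $User -WhatIf:$DryRun
}

# 3. Detect additions to privileged groups in the last 24 hours.
#    4728 = member added to a global group (Domain Admins),
#    4756 = universal group (Enterprise Admins), 4732 = domain local (Administrators).
$Filter = @{ LogName = 'Security'; Id = 4728, 4732, 4756; StartTime = (Get-Date).AddDays(-1) }

Get-WinEvent -ComputerName $DC -FilterHashtable $Filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Parse the event XML by field name rather than by positional index.
        [xml]$Xml = $_.ToXml()
        $Data     = @{}
        foreach ($d in $Xml.Event.EventData.Data) { $Data[$d.Name] = $d.'#text' }

        if ($PrivilegedGroups -contains $Data['TargetUserName']) {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Group   = $Data['TargetUserName']
                Member  = $Data['MemberName']
                AddedBy = $Data['SubjectUserName']
                EventId = $_.Id
            }
        }
    } | Format-Table -AutoSize
```

Run it first with `$DryRun = $true`: `Disable-ADAccount -WhatIf` prints what would be disabled without changing anything, and the CSV plus the group-change table give a reviewable list before any account is touched. Step 3 only sees events that were written after auditing was enabled, so the auditpol (or equivalent GPO) must be in place before it is useful.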


News URL

https://threatpost.com/nefilim-ransomware-ghost-account/163341/
