Security News > 2021 > January > How ghost accounts could leave your organization vulnerable to ransomware
Active accounts for people who have left your organization are ripe for exploitation, according to Sophos.
A report released Tuesday by security provider Sophos explains how one of its customers was hit by ransomware due to a ghost account.
After gaining access to the account, the attackers spent the month poking around the network where they ended up stealing the credentials for a domain admin account.
Asked who owned the exploited account, the customer found that the account had belonged to an employee who had died three months before the initial move by the attackers.
You can set Active Directory audit policies to monitor for admin account activity and determine if an account is added to the domain admin group.
"No account with privileges should be used by default for work that doesn't require that level of access. Users should elevate to using the required accounts when needed and only for that task."