Ghost accounts are increasingly being used in cyberattacks

Zero-day attack
(Image credit:

By failing to keep close tabs on “ghost” or inactive account credentials, organizations are leaving themselves open to cyberattacks according to new research from Sophos.

The cybersecurity firm's Rapid Response team has published new findings related to how ghost accounts were used to give cybercriminals a way into corporate networks during two recent attacks.

The first attack, which impacted more than 100 systems at the targeted firm, used the Nefilm or Nemty ransomware to find and exfiltrate hundreds of gigabytes of data. However, Sophos responders were able to trace the initial intrusion to an admin account with high level access that the attackers had compromised more than four weeks before encrypting the company's systems with ransomware.

In this case the ghost account belonged to an employee who had passed away three months prior to the attack. However, the firm had kept the account active even after the employee's passing because it was used for a number of services.

Ghost accounts

In the second, unrelated attack, Sophos responders discovered that cybercriminals had created a new user account and added it to the targeted organization's domain admin group in Active Directory.

By using this new domain admin account, the attackers were able to delete approximately 150 virtual servers and encrypt the server backups using Microsoft Bitlocker without setting off any alerts.

Manager of Sophos Rapid Response Peter Mackenzie provided further insight in a press release on how organizations can prevent ghost accounts from being used against them, saying:

“Staying on top of account credentials is basic, but critical cybersecurity hygiene. We see far too many incidents where accounts have been set up, often with considerable access rights, that are then forgotten about, sometimes for years. Such ‘ghost’ accounts are a prime target for attackers. If an organization really needs an account after someone has left the company, they should implement a service account and deny interactive logins to prevent any unwanted activity. Or, if they don’t need the account for anything else, disable it and carry out regular audits of Active Directory.”

Anthony Spadafora

After working with the TechRadar Pro team for the last several years, Anthony is now the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to the best way to cover your whole home or business with Wi-Fi. When not writing, you can find him tinkering with PCs and game consoles, managing cables and upgrading his smart home.