"Dead System Admin's Credentials Used for Ransomware Attack"
The security firm Sophos released a report discussing the use of a deceased system administrator's credentials by the operators of the Nefilim ransomware to plant crypto-locking malware. Using these credentials, the Nefilim ransomware operators infected about 100 vulnerable systems. Nefilim, also known as Nemty, is a relatively new ransomware strain that has been used in attacks targeting organizations with unpatched or inadequately secured Citrix remote access technology. Nefilim ransomware was used in attacks against the appliance maker Whirpool and the Australian shipping giant Toll Group. In a recent case study about this ransomware variant, the operators had compromised the account of a system administrator who had died three months previously. The admin account, with its high-level access, allowed the gang to steal credentials for other accounts and a large amount of data before launching the Nefilim ransomware and locking files. This article further discusses the history of Nefilim ransomware and the operators' use of a dead system administrator's credentials to launch an attack against an organization.
BankInfoSecurity reports "Dead System Admin's Credentials Used for Ransomware Attack"