There’s no end to what malicious actors would resort to in order to infiltrate their targets. Even the dead are not safe and their accounts can be used to compromise target organizations. This was discovered thanks to a Sophos Rapid Response case study
The abrupt passing of staff members result in unexpected shifts in workflow due to a lack of an immediate replacement. In a morbid fashion, instead of being deactivated, the deceased staff member’s account remains active until the replacement can be found. This can happen for critical systems which malicious actors can take advantage of. This was a real case for a company that reached out to Sophos about their ransomware ordeal.
The company was infected by the Nefilim ransomware (aka Nemty) which affected over 100 systems. The ransomware of course encrypted some important files and the actors demanded payment. Sophos’ Rapid Response Team conducted the investigation which led to the source being used by a high-privileged account. The account belonged to a staff member that recently passed away. The account wasn’t deactivated because it was used for several important systems.
Since the company was apparently protected using Sophos security, the culprits may have gotten access through phishing and as per Sophos, did not have their Intercept X protection in place that could have stopped Nefilim.
The report did not mention that the ransomware culprit had actual knowledge that the account owner has passed away and purposely targeted it, but companies should be prepared for such a situation and create service accounts for their staff’s respective roles. The real accounts of passed or resigned users should quickly be deactivated and that periodic user audits should be conducted by the company, the results of which are to be used to beef up security.