Skip to content
Naked Security Naked Security

Ghost hack – criminals use deceased employee’s account to wreak havoc

Most companies are quick to remove ex-staff from the payroll, but often not so quick to shut down their network access.

Many, if not most, organisations will tell you that they have processes and procedures that they follow when employees leave.

In particular, most companies have a slick and quick procedure for removing ex-staff from the payroll.

Firstly, it doesn’t make economic sense to pay someone who is no longer entitled to the money; secondly, many countries require employers to withhold payroll taxes automatically, to pay those taxes in promptly, and to account for them accurately.

Why get into trouble with the tax office over former employees when you can have a simple “staff leaving” checklist that will help to keep you compliant and solvent at the same time?

Unfortunately, we’re not always quite so switched on (or, to be more precise, not quite so good at switching things off) when it comes to ex-staff and cybersecurity.

History is full of stories of havoc wreaked by ex-employees who maintained both their grudges and their passwords or access tokens after being fired or laid off.

Some of these revenge attacks have acquired legendary status, like the man from the splendidly named town of Maroochydore in Maroochy Shire in Queensland, Australia, who used insider information and a purloined computer to “hack” the council’s waste management system.

This crook quite literally, if you will pardon the expression, showered the shire with… well, with 1,000,000 litres of raw sewage, by operating all the right pumps in all the wrong ways.

As amusing as this crime sounds with 20 years of hindsight – it happened in the year 2000 – the disgruntled former contractor caused an environmental hazard, including polluting a tidal canal, that took days to clean up.

He was caught, tried and convicted of 27 counts of unauthorised computer access, and one count of wilfully and unlawfully causing serious environmental harm:

“Marine life died, the creek water turned black and the stench was unbearable for residents,” said Janelle Bryant, investigations manager for the Australian Environmental Protection Agency.

Then there was the US sysadmin who was fired in 2009 and decided to get his own back by planting keyloggers on his former employee’s network, harvesting passwords until he had access to the accounts of senior staff, and then remotely hacking into a presentation by the CEO to the board of directors.

You can probably imagine what happened nort.

Zoom bombing may be a new phrase in our vocabulary, but the technique of, ahem, replacing someone’s presentation in real time with NSFW material – porn, in a word – is not a new thing at all.

The offender in this case received a two-year sentence, but avoided prison because the judge suspended it.

And 2019, a former sysadmin for a US Senator went on trial for stealing and revealing – what’s known in the trade as “doxxing” – the confidential personal data of several US members of Congress.

Ironically, the offender in this case had his logon accounts closed down when he was fired, but was still able to get physical access to his ex-workplace to install keyloggers and copy off gigabytes of confidential files.

Simply put, there’s a lot that can go wrong if your cybersecurity processes don’t deal reliably and rapidly with shutting down the access of staff who no longer work for you.

Ghost in the machine

Sadly, however, it’s not always grudge-filled ex-staff or rogue insiders whose accounts end up getting abused.

The Sophos Rapid Response team has just written up a recent case study of a network attack that involved the account of a sysadmin who had died three months before.

The account of the late employee wasn’t shut down because various internal services had been configured to use it, presumably because the deceased had been involved in setting up those services in the first place.

Closing down the account, we assume, would have stopped those services working, so keeping the account going was probably the most convenient way of letting the dead person’s work live on.

Indeed, we think it’s a rather nice memorial; a way of honouring the work of the departed sysadmin as well as ensuring business continuity in a part of the system that was already working properly.

Unfortunately, given that the dead person was not logging into and actively using the account any more, no one was there to notice that the account wasn’t being used in the expected way.

Cybercrooks love orphaned or abandoned accounts, because they’re less likely to get caught out by the account’s regular user – in much the same way that Goldilocks would probably have avoided the attention of the Three Bears if she hadn’t visibly had a go at everyone’s porridge, sat on everyone’s chairs, and slept in all their beds.

In this case, the active use of the account of a recently deceased colleague ought to have raised suspicions immediately – except that the account was deliberately and knowingly kept going, making its abuse look perfectly normal and therefore unexceptionable, rather than making it seem weirdly paranormal and therefore raising an alarm.

It ended in ransomware

Unfortunately, the attackers weren’t spotted until significant damage had been done, namely after they had unleashed the Netfilim ransomware (also known as Nemty) on the victim’s network and brought more than 100 computers to a standstill by scrambling all their data.

Even worse, when Sophos Rapid Response began investigating, having been called in almost immediately after the ransomware attack, they realised that the crooks had already had access to the network for a full month.

As you probably know, many ransomware attackers these days use the final scramble-all-the-files stage not as their primary vehicle to blackmail the unfortunate victim, but merely as a sort of attention-grabbing finale.

After all, you can recover from file-scrambling ransomware without paying if you have a recent and reliable backup…

…but what you can’t do after it’s happened is “unsteal” files that the criminals have quietly copied off your network in the days leading up to the final drama of the encryption attack.

Two-pronged blackmail

Sadly, many of today’s ransomware extortion demands have two prongs of blackmail: pay up or we will delete the decryption key to get your precious files back, and pay up or we will not delete the files we’ve already stolen.

If you don’t pay, the crooks threaten to send your confidential data – and data about your customers, which the crooks have probably got hold of as well – to the regulators, to the media, to other crooks, and even, in many cases, to publish them on their own darkweb “name-and-shame” sites where anyone can download them for any nefarious purpose they like.

Sophos Rapid Response discovered that the data exfiltration in this attack was already finished by Day 24 of the crooks’ 31-day infiltration – the attackers had apparently used the well-known (some might even say infamous) encrypted New Zealand-based cloud service MEGA to stash the stolen data.

For two weeks before that, the crooks had been snooping around quite generally, quietly setting up additional accounts – this time, not of dead staff but of people that didn’t exist at all.

Incidentally, one of the reasons the crooks take their time before adding their own accounts, directories, registry entries, programs and services is that they like to get a feel for your network and your nomenclature first, so their unauthorised additions don’t stand out as unusual.

The crooks also like to discover what system administration and hacking tools you already have on your network, so that they can “borrow” ones that exist already, thus raising less suspicion than if they downloaded their own favourites – a technique known in the jargon as “living off the land”, or simply “fitting in well” to you and me.

What to do?

  • For a summary of the steps you can take to stop your own user accounts being abused, please see the Sophos Rapid Response report.
  • For a list of the Indicators of Compromise (IoCs) for this particular attack, including the Netfilim ransomware and the MEGA file uploading tools, please see the SophosLabs GitHub account.
  • For advice on dealing with cybercriminals in the 2020s, please listen to this well-informed podcast with John Shier, Sophos Senior Security Advisor:


Click-and-drag above to skip to any point in the podcast. You can also listen directly on Soundcloud.


Great advice Duck. I would also ensure that e-mail groups are blocked from outside abuse. For example, stop the “All Staff” distribution list being open to anyone from outside the company to send to.


any idea they got the password of the dead guys account? sysadmin I would hope would not be susceptible to credential stuffing?


I don’t know… IIRC the crooks used an unpatched vulnerability in the initial part of their breakin so they may have been able to change the password to something they knew. If you do that with a user account that’s regularly used for interactive logon you will probably get caught out (when the real user realised they are locked out at next logon). If the account is effectively abandoned, that alarm bell will never ring. Whether they could see that the account was last used for login some months ago or just got lucky, I can’t say.


About 20 years ago, just before Christmas, I left my job as a permanent employee of a large IT company, to return as a contractor (on another project, on another site) for the same firm the following January. To my surprise, my old login still worked, and I was advised to keep using it. A fortnight later, in mid-January, the IT account, and my access card, stopped working, and I had to make a few calls to get things up and running again.

Sometimes companies can be a little slow to react, with unforeseen consequences.


Leave a Reply

Your email address will not be published. Required fields are marked *

Subscribe to get the latest updates in your inbox.
Which categories are you interested in?
You’re now subscribed!