The Sophos Rapid Response team published findings from its investigations into recent ransomware attacks that reveal a failure to keep close tabs on “ghost” account credentials of recently deceased employees can give cybercriminals a discreet foothold to launch an attack.

In one of the attacks analyzed, Nefilim ransomware (also known as Nemty) targeted an organization with a combination of data theft and encryption, impacting more than 100 systems. The Sophos Rapid Response team traced this attack back to an initial intrusion about four weeks earlier using a compromised admin account with high level access. This account belonged to an employee who had sadly passed away around three months prior, which allowed the cybercriminals to quietly steal the credentials, move through the network, and exfiltrate hundreds of GB of data, before unleashing the ransomware.

“Ransomware is the final payload in a longer attack. It is the attacker telling you they already have control of your network and have finished the bulk of the attack. It is the attacker declaring victory,” Peter Mackenzie, manager for Rapid Response, said. “Identifying you are under a ransomware attack is easy, identifying the attacker was on your network a week earlier is what counts.”

For the full blog, please visit