The Ghosts Within Your Network Could Be an In for Ransomware – Barracuda’s Mark Lukie Breaks It Down
Call it an inconvenient truth: in cybersecurity, ransomware has long outstayed its welcome, and it isn’t going anywhere anytime soon. The simple fact that it can be incredibly profitable ensures a constant stream of innovation from those looking to exploit digital vulnerabilities.
What’s often surprising, however, isn’t the complexity of these new tactics, but in their simplicity. This is perhaps a testament to attackers’ knack for finding and exploiting even the most basic security weaknesses. The results can be devastatingly effective.
The devil, as they say, is in the details, and sometimes, those details are as unassuming as a forgotten user profile. Mark Lukie, Director of Solution Architects at Barracuda Networks, APAC, recently walked us through how the latest developments in ransomware threats are leveraging seemingly innocuous “ghost accounts” to gain unauthorised access.
When Inactive Accounts Become Security Hazards
In the interview, Mark highlighted a recent Barracuda SOC investigation that uncovered how the Akira ransomware group exploited an organisation’s dormant or forgotten user account to infiltrate its systems undetected.
Mark explained that at some point before deploying the main attack, the attackers managed to get hold of the credentials for the account and used it to gain access and then connect via an open VPN channel to reach the victim organisation’s network.
“Once inside, they escalated their privileges, tried to move laterally across the network, and remotely deployed ransomware to encrypt devices, disrupting business operations,” he said.
Ghost accounts typically occur organically when companies fail to manage user access systematically. Mark noted that what’s especially concerning is how easily these ghost accounts are overlooked, often left unmanaged or unmonitored. In the case of the Akira ransomware group attack, the compromised account had been created for a third-party vendor, and then not deactivated when the contractor left.
Red Flags That Signal a Breach in the Making
Simply by forgetting or failing to disable obsolete accounts, organisations can create potential vulnerabilities that may become an entry point for cybercriminals if not properly secured.
Mark shared that ghost accounts are usually created when employees leave, roles change, or temporary access is no longer needed. They can be overlooked when enforcing updated password policies or other security updates, because people don’t realise they exist. In the worst-case scenario, this could happen with accounts that have privileged access.
“One of the most telling indicators is unusual login activity, particularly from accounts that have been inactive for months or even years. If these dormant accounts suddenly show signs of access, it could suggest an attacker has compromised credentials and is testing entry points. Repeated failed login attempts on such inactive accounts may also point to brute-force efforts to gain unauthorised access,” Mark explained.
Another red flag is unauthorised privilege escalation, where a user account is granted higher access levels than appropriate. This can indicate that an attacker is attempting to gain deeper control over the environment. Additionally, the unexpected appearance of encrypted files or detection of ransomware payloads may signal that the network has already been compromised, and that the attacker is preparing to launch a full-scale ransomware attack.
The key takeaway is that organisations need to monitor account activity closely and flag any suspicious behaviour before an attack can escalate.
Exorcising the Ghosts of Forgotten Accounts
The last thing businesses should do is make it easier for attackers, but leaving ghost accounts unchecked does exactly that. As Mark noted, they’re “one of the easiest attack vectors for cybercriminals”.
Therefore, he said organisations have to make account hygiene a priority, and he went on to share a few tips that might help. To secure ghost accounts and prevent breaches, organisations should take a proactive approach to account management. “This begins with regularly auditing all user accounts and promptly disabling or removing any that are no longer in use,” Mark added.
Enforcing strong password policies and requiring multi-factor authentication significantly reduces the risk of unauthorised access. It’s equally important to follow the principle of least privilege, ensuring users have only the minimum access necessary to carry out their roles. Monitoring login activity for unusual behaviour, especially involving inactive accounts, provides an additional layer of protection.
To further enhance security, advanced detection tools can help identify threats early and stop attackers from moving laterally across the network. Mark reiterated his earlier message, stating, “By making account hygiene a priority, organisations can eliminate one of the most common entry points for cybercriminals and strengthen their overall security posture.”
The Fight Against Ransomware Starts Within
Ultimately, Mark Believes that ransomware attacks like the one he highlighted are a wake-up call, and organisations need to move beyond basic security measures and adopt a layered, proactive approach to stay protected.
“As ransomware tactics continue to evolve, businesses in 2025 must move beyond basic defences and adopt a layered, proactive security approach. Prioritising a zero-trust model, where all access is continuously verified, helps limit attacker movement within the network. AI-driven threat detection tools are key to identifying unusual activity early, while regular cybersecurity training ensures employees can spot phishing and social engineering attempts”, he elaborated further.
He added that robust backup strategies and tested incident response plans are essential for quick recovery after an attack. Continuous security assessments help uncover vulnerabilities before attackers do. Solutions like extended detection and response (XDR) network security can also play a vital role by detecting and blocking threats such as suspicious VPN activity before they escalate.
In a nutshell, in order to stay protected, organisations must combine smart technology, user awareness and agile response planning in a unified security strategy. And above all, they must ensure that their security doesn’t leave the door open for dormant accounts to rise from the dead and haunt them when they least expect it.
