Nefilim, or Nemty, is a relatively new ransomware variant targeting unpatched or poorly secured Citrix remote access technology. The criminal gang’s use of the credentials that belonged to a deceased system administrator caught the attention of the Sophos researchers. The researchers note that there are numerous reasons why the account could have been left open, including the possibility that the system admin had helped with the initial setup of the targeted firm’s services. In December 2020, the ransomware was tied to an attack that targeted appliance maker Whirlpool.
Source: https://www.cuinfosecurity.com/dead-system-admins-credentials-used-for-ransomware-attack-a-15873

