All the passwords were stored in Active Directory description fields
ID: d896bc5d-91b0-5a41-b00f-5ca1b77534ca
STIX ID: report--d896bc5d-91b0-5a41-b00f-5ca1b77534ca
Feed Name: The Register (Security)
The article describes a ransomware attack enabled by insecure practices: service account passwords were stored in Active Directory description fields, where an Initial Access Broker discovered them after conducting a phishing campaign and running the Sliver tool. Attackers used the harvested credentials to obtain full domain access, delete backups, and encrypt Hyper-V hosts, taking more than 2,000 users offline for months. The incident illustrates the severe consequences of storing credentials in accessible cleartext locations.
