logo

Employee arrested for locking Windows admins out of 254 servers in extortion plot

Hacker

A former core infrastructure engineer at an industrial company headquartered in Somerset County, New Jersey, was arrested after locking Windows admins out of 254 servers in a failed extortion plot targeting his employer.

According to court documents, company employees received a ransom email titled "Your Network Has Been Penetrated" on November 25, around 4:44 PM EST. The email claimed that all IT administrators had been locked out of their accounts and server backups had been deleted to make data recovery impossible.

Additionally, the message threatened to shut down 40 random servers on the company's network daily over the next ten days unless a ransom of €700,000 (in the form of 20 Bitcoin) was paid—at the time, 20 BTC were worth $750,000.

The investigation coordinated by FBI Special Agent James E. Dennehy in Newark uncovered that 57-year-old Daniel Rhyne from Kansas City, Missouri, who was working as a core infrastructure engineer for the New Jersey industrial company, had remotely accessed the company's computer systems without authorization using a company administrator account between November 9 and November 25.

He then scheduled tasks on the company's domain controlled to change the passwords for the Administrator account, 13 domain administrator accounts, and 301 domain user accounts to the "TheFr0zenCrew!" text string.

The criminal complaint alleges that Rhyne also scheduled tasks to change the passwords for two local administrator accounts, which would impact 254 servers, and for two more local admin accounts, which would affect 3,284 workstations on his employer's network. He also scheduled some tasks to shut down random servers and workstations over multiple days in December 2023.

Exposed by incriminating web searches

The investigators also found during forensic analysis that, while planning his extortion plot, Rhyne allegedly used a hidden virtual machine he accessed using his account and laptop to search the web on November 22 for information on how to delete domain accounts, clear Windows logs, and change domain user passwords using the command line.

On November 15, Rhyne also made similar web searches on his laptop, including "command line to change local administrator password" and "command line to remotely change local administrator password."

"By changing administrator and user passwords and shutting down Victim-l's servers, the scheduled tasks were collectively designed and intended to deny Victim-1 access to its systems and data," the criminal complaint reads.

"On or about November 25, 2023, at approximately 4:00 p.m. EST, network administrators employed at Victim-1 began receiving password reset notifications for a Victim-1 domain administrator account, as well as hundreds of Victim-1 user accounts. Shortly thereafter, the Victim-1 network administrators discovered that all other Victim-1 domain administrator accounts were deleted, thereby denying domain administrator access to Victim-1’s computer networks."

Rhyne was arrested in Missouri on Tuesday, August 27, and was released after his initial appearance in the Kansas City federal court. The extortion, intentional computer damage, and wire fraud charges carry a maximum penalty of 35 years in prison and a $750,000 fine.


Free security scan for your website