A former core infrastructure engineer from an industrial company based in Somerset County, New Jersey, was arrested for locking Windows administrators out of 254 servers in a failed extortion scheme against his employer.
Court documents reveal that on November 25, around 4:44 PM EST, company employees received a ransom email titled “Your Network Has Been Penetrated.” The email asserted that all IT administrators had been locked out of their accounts and that server backups had been deleted, rendering data recovery impossible.
The message further threatened to shut down 40 random servers on the company’s network daily over the next ten days unless a ransom of €700,000 (approximately $750,000 at the time) in Bitcoin (20 BTC) was paid.
An investigation led by FBI Special Agent James E. Dennehy in Newark identified 57-year-old Daniel Rhyne of Kansas City, Missouri, as the perpetrator. Rhyne, who worked as a core infrastructure engineer for the New Jersey-based company, accessed the company’s computer systems without authorization, using a company administrator account, between November 9 and November 25.
Rhyne then scheduled tasks on the company’s domain controller to change the passwords for the Administrator account, 13 domain administrator accounts, and 301 domain user accounts to “TheFr0zenCrew!”.
The criminal complaint further alleges that Rhyne also scheduled tasks to change the passwords for two local administrator accounts, affecting 254 servers, and for two additional local admin accounts, impacting 3,284 workstations on the company’s network. Additionally, he scheduled tasks to shut down random servers and workstations over several days in December 2023.
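A defender-side hunt for the pattern the complaint describes (scheduled tasks created to reset passwords or power off hosts, a burst of password resets by one actor, and deleted domain admin accounts), as an added example that is not part of the article or of the investigation. The events are constructed samples; the event IDs are the standard Windows Security-log IDs 4698 (scheduled task created), 4724 (password reset attempted) and 4726 (user account deleted), and the thresholds are assumptions to tune per environment.

```python
"""Hunt for the pattern in the complaint: scheduled tasks that reset passwords or power off hosts,
a burst of password resets, and deleted admin accounts (Security-log IDs 4698, 4724, 4726)."""
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample events (timestamp, event_id, actor, detail); not real telemetry.
SAMPLE_EVENTS = [
    ("2023-11-25 15:58:00", 4698, "CORP\\svc-infra", r"Task=\Maint\Rotate Action=net user Administrator * /domain"),
    ("2023-11-25 15:58:10", 4698, "CORP\\svc-infra", r"Task=\Maint\Halt Action=shutdown /s /t 0"),
    ("2023-11-25 15:59:00", 4698, "CORP\\backup", r"Task=\Backup\Nightly Action=backup.exe /full"),
    ("2023-11-25 09:00:00", 4724, "CORP\\helpdesk", "user999"),  # a normal single reset
    ("2023-11-25 16:05:00", 4726, "CORP\\svc-infra", "da-jsmith"),
    ("2023-11-25 16:05:05", 4726, "CORP\\svc-infra", "da-rlee"),
]
# 25 distinct accounts reset by one actor within three minutes (constructed)
SAMPLE_EVENTS += [(f"2023-11-25 16:{i // 10:02d}:{(i % 10) * 6:02d}", 4724, "CORP\\svc-infra", f"user{i:03d}")
                  for i in range(25)]
RISKY_ACTIONS = ("net user", "shutdown /s", "wevtutil cl")  # password change, power-off, log clearing

def parse(event):
    ts, event_id, actor, detail = event
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), event_id, actor, detail

def suspicious_task_creations(events):
    """4698 events whose task action contains a risky command."""
    return [(actor, detail) for _, eid, actor, detail in map(parse, events)
            if eid == 4698 and any(tok in detail.lower() for tok in RISKY_ACTIONS)]

def burst_password_resets(events, threshold=10, window=timedelta(minutes=10)):
    """Actors that reset at least `threshold` distinct accounts inside one sliding window."""
    per_actor = defaultdict(list)
    for ts, eid, actor, target in map(parse, events):
        if eid == 4724:
            per_actor[actor].append((ts, target))
    flagged = {}
    for actor, resets in per_actor.items():
        resets.sort()  # chronological, so each start index opens one window
        for i, (start, _) in enumerate(resets):
            targets = {t for ts, t in resets[i:] if ts - start <= window}
            if len(targets) >= threshold:
                flagged[actor] = len(targets)
                break
    return flagged

def deleted_accounts(events):  # 4726 per actor; deleting admin accounts warrants review
    out = defaultdict(list)
    for _, eid, actor, target in map(parse, events):
        if eid == 4726:
            out[actor].append(target)
    return dict(out)
```

Each function takes the same event tuples, so exported Security-log records can be fed in once they are mapped to (timestamp, event_id, actor, detail).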
Exposed by incriminating web searches
Investigators uncovered that while planning his extortion plot, Rhyne allegedly used a hidden virtual machine accessed through his account and laptop to conduct web searches on November 22. He sought information on deleting domain accounts, clearing Windows logs, and changing domain user passwords via the command line.
Further analysis revealed that on November 15, Rhyne made similar searches on his laptop, including queries like “command line to change local administrator password” and “command line to remotely change local administrator password.”
The criminal complaint states, “By changing administrator and user passwords and shutting down Victim-1’s servers, the scheduled tasks were collectively designed and intended to deny Victim-1 access to its systems and data.”
On November 25, 2023, at approximately 4:00 p.m. EST, Victim-1’s network administrators began receiving password reset notifications for a domain administrator account and hundreds of user accounts. Shortly afterward, they discovered that all other domain administrator accounts had been deleted, effectively blocking domain admin access to the company’s computer networks.
Rhyne was arrested in Missouri on Tuesday, August 27, and was released following his initial appearance in Kansas City’s federal court. He faces charges of extortion, intentional computer damage, and wire fraud, which carry a maximum penalty of 35 years in prison and a $750,000 fine.
Source: BleepingComputer, Sergiu Gatlan