A former core infrastructure engineer has admitted to a serious breach of trust, having locked Windows administrators out of 254 servers in an ill-fated extortion attempt against his employer, an industrial firm based in Somerset County, New Jersey. The individual, 57-year-old Daniel Rhyne from Kansas City, Missouri, accessed the company’s network without authorization, utilizing an administrator account from November 9 to November 25.
Details of the Incident
During this period, Rhyne allegedly orchestrated a series of malicious tasks on the company’s Windows domain controller. His actions included deleting network admin accounts and altering passwords for 13 domain admin accounts and 301 domain user accounts, all set to the same ominous phrase: “TheFr0zenCrew!”.
Prosecutors outlined further allegations, indicating that Rhyne scheduled tasks to modify passwords for two local admin accounts, impacting a staggering 3,284 workstations, as well as two additional local admin accounts that would affect the 254 servers within the company’s network. In a bid to escalate the chaos, he also planned to shut down random servers and workstations over several days in December 2023.
On November 25, Rhyne escalated his threats by sending a ransom email to several coworkers, ominously titled “Your Network Has Been Penetrated.” In this correspondence, he claimed that all IT administrators had been locked out of their accounts and that server backups had been erased, rendering data recovery impossible. He demanded a ransom of 20 bitcoin, approximately valued at 0,000 at the time, threatening to shut down 40 random servers daily over the following ten days if his demands were not met.
The criminal complaint details a timeline of events, noting that on the same day as the ransom email, network administrators began receiving password reset notifications for various accounts. This alarming development quickly led to the discovery that all other domain administrator accounts had been deleted, effectively cutting off access to the company’s computer networks.
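The pattern described above (a burst of password resets by one account, deletion of domain administrator accounts, and scheduled tasks created to rotate admin passwords) is exactly what a domain-controller log review should surface early. The following detection sketch is an added example and not part of the original report; it runs over a constructed, hypothetical set of flattened Windows Security events (IDs 4724, 4726 and 4698) and flags each of the three behaviours.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed Windows Security log records (hypothetical, not from the case):
# 4724 = password reset attempt, 4726 = user account deleted,
# 4698 = scheduled task created. Field names mimic a typical SIEM flattening.
BASE = datetime(2023, 11, 25, 8, 0, 0)
SAMPLE_EVENTS = [
    {"time": BASE - timedelta(hours=3), "id": 4724, "subject": "helpdesk1", "target": "user042"},
    {"time": BASE, "id": 4698, "subject": "svc-legacy", "task": r"\Maint\sync",
     "cmd": "net user da-backup * /domain"},
] + [
    {"time": BASE + timedelta(seconds=i), "id": 4724, "subject": "svc-legacy", "target": f"user{i:03d}"}
    for i in range(8)
] + [
    {"time": BASE + timedelta(seconds=20), "id": 4726, "subject": "svc-legacy", "target": "da-smith"},
    {"time": BASE + timedelta(seconds=21), "id": 4726, "subject": "svc-legacy", "target": "da-jones"},
]

PRIVILEGED = {"da-smith", "da-jones", "da-backup"}          # constructed tier-0 accounts
TASK_MARKERS = ("net user", "set-adaccountpassword", "shutdown")  # task commands worth a look

def password_reset_bursts(events, threshold=5, window=timedelta(minutes=5)):
    """Return {subject: peak_count} for actors who reset at least `threshold`
    passwords inside any sliding `window` (events are sorted by time first)."""
    bursts = {}
    per_actor = defaultdict(deque)
    for ev in sorted((e for e in events if e["id"] == 4724), key=lambda e: e["time"]):
        q = per_actor[ev["subject"]]
        q.append(ev["time"])
        while q[0] < ev["time"] - window:   # drop resets that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            bursts[ev["subject"]] = max(bursts.get(ev["subject"], 0), len(q))
    return bursts

def privileged_deletions(events, privileged=PRIVILEGED):
    """Deleted accounts that belong to the privileged set, sorted by name."""
    return sorted(e["target"] for e in events if e["id"] == 4726 and e["target"] in privileged)

def suspicious_tasks(events, markers=TASK_MARKERS):
    """Scheduled tasks whose command line touches passwords or shutdown."""
    return [e["task"] for e in events if e["id"] == 4698
            and any(m in e.get("cmd", "").lower() for m in markers)]

def analyze(events):
    return {"reset_bursts": password_reset_bursts(events),
            "privileged_deletions": privileged_deletions(events),
            "suspicious_tasks": suspicious_tasks(events)}

if __name__ == "__main__":
    print(analyze(SAMPLE_EVENTS))
```

In practice the thresholds and the privileged-account set come from your own environment; the single helpdesk reset in the sample stays below the threshold and is not reported.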
Investigation Findings
Forensic investigators uncovered that on November 22, Rhyne had employed a concealed virtual machine to search for information related to clearing Windows logs, changing domain user passwords, and deleting domain accounts, all while plotting his extortion scheme. Just a week prior, he had conducted similar searches on his laptop, including queries about command lines for remotely changing local administrator passwords.
Rhyne was apprehended in Missouri on August 27 and subsequently released following his initial court appearance. The charges he faces, related to hacking and extortion, carry a potential maximum sentence of 15 years in prison. This case follows a recent conviction of a North Carolina data analyst contractor who was found guilty of extorting his employer for .5 million, highlighting a troubling trend in cybercrime within corporate environments.