In a stark reminder of the dangers posed by insider threats, a former infrastructure engineer from an unnamed New Jersey company faces up to 35 years in prison for a failed extortion attempt. The incident, which occurred in November 2023, involved blocking administrator access to 254 servers and attempting to extort a ransom from his former employer.
The Anatomy of the Attack
On November 25, 2023, employees of the affected company received an alarming email titled “Your Network Has Been Penetrated.” The message claimed that all IT administrators had lost access to their accounts and that server backups had been destroyed, making data recovery impossible. The attacker threatened to disable 40 random servers daily for the next 10 days unless a ransom of 20 bitcoins (approximately $750,000 at the time) was paid.
Unauthorized Access and Malicious Actions
FBI-coordinated investigations revealed that Daniel Rhyne, a 57-year-old former infrastructure engineer, had gained unauthorized remote access to the company’s systems from November 9 to 25. Rhyne exploited an administrator account to execute a series of malicious actions:
- Scheduled password changes for the Administrator account, 13 domain admin accounts, and 301 domain user accounts to “TheFr0zenCrew!”
- Planned password alterations for local admin accounts affecting 254 servers and 3,284 workstations
- Set up tasks to randomly disable servers and workstations throughout December 2023
Technical Details and Tools Used
The attacker employed a combination of native Windows tools and third-party utilities to execute the sabotage:
- Windows Net User: A command-line tool for user account management
- PsPasswd: Part of the Sysinternals Utilities suite, used for remote password changes
Forensic analysis uncovered that Rhyne had used a hidden virtual machine to research techniques for erasing accounts, clearing Windows logs, and modifying domain user passwords via command line. This preparation occurred on November 15 and 22, demonstrating premeditation in the attack.
Impact and Discovery
The attack’s impact was swift and severe. On November 25, network administrators began receiving notifications of password resets for the domain admin account and hundreds of user accounts. They soon discovered that all other domain admin accounts had been deleted, effectively locking them out of the company’s computer networks.
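The warning signs described above (a burst of password resets by one account, scheduled tasks that wrap PsPasswd or net user, deletion of domain admin accounts, and clearing of Windows logs) all leave entries in the Windows Security log. The following Python detector is an added example, not code from the article or from the investigation. It assumes Security events have been exported into the simplified dict shape shown (in a real export the 4698 "Task Content" XML would need to be flattened into the `command` field); the event IDs 4724, 4698, 4726 and 1102 are real Windows Security event IDs, while the account names, thresholds and sample events are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Tunables (assumptions for the example, not values from the case).
RESET_THRESHOLD = 10                 # 4724 events by one actor ...
RESET_WINDOW = timedelta(minutes=10) # ... inside this window is a mass reset
DOMAIN_ADMINS = {"Administrator", "da.alice", "da.bob"}   # constructed privileged set
TASK_INDICATORS = ("net user", "pspasswd")                # tooling named in the article

# Constructed sample of Security events; one actor (svc_backup) mimics the pattern
# from the article, the other entries are benign noise that must not alert.
SAMPLE_EVENTS = (
    [{"id": 4724, "time": f"2023-11-25T02:00:{i:02d}",      # password reset attempt
      "subject": "svc_backup", "target": f"user{i:02d}"} for i in range(12)]
    + [
        {"id": 4724, "time": "2023-11-24T10:15:00", "subject": "helpdesk", "target": "user99"},
        {"id": 4698, "time": "2023-11-25T02:05:00", "subject": "svc_backup",  # task created
         "task": "\\Maintenance\\Sync",
         "command": "C:\\Tools\\PsPasswd.exe \\\\srv01 localadmin ChangeMe1"},  # constructed
        {"id": 4698, "time": "2023-11-20T09:00:00", "subject": "deploy",
         "task": "\\Backup\\Nightly", "command": "C:\\Backup\\backup.exe --full"},
        {"id": 4726, "time": "2023-11-25T02:06:00", "subject": "svc_backup", "target": "da.alice"},
        {"id": 4726, "time": "2023-11-21T16:00:00", "subject": "helpdesk", "target": "tempuser"},
        {"id": 1102, "time": "2023-11-25T02:07:00", "subject": "svc_backup"},  # audit log cleared
    ]
)


def _t(stamp):
    return datetime.fromisoformat(stamp)


def mass_password_resets(events, threshold=RESET_THRESHOLD, window=RESET_WINDOW):
    """One alert per actor whose 4724 events reach `threshold` inside any `window`."""
    by_subject = defaultdict(list)
    for e in events:
        if e["id"] == 4724:
            by_subject[e["subject"]].append(_t(e["time"]))
    alerts = []
    for subject, times in by_subject.items():
        times.sort()
        best, start = 0, 0
        for end, t in enumerate(times):          # sliding window over sorted times
            while t - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            alerts.append({"rule": "mass_password_reset", "subject": subject, "count": best})
    return alerts


def suspicious_scheduled_tasks(events, indicators=TASK_INDICATORS):
    """4698 events whose task command references account-management tooling."""
    return [
        {"rule": "suspicious_scheduled_task", "subject": e["subject"],
         "task": e["task"], "command": e["command"]}
        for e in events
        if e["id"] == 4698 and any(k in e.get("command", "").lower() for k in indicators)
    ]


def privileged_deletions(events, admins=DOMAIN_ADMINS):
    """4726 events that remove an account from the privileged set."""
    return [
        {"rule": "privileged_account_deleted", "subject": e["subject"], "target": e["target"]}
        for e in events if e["id"] == 4726 and e["target"] in admins
    ]


def audit_log_cleared(events):
    """1102 is emitted when the Security log is cleared; it is never routine."""
    return [{"rule": "audit_log_cleared", "subject": e["subject"], "time": e["time"]}
            for e in events if e["id"] == 1102]


def detect(events):
    """Run every rule and return the combined alert list."""
    return (mass_password_resets(events) + suspicious_scheduled_tasks(events)
            + privileged_deletions(events) + audit_log_cleared(events))


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Each rule is deliberately narrow so that the alert explains itself; in practice the 4724 threshold would be tuned against the normal helpdesk reset rate, and the 1102 rule should be shipped to a log collector the administrator accounts cannot clear, since the point of clearing the log is to remove exactly this evidence.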
Legal Consequences and Lessons Learned
Rhyne was arrested on August 27 and released after appearing in court in Kansas City. He faces charges of extortion, intentional damage to computers, and fraud. The potential penalties include up to 35 years in prison and a $750,000 fine.
This incident underscores the critical importance of robust insider threat prevention programs, strict access controls, and comprehensive monitoring systems. Organizations must implement strong password policies, regularly audit user privileges, and maintain detailed logs of all system activities. Additionally, implementing a zero-trust security model and conducting regular security awareness training can significantly mitigate the risks posed by insider threats.