A former core infrastructure engineer has pleaded guilty to locking Windows admins out of 254 servers as part of a failed extortion plot targeting his employer, an industrial company headquartered in Somerset County, New Jersey.
According to court documents, 57-year-old Daniel Rhyne from Kansas City, Missouri, remotely accessed the company’s network without authorization using an administrator account between November 9 and November 25.
Throughout this time, he allegedly scheduled tasks on the company’s Windows domain controller to delete network admin accounts and to change the passwords for 13 domain admin accounts and 301 domain user accounts to “TheFr0zenCrew!”.
The prosecutors also accused Rhyne of scheduling tasks to change the passwords for two local admin accounts, which would affect 3,284 workstations, and for two more local admin accounts, which would impact 254 servers on his employer’s network. He also scheduled some tasks to shut down random servers and workstations on the network over multiple days in December 2023.
Subsequently, on November 25, Rhyne emailed a number of his coworkers a ransom email titled “Your Network Has Been Penetrated,” saying that all IT administrators had been locked out of their accounts and that server backups had been deleted to make data recovery impossible.
Additionally, the emails threatened to shut down 40 random servers daily over the next ten days unless the company paid a ransom of 20 bitcoin (worth roughly $750,000 at the time).
“On or about November 25, 2023, at approximately 4:00 p.m. EST, network administrators employed at Victim-1 began receiving password reset notifications for a Victim-1 domain administrator account, as well as hundreds of Victim-1 user accounts,” the criminal complaint reads.
“Shortly thereafter, the Victim-1 network administrators discovered that all other Victim-1 domain administrator accounts were deleted, thereby denying domain administrator access to Victim-1’s computer networks.”
Forensic investigators found that on November 22, Rhyne used a hidden virtual machine and his account to search the web for information on clearing Windows logs, changing domain user passwords, and deleting domain accounts as he planned his extortion plot.
One week earlier, Rhyne made similar web searches on his laptop, including “command line to remotely change local administrator password” and “command line to change local administrator password.”
Rhyne was arrested in Missouri on Tuesday, August 27, and released after his initial appearance in federal court. The hacking and extortion charges to which he pleaded guilty carry a maximum penalty of 15 years in prison.
Earlier this month, a North Carolina data analyst contractor was found guilty of extorting his employer, Brightly Software (a Software-as-a-Service company previously known as SchoolDude), for $2.5 million.
Automated pentesting proves the path exists. BAS proves whether your controls stop it. Most teams run one without the other.
This whitepaper maps six validation surfaces, shows where coverage ends, and provides practitioners with three diagnostic questions for any tool evaluation.
