A former core infrastructure engineer at an industrial company headquartered in Somerset County, New Jersey, was arrested after locking Windows admins out of 254 servers in a failed extortion plot targeting his employer.
According to court documents, company employees received a ransom email titled “Your Network Has Been Penetrated” on November 25, around 4:44 PM EST. The email claimed that all IT administrators had been locked out of their accounts and that server backups had been deleted to make data recovery impossible.
Additionally, the message threatened to shut down 40 random servers on the company’s network every day over the next ten days unless a ransom of €700,000 (in the form of 20 Bitcoin) was paid. At the time, 20 BTC were worth $750,000.
The investigation, coordinated by FBI Special Agent James E. Dennehy in Newark, found that 57-year-old Daniel Rhyne of Kansas City, Missouri, who was working as a core infrastructure engineer for the New Jersey industrial company, had remotely accessed the company’s computer systems without authorization, using a company administrator account, between November 9 and November 25.
He then scheduled tasks on the company’s domain controller to change the passwords for the Administrator account, 13 domain administrator accounts, and 301 domain user accounts to the text string “TheFr0zenCrew!”.
The criminal complaint alleges that Rhyne also scheduled tasks to change the passwords for two local administrator accounts, which would impact 254 servers, and for two more local admin accounts, which would affect 3,284 workstations on his employer’s network. He also scheduled tasks to shut down random servers and workstations over several days in December 2023.
Uncovered by incriminating web searches
During forensic analysis, investigators also found that, while planning his extortion plot, Rhyne allegedly used a hidden virtual machine, accessed from his account and laptop, to search the web on November 22 for information on how to delete domain accounts, clear Windows logs, and change domain user passwords from the command line.
On November 15, Rhyne also ran similar web searches on his laptop, including “command line to change local administrator password” and “command line to remotely change local administrator password.”
“By changing administrator and user passwords and shutting down Victim-1’s servers, the scheduled tasks were collectively designed and intended to deny Victim-1 access to its systems and data,” the criminal complaint reads.
“On or about November 25, 2023, at approximately 4:00 p.m. EST, network administrators employed at Victim-1 began receiving password reset notifications for a Victim-1 domain administrator account, as well as hundreds of Victim-1 user accounts. Shortly thereafter, the Victim-1 network administrators discovered that all other Victim-1 domain administrator accounts were deleted, thereby denying domain administrator access to Victim-1’s computer networks.”
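The sequence the complaint describes (a scheduled task registered days in advance, then a burst of password resets and the deletion of domain admin accounts) maps onto three Windows Security event IDs a SOC can watch: 4698 (scheduled task created), 4724 (password reset attempt) and 4726 (user account deleted). The following is an added illustration, not code from the article or the company involved; the log events, account names and task name are constructed sample data, and the threshold of 20 resets in 10 minutes is an assumed tuning value.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Windows Security log sample (not real logs):
# (timestamp, event_id, subject account, target account or task path).
SAMPLE_EVENTS = [
    # Task registered on a domain controller well before the burst (4698).
    ("2023-11-09 21:10:00", 4698, "CORP\\svc-ops", "\\Maintenance\\PwRotate"),
    # Normal helpdesk activity: two resets, should not alert.
    ("2023-11-20 09:01:00", 4724, "CORP\\helpdesk1", "CORP\\user900"),
    ("2023-11-20 09:30:00", 4724, "CORP\\helpdesk1", "CORP\\user901"),
    # A domain admin account deleted shortly after the burst (4726).
    ("2023-11-25 16:02:00", 4726, "CORP\\svc-ops", "CORP\\da-jones"),
] + [
    # Burst: 30 resets by one account within half a minute (4724).
    ("2023-11-25 16:00:%02d" % i, 4724, "CORP\\svc-ops", "CORP\\user%03d" % i)
    for i in range(30)
]

def parse(events):
    """Convert the timestamp strings into datetime objects."""
    return [(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), eid, subj, tgt)
            for ts, eid, subj, tgt in events]

def detect_mass_reset(events, window=timedelta(minutes=10), threshold=20):
    """Return {subject: peak count} for accounts that reset at least
    `threshold` passwords inside any sliding `window` (sliding-window count)."""
    resets = defaultdict(list)
    for ts, eid, subj, _ in parse(events):
        if eid == 4724:
            resets[subj].append(ts)
    alerts = {}
    for subj, times in resets.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:  # shrink window from the left
                start += 1
            count = end - start + 1
            if count >= threshold:
                alerts[subj] = max(alerts.get(subj, 0), count)
    return alerts

def scheduled_tasks_by(events, subject):
    """Scheduled-task creations (4698) registered by a flagged account."""
    return [tgt for _, eid, subj, tgt in parse(events) if eid == 4698 and subj == subject]

def deleted_admins(events, admin_prefix="CORP\\da-"):
    """Deleted accounts (4726) whose name matches the admin naming convention."""
    return [tgt for _, eid, _, tgt in parse(events) if eid == 4726 and tgt.startswith(admin_prefix)]
```

Correlating a flagged 4724 burst with earlier 4698 task registrations by the same account, and with 4726 deletions of privileged accounts, gives the context needed to distinguish an automated password-rotation job from the deliberate lockout described above.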
Rhyne was arrested in Missouri on Tuesday, August 27, and was released after his initial appearance in the Kansas City federal court. The extortion, intentional computer damage, and wire fraud charges carry a maximum penalty of 35 years in prison and a $750,000 fine.