Someone admits to locking thousands of Windows devices in a scam

A former infrastructure engineer has pleaded guilty to locking out Windows administrators on 254 servers as part of a failed fraud scheme targeting his employer, an industrial company headquartered in Somerset County, New Jersey.
According to court documents, 57-year-old Daniel Rhyne of Kansas City, Missouri, accessed the company’s remote network without authorization using an administrator account between November 9 and November 25.
During that period, he allegedly set up operations on the company’s Windows domain controller to delete network administrator accounts and to change the passwords of 13 domain administrator accounts and 301 domain user accounts to “TheFr0zenCrew!”.
Prosecutors also accused Rhyne of setting up password-change operations for two site manager accounts, which would affect 3,284 workstations, and for two further site manager accounts, which would affect 254 servers on his employer’s network. He also planned operations to shut down random servers and workstations on the network over several days in December 2023.
Later, on November 25, Rhyne sent a ransom email to several co-workers titled “Your Network Has Been Hacked,” saying that all IT administrators had been locked out of their accounts and that server backups had been deleted to make data recovery impossible.
In addition, the email threatened to shut down 40 random servers every day for the next ten days unless the company paid a ransom of 20 bitcoins (worth about $750,000 at the time).
“On November 25, 2023, at approximately 4:00 pm EST, the network administrators employed by Victim-1 began receiving password reset notifications for Victim-1’s domain administrator account, as well as hundreds of Victim-1’s user accounts,” the criminal complaint reads.
“Immediately thereafter, Victim-1’s network administrators discovered that all of Victim-1’s other domain administrator accounts had been deleted, thereby denying the domain administrator access to Victim-1’s computer network.”
Forensic investigators discovered that on November 22, Rhyne used a hidden virtual machine and his account to search the web for information on wiping Windows logs, changing domain user passwords, and deleting domain accounts as he planned his fraud plot.
One week earlier, Rhyne performed similar web searches on his laptop, including “command line to remotely change local administrator password” and “command line to change local administrator password.”
Rhyne was arrested in Missouri on Tuesday, August 27, and released after his first appearance in federal court. The robbery and burglary charges he pleaded guilty to carry a maximum sentence of 15 years in prison.
Earlier this month, a North Carolina data analytics contractor was found guilty of defrauding his employer, Brightly Software (the Software-as-a-Service company formerly known as SchoolDude), of $2.5 million.




