
Employee locks Windows admins out of 254 servers; arrested for extortion


Illustration: JMiks | Shutterstock

A former core infrastructure engineer at a New Jersey industrial company based in Somerset County has been arrested after attempting to extort nearly $750,000, or 20 Bitcoin, from the company. The engineer, 57-year-old Daniel Rhyne, locked all IT admins at the company out of their accounts and deleted server backups to make data recovery impossible.

Court documents from Rhyne’s trial state that company employees received a ransom email titled “Your Network Has Been Penetrated” on November 25. The email claimed that all IT admins had been locked out of their accounts and server backups had been deleted. The email also threatened to shut down 40 random servers on the company’s network daily over the next ten days unless a ransom of 20 Bitcoin, about $750,000, was paid.

An FBI-led investigation revealed that Rhyne had remotely accessed the company’s systems without authorisation using an administrator account between November 9 and November 25. After gaining access, he scheduled tasks on the company domain to change passwords for the main administrator account, 13 domain administrator accounts and 301 domain user accounts.

He had also scheduled tasks to change passwords for two local administrator accounts, which would have impacted 254 servers, and another two accounts, which would have affected 3,284 servers on the company’s network. Rhyne had also scheduled tasks to shut down random servers and workstations on different days in December 2023, as he claimed in his extortion email.

Unfortunately for Rhyne, he had to search the internet for how to perform some of the advanced command line wizardry he was attempting, and these incriminating web searches led to his arrest. During forensic analysis, investigators found that on November 22 he had used a hidden virtual machine, accessible via his account and laptop, to look up how to delete domain accounts, clear Windows logs, and change domain user passwords using command line tools.

On November 15, Rhyne made similar searches on his laptop, including “command line to change local administrator password” and “command line to remotely change local administrator password.” The server commands and scheduled tasks were all intended to deny the company access to its systems and servers as Rhyne had planned.
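The sequence described above (a scheduled task created by one account, followed by a burst of password resets and a cleared audit log) is exactly the kind of pattern a SOC can alert on. The following detection sketch is an added example, not code from the article or from the affected company; the event records, account names and host names are constructed, and the event IDs used (4698 scheduled task created, 4724 password reset attempted, 1102 audit log cleared) are the standard Windows Security log IDs for those actions.

```python
"""Added detection sketch: flag an account that creates a scheduled task and then
resets many passwords and/or clears the audit log within a short window."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Windows Security events (fabricated, not real logs).
# Event IDs: 4698 = scheduled task created, 4724 = password reset attempted,
# 1102 = audit log cleared. Account and host names are hypothetical.
SAMPLE_EVENTS = [
    {"time": "2023-11-22T21:02:10", "id": 4698, "subject": "svc_admin", "host": "DC01", "detail": "\\ResetPwd"},
    {"time": "2023-11-22T21:05:00", "id": 1102, "subject": "svc_admin", "host": "DC01", "detail": ""},
    # a routine, low-volume helpdesk reset earlier the same day (benign)
    {"time": "2023-11-22T09:00:00", "id": 4724, "subject": "helpdesk1", "host": "DC01", "detail": "user77"},
]
# six bulk resets of domain-admin accounts seconds after the task was created
SAMPLE_EVENTS += [
    {"time": f"2023-11-22T21:02:{12 + i:02d}", "id": 4724, "subject": "svc_admin",
     "host": "DC01", "detail": f"da{i:02d}"}
    for i in range(6)
]

def find_lockout_patterns(events, window=timedelta(hours=1), reset_threshold=5):
    """Return one finding per account whose scheduled-task creation is followed,
    within `window`, by at least `reset_threshold` distinct password resets.
    Each finding also records whether the audit log was cleared in that window."""
    by_subject = defaultdict(list)
    for e in events:
        by_subject[e["subject"]].append((datetime.fromisoformat(e["time"]), e))
    findings = []
    for subject, evs in by_subject.items():
        evs.sort(key=lambda pair: pair[0])  # chronological order per account
        for i, (t0, e0) in enumerate(evs):
            if e0["id"] != 4698:
                continue
            in_window = [e for t, e in evs[i:] if t - t0 <= window]
            resets = {e["detail"] for e in in_window if e["id"] == 4724}
            if len(resets) >= reset_threshold:
                findings.append({
                    "subject": subject,
                    "task_at": t0.isoformat(),
                    "resets": len(resets),
                    "log_cleared": any(e["id"] == 1102 for e in in_window),
                })
                break  # one finding per account is enough to raise an alert
    return findings

if __name__ == "__main__":
    for finding in find_lockout_patterns(SAMPLE_EVENTS):
        print(finding)
```

The threshold and window are tuning knobs; in a real environment the events would come from a SIEM export rather than the inline list, and the 1102 event should be treated as a high-severity signal on its own.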

He was arrested in Missouri on August 27 and released after an initial appearance in the Kansas City federal court. He’s been charged with extortion, intentional computer damage, and wire fraud and could face a maximum jail time of 35 years and a $750,000 fine.


Yadullah Abidi

Yadullah is a Computer Science graduate who writes/edits/shoots/codes all things cybersecurity, gaming, and tech hardware. When he's not, he streams himself racing virtual cars. He's been writing and reporting on tech and cybersecurity with websites like Candid.Technology and MakeUseOf since 2018. You can contact him here: yadullahabidi@pm.me.
