Future Tech

Feds claim sinister sysadmin locked up thousands of Windows workstations, demanded ransom

Tan KW
Publish date: Fri, 30 Aug 2024, 06:22 AM

A former infrastructure engineer who allegedly locked IT department colleagues out of their employer's systems, then threatened to shut down servers unless paid a ransom, has been arrested and charged after an FBI investigation.

Daniel Rhyne, 57, of Kansas City, Missouri, now faces up to 35 years behind bars for the alleged failed ransom attempt after being charged with one count of extortion in relation to a threat to cause damage to a protected computer, one count of intentional damage to a protected computer, and one count of wire fraud.

According to court documents [PDF], Rhyne hatched the scheme in November 2023 while working for an unnamed industrial company, headquartered in Somerset County, New Jersey.

His extortion scheme commenced at around 1600 EST on November 25, 2023, it's claimed, when network admins received password reset notifications for a domain administrator account and hundreds of user accounts. About 44 minutes later, the company's employees received an email with the subject line: "Your Network Has Been Penetrated."

The email warned workers that all IT admins were locked out, or had their accounts deleted, and all backups had been erased. Then came the threat to shut down 40 servers a day until a ransom was paid.

Rhyne allegedly scheduled tasks to delete 13 domain administrator accounts and change the passwords belonging to 301 domain user accounts and two local admin accounts. This would lock these users out of 254 Windows servers.

The suspected sinister sysadmin also changed passwords for two other local admin accounts that would affect 3,284 workstations, and shut down "several" servers and workstations over several days beginning in December 2023, prosecutors claimed.

Rhyne is said to have used the Windows net user command and the Sysinternals PsPasswd tool to modify these accounts and set their passwords to "TheFr0zenCrew!"

Very creative. But perhaps he should have let it go, if the Feds are right, because they claim they traced a hidden virtual machine used to remotely access an admin account back to Rhyne's company-issued laptop. He also used the same password, "TheFr0zenCrew!" for this compromised account.

The court documents also detail Rhyne's alleged web search history, which prosecutors said included lookups for phrases including, "command line to change password," "command line to change local administrator password," and "command line to remotely change local administrator password."

(Note to self: Don't Google "how to dispose of a body without getting caught.")

Additionally, the firm's security cameras and access logs allegedly recorded Rhyne entering the building immediately before logging into his company laptop, conducting suspicious searches, and looking at company password spreadsheets, while also accessing the hidden VM.

Rhyne made his initial court appearance in Kansas City federal court on August 27.

The charge of extortion in relation to a threat to cause damage to a protected computer carries a maximum penalty of five years in prison and a $250,000 fine. The charge of intentional damage to a protected computer carries a max penalty of 10 years and a $250,000 fine. And the wire fraud offense carries a max sentence of 20 years behind bars and a $250,000 fine. ®

 

https://www.theregister.com//2024/08/29/vm_engineer_extortion_allegations/
