Tuesday, January 7, 2025

A former IT employee has been arrested and charged with orchestrating a multimillion-dollar cyber extortion scheme targeting his previous employer.

A former IT engineer faces federal charges in the United States after his previous employer reported being locked out of its computer systems and receiving a demand for $750,000 to regain access.

Around 4 pm EST on November 25, 2023, employees at a major manufacturing company based in Somerset County, New Jersey, began receiving password reset alerts. Shortly afterwards, network administrators discovered that domain administrator accounts had been deleted, locking staff out of the company's computer systems.

Forty-four minutes later, staff received a threatening email from an unknown sender with the subject line “Your Community Has Been Compromised.”

The email warned the company that every administrator's account had been compromised, with lockouts and deletions carried out across the network, and that the company's backups had been deliberately erased, leaving sensitive data exposed. The ransom demand was stark: 20 Bitcoin (approximately US $750,000) in exchange for not shutting down an additional 40 servers every day.

Daniel Rhyne, 57, of Kansas City, Missouri, a former core infrastructure engineer, is alleged to have used a domain administrator account between November 8 and 25, 2023, to gain unauthorized access to the company's computer systems and run malicious code that:

  • changed administrator passwords to “TheFr0zenCrew!”
  • deleted administrator accounts
  • changed user account passwords to “TheFr0zeNCr3w!”
  • shut down multiple servers and workstations
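The sequence above (a burst of password resets and account deletions from one source in a matter of minutes) is exactly the kind of pattern a detection rule over Windows Security events can flag early. The following is an added example, not code from the article or the investigation; the event records are constructed, and the actor names, hostnames, and the 5-minute window and threshold of 3 are assumptions for the demonstration.

```python
"""Flag a burst of privileged-account tampering in Windows Security events.

Added example; not code from the article or the investigation. It scans a
constructed list of event records shaped like Windows Security log entries
for the pattern described above: many password resets (event ID 4724) and
account deletions (event ID 4726) issued by one actor within a short window.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events. Fields mirror the Security log: event ID,
# subject (who acted), target (which account), host (where it originated).
SAMPLE_EVENTS = [
    {"time": "2023-11-25 15:58:10", "id": 4724, "subject": "svc_infra", "target": "admin.alice", "host": "VM-UNKNOWN"},
    {"time": "2023-11-25 15:58:12", "id": 4724, "subject": "svc_infra", "target": "admin.bob", "host": "VM-UNKNOWN"},
    {"time": "2023-11-25 15:58:15", "id": 4726, "subject": "svc_infra", "target": "admin.carol", "host": "VM-UNKNOWN"},
    {"time": "2023-11-25 15:58:20", "id": 4726, "subject": "svc_infra", "target": "admin.dave", "host": "VM-UNKNOWN"},
    {"time": "2023-11-25 15:59:01", "id": 4724, "subject": "svc_infra", "target": "jsmith", "host": "VM-UNKNOWN"},
    # Routine help-desk resets hours apart: should not trigger an alert.
    {"time": "2023-11-25 09:12:00", "id": 4724, "subject": "helpdesk1", "target": "jdoe", "host": "HD-PC01"},
    {"time": "2023-11-25 11:40:00", "id": 4724, "subject": "helpdesk1", "target": "mlee", "host": "HD-PC01"},
]

TAMPER_EVENT_IDS = {4724: "password reset", 4726: "account deleted"}


def parse_events(events):
    """Convert timestamps to datetime objects and sort chronologically."""
    parsed = [dict(e, time=datetime.strptime(e["time"], "%Y-%m-%d %H:%M:%S")) for e in events]
    return sorted(parsed, key=lambda e: e["time"])


def find_tamper_bursts(events, window=timedelta(minutes=5), threshold=3):
    """Return one alert per (subject, host) whose tamper events reach
    `threshold` inside any sliding `window`."""
    by_actor = defaultdict(list)
    for e in parse_events(events):
        if e["id"] in TAMPER_EVENT_IDS:
            by_actor[(e["subject"], e["host"])].append(e)

    alerts = []
    for (subject, host), evs in by_actor.items():
        best = 0
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until the span fits within `window`.
            while evs[end]["time"] - evs[start]["time"] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            alerts.append({
                "subject": subject,
                "host": host,
                "count": best,  # densest number of tamper events in one window
                "first_seen": evs[0]["time"].isoformat(),
                "last_seen": evs[-1]["time"].isoformat(),
                "actions": sorted({TAMPER_EVENT_IDS[e["id"]] for e in evs}),
                # Constructed naming convention: privileged accounts start with "admin."
                "privileged_targets": sorted(e["target"] for e in evs if e["target"].startswith("admin.")),
            })
    return alerts


if __name__ == "__main__":
    for alert in find_tamper_bursts(SAMPLE_EVENTS):
        print(alert)
```

Grouping by both subject and originating host matters here: the same service account used from an unexpected host is a stronger signal than the account name alone, and the `privileged_targets` field lets a responder prioritise the alert when domain administrator accounts are among the victims.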

Investigators traced the attack to a remote desktop session originating from an unauthorized virtual machine (VM) running inside the company’s network. The same VM was also found to have performed a series of suspicious and incriminating internet searches in the days before the attack, including:

  • Discover how to establish a secure area persona password from the command line.
  • “delete a site [sic] account from the command line”
  • Can you shut down your PC from anywhere using Command Prompt?
  • Clear all Windows logs from the command line?
  • “web person syntax change password”

According to the court documents, the VM was accessed via a user account and laptop assigned for Rhyne’s exclusive use. Analysis showed that web browsing on Rhyne’s laptop stopped whenever the VM was active, suggesting that the same person was controlling both the VM and the laptop during this period.
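The attribution argument in the paragraph above is a timeline correlation: if one person operates both a laptop and a VM, browsing on the laptop should go quiet while the VM is in use. The following is an added example, not code from the article or the court documents; the VM session windows, the observation period, and both sets of browsing timestamps are constructed, and the suppression ratio used for the verdict is an assumption.

```python
"""Test whether one workstation's browsing goes quiet while a VM is active.

Added example; not code from the article or the investigation. It models the
correlation the court documents describe: if the same person operates both
a laptop and a VM, the laptop's web browsing should stop while the VM is in
use. All timestamps below are constructed.
"""
from datetime import datetime


def ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M")


# Constructed: remote-session activity windows on the VM (start, end).
VM_SESSIONS = [
    (ts("2023-11-20 10:00"), ts("2023-11-20 10:30")),
    (ts("2023-11-20 14:00"), ts("2023-11-20 14:20")),
]

# Constructed: the observation period (one workday) used for the baseline.
OBSERVATION = (ts("2023-11-20 09:00"), ts("2023-11-20 17:00"))

# Constructed: browsing events from a laptop that falls silent during VM sessions.
SUSPECT_BROWSING = [ts(f"2023-11-20 {t}") for t in (
    "09:05", "09:30", "09:50", "10:35", "10:50", "11:10", "11:40", "12:05",
    "12:30", "13:00", "13:20", "13:45", "14:25", "14:50", "15:15", "15:40",
    "16:05", "16:30", "16:50", "16:58",
)]

# Constructed: a second laptop whose browsing continues regardless of the VM.
CONTROL_BROWSING = SUSPECT_BROWSING + [ts("2023-11-20 10:10"), ts("2023-11-20 14:05")]


def inside_any(t, intervals):
    """True if timestamp t falls inside any half-open [start, end) interval."""
    return any(start <= t < end for start, end in intervals)


def quiet_during_vm(browse_times, vm_sessions, observation, suppression_ratio=0.5):
    """Compare the share of browsing seen inside VM windows with the share
    expected if the two streams were independent (VM-active time / total)."""
    if not browse_times:
        raise ValueError("no browsing events to evaluate")
    total_secs = (observation[1] - observation[0]).total_seconds()
    vm_secs = sum((end - start).total_seconds() for start, end in vm_sessions)
    expected = vm_secs / total_secs
    inside = sum(1 for t in browse_times if inside_any(t, vm_sessions))
    observed = inside / len(browse_times)
    return {
        "events": len(browse_times),
        "inside_vm_windows": inside,
        "expected_fraction": round(expected, 4),
        "observed_fraction": round(observed, 4),
        # Flag when browsing inside VM windows is far below the independent baseline
        # (assumed cut-off: less than half the expected share).
        "same_operator_suspected": observed < expected * suppression_ratio,
    }


if __name__ == "__main__":
    print("suspect:", quiet_during_vm(SUSPECT_BROWSING, VM_SESSIONS, OBSERVATION))
    print("control:", quiet_during_vm(CONTROL_BROWSING, VM_SESSIONS, OBSERVATION))
```

The baseline is what makes the comparison meaningful: with 50 VM-active minutes in an 8-hour day, roughly a tenth of unrelated browsing would be expected to land inside the VM windows, so zero such events across twenty browsing hits is a real anomaly rather than chance. On a real case the same test would be run over many days, since a single day's coincidence proves little.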

Prosecutors say the company’s CCTV and physical access records place Rhyne at its headquarters at specific times; those records immediately precede logins to his laptop, which were often followed by access to the virtual machine.

The charges against Rhyne are extortion, intentional damage to a protected computer, and wire fraud. If convicted, he faces up to 20 years in prison and fines of up to $750,000.
