IT worker charged over $750,000 cyber extortion plot against former employer

A former IT engineer is facing federal charges in the United States after his former employer found it had been locked out of its computer systems and received a demand for $750,000.

At approximately 4pm EST on November 25, 2023, staff at an industrial company headquartered in Somerset County, New Jersey, began to receive password reset notifications.  Shortly afterwards, network administrators discovered that domain administrator accounts had been deleted, denying access to the firm's computer systems.

44 minutes later, employees received an extortion email from an external address with the subject line "Your Network Has Been Penetrated".

The email warned the company that all of its administrators had either been locked out or deleted from the network, that the company's backups had been deleted, and that a further 40 servers would be shut down each day if a ransom of 20 Bitcoin (approximately US $750,000) was not paid.

57-year-old Daniel Rhyne, from Kansas City, Missouri, who worked as a core infrastructure engineer at the company has been accused of unauthorised access to the computer systems, exploiting a company administrator account to run malicious commands between November 8-25, 2023 that:

• changed administrator passwords to "TheFr0zenCrew!"
• deleted administrator accounts
• altered user account passwords to "TheFr0zenCrew!"
• scheduled the shutdown of numerous servers and workstations.

Investigators claim that they managed to pinpoint the attack to a remote desktop session that had originated on an unauthorised virtual machine (VM) running on the company's network. The same VM was also found to have done a number of incriminating web searches in the run-up to the attack, including:

• "How to set domain user password from command line"
• "how to delete a domain <sic> account from the command line"
• "how to remotely shutdown a computer using cmd"
• "how to clear all Windows logs from command line"
• "net user syntax change password"

According to court documents, the VM was accessed by a user account and laptop assigned to Rhyne. Rhyne's laptop was said to cease all internet browsing when internet browsing was occurring on the VM, suggesting that the same person was using both the VM and Rhyne's laptop.

Prosecutors also claim that the company's CCTV and physical access logs record when Rhyne physically entered their headquarters. Those records immediately precede Rhyne's user account logging into his laptop and, in many instances, then accessing the VM.

The charges against Rhyne include extortion, intentional damage to protected computers, and wire fraud. If found guilty, he faces a potential maximum prison sentence of 20 years and fines of up to $750,000.