A former core infrastructure engineer, Daniel Rhyne, 57, pleaded guilty to remotely accessing his former employer's network and locking Windows administrators out of 254 servers as part of an extortion attempt. He reset hundreds of account passwords to "TheFr0zenCrew!", deleted domain admin accounts, and threatened daily server shutdowns unless he was paid 20 bitcoin; investigators also found a hidden virtual machine and web searches he used to plan the attack. #DanielRhyne #WindowsDomainController
Key points
- Daniel Rhyne remotely accessed the company’s network using an administrator account between November 9 and November 25, 2023.
- He scheduled tasks to delete domain admin accounts and reset 13 domain admin and 301 domain user passwords to “TheFr0zenCrew!”.
- Password changes to local admin accounts affected 3,284 workstations and 254 servers, and some tasks shut down random systems in December.
- Rhyne emailed coworkers demanding 20 bitcoin and threatened to shut down 40 random servers daily if the ransom was not paid.
- Forensics found use of a hidden virtual machine and preparatory web searches; Rhyne was arrested in Missouri, pleaded guilty, and faces up to 15 years in prison.
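The technique described in the key points above (an authorised admin account bulk-resetting passwords, planting scheduled tasks and deleting domain admin accounts) leaves a distinctive trail in the Windows Security log: event 4724 (password reset attempt), 4726 (user account deleted) and 4698 (scheduled task created). The script below is an added detection example written for this page, not code from the case or from any investigator; it runs over a constructed JSON-lines export of those three events (the account names, task name and timestamps are hypothetical) and flags a burst of resets by one principal, deletion of accounts on a Tier-0 list, and scheduled tasks whose definition carries account-management or shutdown commands.

```python
"""Flag insider-style mass password resets, privileged-account deletions and
suspicious scheduled-task creation from Windows Security events.

Added example for this page. Input is a JSON-lines export such as a SIEM
would produce; all sample data below is constructed, not real telemetry."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Real Windows Security log event IDs.
EVT_PASSWORD_RESET = 4724   # An attempt was made to reset an account's password
EVT_ACCOUNT_DELETED = 4726  # A user account was deleted
EVT_TASK_CREATED = 4698     # A scheduled task was created

# Hypothetical Tier-0 list; in production derive it from Domain Admins membership.
PRIVILEGED_ACCOUNTS = {"da_admin1", "da_admin2"}

# Command fragments that should never appear in an ad-hoc task on a domain controller.
# In a real 4698 event the task definition is XML; substring matching still applies.
SUSPICIOUS_TASK_PATTERNS = ("net user", "set-adaccountpassword", "remove-aduser", "shutdown")


def _build_sample_log():
    """Constructed sample: 'svc_backup' resets 15 passwords in under three minutes,
    plants a task that resets a domain admin's password, and deletes a domain admin;
    'helpdesk1' performs two ordinary resets an hour apart and deletes a temp account."""
    base = datetime(2023, 11, 25, 2, 0, 0)
    rows = []
    for i in range(15):
        rows.append({"TimeCreated": (base + timedelta(seconds=10 * i)).isoformat(),
                     "EventID": EVT_PASSWORD_RESET, "SubjectUserName": "svc_backup",
                     "TargetUserName": f"user{i:03d}"})
    rows.append({"TimeCreated": (base + timedelta(minutes=3)).isoformat(),
                 "EventID": EVT_TASK_CREATED, "SubjectUserName": "svc_backup",
                 "TaskName": "\\Microsoft\\Windows\\UpdateCheck",
                 "TaskContent": 'cmd /c net user da_admin2 "TheFr0zenCrew!" /domain'})
    rows.append({"TimeCreated": (base + timedelta(minutes=4)).isoformat(),
                 "EventID": EVT_ACCOUNT_DELETED, "SubjectUserName": "svc_backup",
                 "TargetUserName": "da_admin1"})
    for h in (1, 2):
        rows.append({"TimeCreated": (base + timedelta(hours=h)).isoformat(),
                     "EventID": EVT_PASSWORD_RESET, "SubjectUserName": "helpdesk1",
                     "TargetUserName": f"staff{h:02d}"})
    rows.append({"TimeCreated": (base + timedelta(hours=3)).isoformat(),
                 "EventID": EVT_ACCOUNT_DELETED, "SubjectUserName": "helpdesk1",
                 "TargetUserName": "tmp_contractor"})
    return "\n".join(json.dumps(r) for r in rows)


SAMPLE_LOG = _build_sample_log()


def parse_events(text):
    """Parse JSON lines into dicts with TimeCreated as a datetime."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["TimeCreated"] = datetime.fromisoformat(rec["TimeCreated"])
        events.append(rec)
    return events


def _max_in_window(times, window):
    """Largest number of timestamps falling inside any sliding window of length `window`."""
    times = sorted(times)
    best = j = 0
    for i, start in enumerate(times):
        while j < len(times) and times[j] - start <= window:
            j += 1
        best = max(best, j - i)
    return best


def find_reset_bursts(events, threshold=10, window=timedelta(minutes=10)):
    """Map each principal that performed >= threshold resets inside `window` to that count."""
    by_subject = defaultdict(list)
    for e in events:
        if e["EventID"] == EVT_PASSWORD_RESET:
            by_subject[e["SubjectUserName"]].append(e["TimeCreated"])
    bursts = {}
    for subject, times in by_subject.items():
        peak = _max_in_window(times, window)
        if peak >= threshold:
            bursts[subject] = peak
    return bursts


def find_privileged_deletions(events, privileged=PRIVILEGED_ACCOUNTS):
    """(actor, deleted account) pairs where the deleted account is on the Tier-0 list."""
    return [(e["SubjectUserName"], e["TargetUserName"]) for e in events
            if e["EventID"] == EVT_ACCOUNT_DELETED
            and e["TargetUserName"].lower() in privileged]


def find_suspicious_tasks(events, patterns=SUSPICIOUS_TASK_PATTERNS):
    """(actor, task name, matched patterns) for newly created tasks with risky commands."""
    hits = []
    for e in events:
        if e["EventID"] != EVT_TASK_CREATED:
            continue
        content = e.get("TaskContent", "").lower()
        matched = [p for p in patterns if p in content]
        if matched:
            hits.append((e["SubjectUserName"], e["TaskName"], matched))
    return hits


def analyze(text):
    events = parse_events(text)
    return {"reset_bursts": find_reset_bursts(events),
            "privileged_deletions": find_privileged_deletions(events),
            "suspicious_tasks": find_suspicious_tasks(events)}


if __name__ == "__main__":
    print(json.dumps(analyze(SAMPLE_LOG), indent=2))
```

The burst threshold and window are deliberately loose (ten resets in ten minutes); tune them against your own help-desk baseline, and treat any 4698 on a domain controller created by an account that is not a known deployment principal as worth a look regardless of its content.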