Feds claim sinister sysadmin locked up thousands of Windows workstations, demanded ransom
- Reference: 1724956207
- News link: https://www.theregister.co.uk/2024/08/29/vm_engineer_extortion_allegations/
- Source link:
Daniel Rhyne, 57, of Kansas City, Missouri, now faces up to 35 years behind bars for the alleged failed ransom attempt after being charged with one count of extortion in relation to a threat to cause damage to a protected computer, one count of intentional damage to a protected computer, and one count of wire fraud.
According to court documents
[1]PDF
, Rhyne hatched the scheme in November 2023 while working for an unnamed industrial company, headquartered in Somerset County, New Jersey.[2]
His extortion scheme commenced at around 1600 EST on November 25, 2023, it's claimed, when network admins received password reset notifications for a domain administrator account and hundreds of user accounts. About 44 minutes later, the company's employees received an email with the subject line: "Your Network Has Been Penetrated."
[3]
[4]
The email warned workers that all IT admins were locked out, or had their accounts deleted, and all backups had been erased. Then came the threat to shut down 40 servers a day until a ransom was paid.
Rhyne allegedly scheduled tasks to delete 13 domain administrator accounts and change the passwords belonging to 301 domain user accounts and two local admin accounts. This would lock these users out of 254 Windows servers.
[5]
The suspected sinister sysadmin also changed passwords for two other local admin accounts that would affect 3,284 workstations, and shut down "several" servers and workstations over several days beginning in December 2023, prosecutors claimed.
Rhyne is said to have used Windows' net user and Sysinternals Utilities' PsPasswd tool to modify these accounts and change the passwords to "TheFr0zenCrew!"
Very creative. But perhaps he should have let it go, if the Feds are right, because they claim they traced a hidden virtual machine used to remotely access an admin account back to Rhyne's company-issued laptop. He also used the same password, "TheFr0zenCrew!" for this compromised account.
[6]Brain Cipher claims attack on Olympic venue, promises 300 GB data leak
[7]Iran's Pioneer Kitten hits US networks via buggy Check Point, Palo Alto gear
[8]Dick's Sporting Goods discloses cyberattack
[9]Volt Typhoon suspected of exploiting Versa SD-WAN bug since June
The court documents also detail Rhyne's alleged web search history, which prosecutors said included lookups for phrases including, "command line to change password," "command line to change local administrator password," and "command line to remotely change local administrator password."
(Note to self: Don't Google "how to dispose of a body without getting caught.")
[10]
Additionally, the firm's security cameras and access logs allegedly recorded Rhyne entering the building immediately before logging into his company laptop, conducting suspicious searches, and looking at company password spreadsheets, while also accessing the hidden VM.
Rhyne made his initial court appearance in Kansas City federal court on August 27.
The charge of extortion in relation to a threat to cause damage to a protected computer carries a maximum penalty of five years in prison and a $250,000 fine. The charge of intentional damage to a protected computer carries a max penalty of 10 years and a $250,000 fine. And the wire fraud offense carries a max sentence of 20 years behind bars and a $250,000 fine. ®
Get our [11]Tech Resources
[1] https://regmedia.co.uk/2024/08/29/daniel_rhyne_complaint.pdf
[2] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=2&c=2ZtDviIu5R_Rfu7wSPkW9eAAAABM&t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0
[3] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44ZtDviIu5R_Rfu7wSPkW9eAAAABM&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0
[4] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33ZtDviIu5R_Rfu7wSPkW9eAAAABM&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0
[5] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44ZtDviIu5R_Rfu7wSPkW9eAAAABM&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0
[6] https://www.theregister.com/2024/08/29/brain_cipher_olympic_attack/
[7] https://www.theregister.com/2024/08/28/iran_pioneer_kitten/
[8] https://www.theregister.com/2024/08/28/dickssporting_goods_runs_into_problems/
[9] https://www.theregister.com/2024/08/27/chinas_volt_typhoon_versa/
[10] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33ZtDviIu5R_Rfu7wSPkW9eAAAABM&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0
[11] https://whitepapers.theregister.com/
"now faces up to 35 years behind bars"
I hope he gets the full charge, and I hope he doesn't get out for good behavior.
You are an Admin. You have the moral duty to ensure the proper functioning of your company's network and the duty to ensure that all employees can do their job.
If you betray that trust and stoop to actually demand ransom for the accomplishment of your duty, you deserve to be shot - so be happy with whatever sentence your jury will hand you.
Re: "now faces up to 35 years behind bars"
Ah, good old Napoleonic Code, don't bother "if you are found guilty".
Re: "now faces up to 35 years behind bars"
I thought that was "guilotiny"
Re: "now faces up to 35 years behind bars"
You think he deserves 35 years for that? What do you want to see for more serious crimes like armed robbery, child molesting or murder? How many prisons do you want to build, because what we have now (when the US already imprisons more people than about any country) would clearly not be enough if you are handing out the maximum sentence allowed for everyone.
Ultimately no one was in danger from what he did. If he was holding a hospital IT system hostage and it caused ER delays that may have lead to a death then you'd have an argument for such a harsh sentence. The only consequence here was a hit to the bottom line. Not saying he should get off with a slap on the wrist, but 35 years for what he did is absolutely batshit insane!
Desktop calculator number crunching
So that's what, 314 windows admins for windows 254 servers serving 3284 windows workstations? That's one windows server serving just shy of 13 windows workstations. One windows admin per just over 11 windows machines.
I also like that this windows "infrastructure engineer" gets caught by googling how to automate (his nefarious scheme). Not just him but this whole windows outfit smells like mediocrity at scale.
Re: Desktop calculator number crunching
...and make me wonder if he's just the fall guy for a level 1 BOFH :-)
Re: Desktop calculator number crunching
Have an upvote, but I have to believe that some of the Admin accounts were probably service accounts, and I'm betting that some admin accounts didn't need to be admins, but as you say "mediocrity at scale." Googling your plot at work on work owned hardware, geesh what an amateur! Isn't that what Charbucks and a burner phone are for? OK, I've said enough...
Re: Desktop calculator number crunching
I think what caught me offguard was the 'Hidden VM' Like, how do you hide a VM? Sure a physical server you could hide, but a vm? It's gotta exist on a hypervisor, so it was on a list somewhere. IDK, maybe someone here could enlighten me.
Dodgy google searches
FTFA: ”(Note to self: Don't Google ‘how to dispose of a body without getting caught.’)”
Indeed. Instead, you should know to shoot a quick IM or e-mail to Simon Travaglia, the recognized expert on such things around here.
Re: Dodgy google searches
IM or e-mail to Simon Travaglia.
If you've been around The Reg long enough, you 'should' know ;-}. No need to bother Simon, https://www.theregister.com/offbeat/bofh/ I'm sure he's busy writing another episode!
I wonder what he was disgruntled about.
He could of farmed it out to some group in Saint Petersburg or Shanghai
and maybe taken up a life on the lam - or more likely a mysterious death.