Ransomware threat actors don’t always have to come from outside the victim organization – take Daniel Rhyne, a 57-year-old man from Kansas City, Missouri, who is being charged with locking down, and trying to extort, his own employer.
Allegedly, late last year, Rhyne was working at an industrial company in Somerset County, New Jersey. One day in November, he reset passwords to all network administrator accounts, as well as hundreds of user accounts. He deleted all backups and locked users out of hundreds of servers and thousands of workstations. Roughly an hour later, he mailed everyone to notify them of the attack and to demand a ransom in exchange for re-establishing access.
These claims are being made by the FBI, which investigated the attack and later charged the man with one count of extortion in relation to a threat to cause damage to a protected computer, one count of intentional damage to a protected computer, and one count of wire fraud.
TheFr0zenCrew!
Cumulatively, should he be convicted on all charges, Rhyne could be facing up to 35 years in jail, and a fine of $500,000, The Register reports.
The FBI shared a few details to back its claims. For example, Rhyne used Windows’ net user and Sysinternals Utilities’ PsPasswd tool to change people’s passwords to “TheFr0zenCrew!”. Furthermore, he kept a hidden virtual machine on his company-issued laptop, which he used to remotely access an admin account. This account had the same password – TheFr0zenCrew!.
Also, he used his company-issued laptop to search for a few damning things, such as “command line to change password,” “command line to change local administrator password,” and “command line to remotely change local administrator password.”
Finally, he was seen coming to work, logging into his laptop, doing the searches, and then looking at company password spreadsheets, while at the same time accessing the hidden VM.
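The mass password changes described above leave a recognizable trail in process-creation logs: one account running many net user or PsPasswd commands in a short window. The following Python sketch is an added example, not taken from the FBI's filing or from the reporting, showing how a defender might flag that pattern. The record layout, account names, threshold and window are assumptions, and the sample events are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records: (timestamp, initiating account, command line).
# The layout is an assumption modelled on process-creation logging.
SAMPLE_EVENTS = [
    ("2024-01-15T09:00:00", r"CORP\helpdesk1", "net user jsmith * /domain"),
    ("2024-01-15T09:40:00", r"CORP\helpdesk1", "net user jsmith /domain"),
    ("2024-01-15T10:15:00", r"CORP\helpdesk1", "net user temp1 Example#Pass1 /add"),
    ("2024-01-15T11:30:00", r"CORP\helpdesk1", "net user akhan * /domain"),
] + [
    (f"2024-01-15T16:0{i}:00", r"CORP\adm_ops",
     f"net user user{i} Example#Pass1 /domain" if i % 2
     else rf"pspasswd.exe \\SRV{i} Administrator Example#Pass1")
    for i in range(6)
]

# "net user <name> <password|*>": both tokens must be non-switch arguments,
# so the read-only query "net user <name> /domain" does not match.
NET_USER = re.compile(r"\bnet1?(?:\.exe)?\s+user\s+(?!/)\S+\s+(?!/)\S+", re.I)
PSPASSWD = re.compile(r"\bpspasswd(?:64)?(?:\.exe)?\b", re.I)

def is_password_change(cmdline):
    """True if the command line looks like a password change on an existing account."""
    if PSPASSWD.search(cmdline):
        return True
    # "/add" creates an account and "/delete" removes one; neither is a reset.
    return bool(NET_USER.search(cmdline)) and not re.search(r"/(add|delete)\b", cmdline, re.I)

def find_bursts(events, threshold=5, window=timedelta(minutes=10)):
    """Return {account: peak count} for accounts that issued at least
    `threshold` password-change commands inside any sliding `window`."""
    recent, peaks = defaultdict(deque), {}
    for ts, account, cmdline in sorted(events):
        if not is_password_change(cmdline):
            continue
        q = recent[account]
        t = datetime.fromisoformat(ts)
        q.append(t)
        while t - q[0] > window:  # drop events that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            peaks[account] = max(peaks.get(account, 0), len(q))
    return peaks

if __name__ == "__main__":
    print(find_bursts(SAMPLE_EVENTS))
```

The routine help-desk activity in the sample stays below the threshold, while the burst from the single administrative account is reported with its peak count.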
Via The Register