Former Employee Arrested for Attempted Data Extortion Targeting Industrial Company
Introduction
On August 28, 2024, the U.S. Attorney's Office for the District of New Jersey announced the arrest of Daniel Rhyne, a former employee of a U.S.-based industrial company headquartered in Somerset County, New Jersey. Rhyne, aged 57 and a resident of Kansas City, Missouri, is accused of attempting to extort his former employer by threatening to damage its computer network unless a ransom of 20 Bitcoin (approximately $750,000 at the time) was paid.
Rhyne is charged with three counts:
- Extortion in relation to a threat to cause damage to a protected computer.
- Intentional damage to a protected computer.
- Wire fraud.
Report Overview
Rhyne was a core infrastructure engineer at the company, responsible for managing virtual machines and maintaining the company's network infrastructure. On November 25, 2023, the company's employees received an extortion email claiming that all IT administrators had been locked out of or deleted from the company's network, that backups had been erased, and that additional servers would be shut down every day over a 10-day period unless the ransom was paid. The email, later traced back to Rhyne, was the culmination of a series of unauthorized actions on the company's network.
The investigation found that Rhyne had gained unauthorized access to the company's systems by remotely logging on with an administrator account. From a hidden virtual machine, he scheduled several malicious tasks on the company's domain controller, including tasks to change administrator passwords and to shut down servers. Forensic analysis showed that Rhyne had used Sysinternals PsPasswd to change passwords and had searched online for command-line methods to delete domain accounts and remotely shut down computers. The same password, "TheFr0zenCrew!", appeared both in the extortion email and in the unauthorized password changes, tying Rhyne to the activity.
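The tradecraft described above (scheduled tasks on a domain controller that invoke PsPasswd, shutdown or net user, followed by a burst of administrator password resets) is detectable from ordinary Windows Security auditing. The Python below is an added example, not code from the charging documents or from the victim company: it hunts for that pattern in exported Security events, treating Event ID 4698 (scheduled task created) and Event ID 4724 (password reset attempt) as SIEM-style JSON records. The records, field names, host name, account names and task names are constructed for the example.

```python
"""Hunt for admin-lockout tradecraft in Windows Security events.

Added example; the records below are CONSTRUCTED to resemble Event ID 4698
(scheduled task created) and 4724 (password reset attempt) exported from a
SIEM. Field names ("ts", "id", "host", "actor", "task", "action", "target")
are assumptions, not a real export schema.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Task actions matching the tradecraft in the complaint: Sysinternals
# PsPasswd, shutdown.exe with /s or /r, and "net user" password changes.
SUSPICIOUS_ACTION = re.compile(
    r"(pspasswd(?:64)?\.exe|\bshutdown(?:\.exe)?\s+/[sr]\b|\bnet\s+user\b)",
    re.IGNORECASE,
)
RESET_THRESHOLD = 3                  # distinct targets resets by one actor ...
RESET_WINDOW = timedelta(minutes=10)  # ... within this window is a burst

SAMPLE_EVENTS = [  # constructed telemetry, not from the real incident
    {"ts": "2023-11-25T06:01:12", "id": 4698, "host": "DC01",
     "actor": "CORP\\svc_vmadmin", "task": "\\Microsoft\\Windows\\Update\\Sync",
     "action": "C:\\Tools\\PsPasswd64.exe \\\\* -u CORP\\admin1 -p TheFr0zenCrew!"},
    {"ts": "2023-11-25T06:01:40", "id": 4698, "host": "DC01",
     "actor": "CORP\\svc_vmadmin", "task": "\\Maint\\Shutdown1",
     "action": "C:\\Windows\\System32\\shutdown.exe /s /f /m \\\\APP03 /t 0"},
    {"ts": "2023-11-25T06:02:05", "id": 4698, "host": "DC01",
     "actor": "CORP\\svc_backup", "task": "\\Backup\\Nightly",
     "action": "C:\\Program Files\\BackupVendor\\backup.exe /nightly"},
    {"ts": "2023-11-25T06:03:00", "id": 4724, "host": "DC01",
     "actor": "CORP\\svc_vmadmin", "target": "CORP\\admin1"},
    {"ts": "2023-11-25T06:03:02", "id": 4724, "host": "DC01",
     "actor": "CORP\\svc_vmadmin", "target": "CORP\\admin2"},
    {"ts": "2023-11-25T06:03:04", "id": 4724, "host": "DC01",
     "actor": "CORP\\svc_vmadmin", "target": "CORP\\admin3"},
    {"ts": "2023-11-24T09:15:00", "id": 4724, "host": "DC01",
     "actor": "CORP\\helpdesk1", "target": "CORP\\jsmith"},
]


def flag_suspicious_tasks(events):
    """Return 4698 events whose task action matches SUSPICIOUS_ACTION."""
    return [e for e in events
            if e["id"] == 4698 and SUSPICIOUS_ACTION.search(e["action"])]


def flag_password_reset_bursts(events, threshold=RESET_THRESHOLD,
                               window=RESET_WINDOW):
    """Map actor -> sorted targets for actors that reset >= threshold
    distinct accounts (4724) within `window`. A single helpdesk reset
    does not trip this; the tasks above do."""
    by_actor = defaultdict(list)
    for e in events:
        if e["id"] == 4724:
            by_actor[e["actor"]].append(
                (datetime.fromisoformat(e["ts"]), e["target"]))
    hits = {}
    for actor, resets in by_actor.items():
        resets.sort()
        for i, (start, _) in enumerate(resets):
            targets = {t for ts, t in resets[i:] if ts - start <= window}
            if len(targets) >= threshold:
                hits[actor] = sorted(targets)
                break
    return hits


if __name__ == "__main__":
    for e in flag_suspicious_tasks(SAMPLE_EVENTS):
        print(f"[task]  {e['ts']} {e['host']} {e['actor']} {e['task']}: {e['action']}")
    for actor, targets in flag_password_reset_bursts(SAMPLE_EVENTS).items():
        print(f"[burst] {actor} reset {len(targets)} accounts: {', '.join(targets)}")
```

Event ID 4698 is only written when the "Audit Other Object Access" subcategory is enabled on the domain controller, and 4724 requires "Audit User Account Management"; both should be forwarded off-host, since an attacker with this level of access can clear local logs. The regex is a starting point and should be extended with whatever tooling your own administrators use for mass password changes.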
Had the attack succeeded, it would have severely disrupted the company's operations, with significant financial and reputational damage. The company serves critical industries such as healthcare, manufacturing, and biopharmaceuticals, so widespread operational failures would have had downstream effects beyond the company itself. The FBI, under the direction of Special Agent in Charge James E. Dennehy in Newark, led the investigation that stopped the extortion before it caused further harm. The incident is a stark reminder that insiders with administrative access can inflict damage on the scale of an external ransomware actor.
Insights and Analysis
The U.S. Attorney's Office credited the swift action of the FBI in both New Jersey and Kansas City for Rhyne's arrest. U.S. Attorney Philip R. Sellinger highlighted the importance of vigilance and robust cybersecurity measures in protecting against internal threats. The case emphasizes the need for companies to closely monitor access to their networks, particularly when employees with significant system privileges depart under strained circumstances.
Organizations should implement comprehensive access controls and regularly audit network activity to identify and stop unauthorized access. In particular, the Rhyne case shows why offboarding must be enforced strictly and completely for privileged staff: it is not enough to disable the departing employee's named account. Any shared or administrator credentials they knew should be rotated, and their ability to reach infrastructure remotely should be removed, including through virtual machines they created, since here the malicious tasks were scheduled from a hidden VM using an administrator account rather than through the engineer's own identity.
The arrest of Daniel Rhyne illustrates the risk posed by privileged insiders. As companies increasingly rely on digital infrastructure, securing these systems against both external and internal attacks is paramount. The investigation and arrest also show the value of collaboration between law enforcement and the private sector in combating cybercrime; the company's reporting and preserved forensic evidence made the attribution possible.
Indicators of Compromise (IOCs)
| Indicator | Type | Description |
|---|---|---|
| "TheFr0zenCrew!" | Password | Set on domain administrator accounts during the unauthorized password changes and quoted in the extortion email; also used for the hidden virtual machine. |
| Extortion Email Address | Email Address | Sender of the extortion email received by company employees on November 25, 2023; the address itself is not reproduced here. |
| Hidden Virtual Machine | Virtual Machine | Unauthorized virtual machine from which the malicious scheduled tasks were created on the domain controller. |
MITRE ATT&CK Table
| Tactic | Technique | ID | Description |
|---|---|---|---|
| Execution, Persistence | Scheduled Task/Job: Scheduled Task | T1053.005 | Scheduling tasks on the domain controller to change passwords and shut down servers on a timer. |
| Persistence | Account Manipulation | T1098 | Changing domain user and administrator passwords (via PsPasswd) to retain control of accounts. |
| Impact | Data Destruction | T1485 | Deleting backups, as claimed in the extortion email, to prevent recovery. |
| Impact | Account Access Removal | T1531 | Resetting passwords and deleting domain administrator accounts to lock out legitimate administrators. |
| Impact | System Shutdown/Reboot | T1529 | Scheduled shutdown of servers, with further shutdowns threatened daily over 10 days. |
| Command and Control | Remote Access Tools | T1219 | Remote desktop sessions into the administrator account and hidden virtual machine to control the network. |