Man admits to locking Windows devices in extortion plot
By Sergiu Gatlan
April 3, 2026 05:04 AM

A former core infrastructure engineer has pleaded guilty to locking Windows admins out of 254 servers as part of a failed extortion plot targeting his employer, an industrial company headquartered in Somerset County, New Jersey.

According to court documents, 57-year-old Daniel Rhyne from Kansas City, Missouri, remotely accessed the company's network without authorization using an administrator account between November 9 and November 25.

Throughout this time, he allegedly scheduled tasks on the company's Windows domain controller to delete network admin accounts and to change the passwords for 13 domain admin accounts and 301 domain user accounts to "TheFr0zenCrew!".

The prosecutors also accused Rhyne of scheduling tasks to change the passwords for two local admin accounts, which would affect 3,284 workstations, and for two more local admin accounts, which would impact 254 servers on his employer's network. He also scheduled some tasks to shut down random servers and workstations on the network over multiple days in December 2023.

Subsequently, on November 25, Rhyne emailed a number of his coworkers a ransom email titled "Your Network Has Been Penetrated," saying that all IT administrators had been locked out of their accounts and that server backups had been deleted to make data recovery impossible.

Additionally, the emails threatened to shut down 40 random servers daily over the next ten days unless the company paid a ransom of 20 bitcoin (worth roughly $750,000 at the time).

"On or about November 25, 2023, at approximately 4:00 p.m. EST, network administrators employed at Victim-1 began receiving password reset notifications for a Victim-1 domain administrator account, as well as hundreds of Victim-1 user accounts," the criminal complaint reads.

"Shortly thereafter, the Victim-1 network administrators discovered that all other Victim-1 domain administrator accounts were deleted, thereby denying domain administrator access to Victim-1's computer networks."

Forensic investigators found that on November 22, Rhyne used a hidden virtual machine and his account to search the web for information on clearing Windows logs, changing domain user passwords, and deleting domain accounts as he planned his extortion plot.

One week earlier, Rhyne made similar web searches on his laptop, including "command line to remotely change local administrator password" and "command line to change local administrator password."

Rhyne was arrested in Missouri on Tuesday, August 27, and released after his initial appearance in federal court. The hacking and extortion charges to which he pleaded guilty carry a maximum penalty of 15 years in prison.

Earlier this month, a North Carolina data analyst contractor was found guilty of extorting his employer, Brightly Software (a Software-as-a-Service company previously known as SchoolDude), for $2.5 million.