Ransomware threat actors don't always have to come from outside the victim organization — take Daniel Rhyne, a 57-year-old man from Kansas City, Missouri, who is being accused of shutting down and trying to extort his own employer.
Late last year, Rhyne allegedly worked at an industrial company in Somerset County, New Jersey. One day in November, he reset the passwords for all network administrator accounts, as well as hundreds of user accounts. He deleted all backups and locked users out of hundreds of servers and thousands of workstations. About an hour later, he sent an email to everyone notifying them of the attack and demanding a ransom in exchange for restoring access.
These claims are being made by the FBI, which investigated the attack and later charged the man with one count of extortion in connection with a threat to cause damage to a protected computer, one count of intentional damage to a protected computer and one count of wire fraud.
In all, if convicted on all charges, Rhyne could face up to 35 years in prison and a $500,000 fine.
The FBI shared some details to back up its claims. For example, Rhyne used the Windows net user command and the Sysinternals PsPasswd utility to change people's passwords to “TheFr0zenCrew!”. Additionally, he kept a hidden virtual machine on his company-issued laptop, which he used to remotely access an administrator account. This account had the same password: TheFr0zenCrew!.
He also used his company-provided laptop to search for some compromising stuff, including “command line to change password,” “command line to change local administrator password,” and “command line to remotely change local administrator password.”
He was eventually seen arriving at work, logging into his laptop, performing the searches, and then looking at the company's password spreadsheets, while simultaneously accessing the hidden virtual machine.
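The pattern described above (one actor resetting every administrator and hundreds of user passwords within minutes) is detectable from Windows Security logs. The following is an added example, not from the article or the FBI complaint: it scans constructed Event ID 4724 ("an attempt was made to reset an account's password") records and flags any subject that resets an unusual number of distinct accounts inside a short window. The sample events, the five-minute window and the threshold of five accounts are assumptions.

```python
"""Flag burst password resets (Windows Security Event ID 4724) by a single actor."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, event_id, SubjectUserName, TargetUserName).
# svc_admin mimics an insider driving net user / PsPasswd against many accounts.
SAMPLE_EVENTS = [
    ("2023-11-25T10:00:01", 4724, "jdoe", "jdoe"),           # ordinary single reset
    ("2023-11-25T10:05:00", 4724, "svc_admin", "admin01"),
    ("2023-11-25T10:05:02", 4724, "svc_admin", "admin02"),
    ("2023-11-25T10:05:03", 4724, "svc_admin", "admin03"),
    ("2023-11-25T10:05:04", 4724, "svc_admin", "alice"),
    ("2023-11-25T10:05:05", 4724, "svc_admin", "bob"),
    ("2023-11-25T10:05:06", 4724, "svc_admin", "carol"),
    ("2023-11-25T11:30:00", 4724, "helpdesk", "dave"),        # normal helpdesk pace
    ("2023-11-25T16:00:00", 4724, "helpdesk", "erin"),
]


def find_reset_bursts(events, window=timedelta(minutes=5), threshold=5):
    """Return {subject: (count, sorted_targets)} for every subject that reset
    at least `threshold` distinct accounts within any sliding `window`."""
    by_subject = defaultdict(list)
    for ts, event_id, subject, target in events:
        if event_id != 4724:          # only account password resets
            continue
        by_subject[subject].append((datetime.fromisoformat(ts), target))

    alerts = {}
    for subject, resets in by_subject.items():
        resets.sort()                 # chronological order per actor
        start = 0
        for end in range(len(resets)):
            # Slide the left edge until the span fits inside the window.
            while resets[end][0] - resets[start][0] > window:
                start += 1
            targets = {t for _, t in resets[start:end + 1]}
            # Keep the largest burst seen for this subject.
            if len(targets) >= threshold and len(targets) > alerts.get(subject, (0,))[0]:
                alerts[subject] = (len(targets), sorted(targets))
    return alerts


if __name__ == "__main__":
    for who, (count, accounts) in find_reset_bursts(SAMPLE_EVENTS).items():
        print(f"ALERT: {who} reset {count} accounts: {', '.join(accounts)}")
```

In a real deployment the same logic would consume 4724 events from a SIEM, and a hit on administrator accounts or on more than a handful of targets from one workstation warrants an immediate look, since by the time the ransom email arrives the backups may already be gone.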