The attack from within: the former employee who locked out the administrators, erased backups and demanded a bitcoin ransom

Published. 5 min read.

A former employee responsible for the core infrastructure of an industrial company based in Somerset County, New Jersey, pleaded guilty after an extortion scheme that ended up locking Windows administrators out of hundreds of company computers. According to the court documents published by the U.S. Attorney's Office, the accused, identified as Daniel Rhyne, acted from his administrative account and scheduled a series of tasks that altered credentials and accounts across the corporate network on a massive scale between early and late November 2023. Official information is available in the court documents and in the announcement by the U.S. Attorney's Office for the District of New Jersey on his guilty plea: DOJ press release.

The maneuver was not a simple password change: forensic records show that Rhyne scheduled tasks on the domain controller to delete domain administrator accounts and to force password resets on hundreds of user and administrator accounts, replacing them with a single password identified in the investigation. In addition, he tampered with local administrator accounts, affecting thousands of workstations and 254 servers, and left scheduled shutdown commands for random machines on subsequent days. All this was followed by an email sent by Rhyne himself to several colleagues on 25 November, in which he stated that the administrators had been locked out and that the backups had been deleted, demanding a bitcoin ransom in exchange for stopping the scheduled shutdowns.


The investigation found web searches, made from hidden virtual machines and devices, on how to clear Windows event logs, change domain passwords from the command line and delete domain accounts. These traces on the systems, together with the timing of the actions, were decisive for investigators in reconstructing the insider attack. After his arrest in August, Rhyne pleaded guilty to federal charges that carry a maximum sentence of up to 15 years in prison, according to the U.S. Attorney's Office.

This case highlights a lesson that is repeated in similar incidents: the greatest risk is not always a sophisticated external actor, but someone with privileges and knowledge of the network. When the person managing the infrastructure uses that access to cause deliberate damage, traditional defenses may be insufficient. Tools and practices such as separation of duties, strict control of privileged accounts, automatic rotation of unique local passwords, and dedicated workstations for administrative tasks are measures that reduce the insider attack surface. Microsoft, for example, offers LAPS to manage local administrator passwords, as well as documentation on Active Directory security practices that can help companies harden their environments: Microsoft LAPS and the Active Directory security guides in Microsoft documentation.

Prevention also involves backup strategies that resist deliberate deletion, as well as continuous monitoring and detection of anomalies in administrative actions. The US Cybersecurity and Infrastructure Security Agency (CISA) publishes recommendations and roadmaps on how to deal with ransomware and the risk of insider threats, which are useful for organizations of all sizes: CISA guide and resources on ransomware. Implementing multifactor authentication for administrative access, separating day-to-day accounts from privileged accounts and applying the principle of least privilege are basic but effective steps to limit potential damage.
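The actions described above (scheduled tasks staged on the domain controller, a burst of password resets, deletion of admin accounts, and an attempt to clear the logs) each leave a Windows Security audit event, so the "continuous monitoring of administrative actions" this paragraph calls for can be reduced to a few simple rules. The following is an added example, not code from the article or from any product it mentions: it runs those rules over constructed sample audit records. The event IDs (4698, 4724, 4726, 1102) are real Windows Security event identifiers; the line format, account names, thresholds and time windows are assumptions for the example and would be tuned per environment.

```python
"""Added example: flag insider-style mass credential changes in Windows
Security audit events. Sample records below are constructed for this
example and are not logs from the case."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Windows Security event IDs used here (real identifiers):
#   4698  a scheduled task was created
#   4724  an attempt was made to reset an account's password
#   4726  a user account was deleted
#   1102  the audit log was cleared
TASK_CREATED, PASSWORD_RESET, ACCOUNT_DELETED, LOG_CLEARED = 4698, 4724, 4726, 1102

# Detection thresholds (assumed values for this example; tune per environment).
RESET_THRESHOLD, RESET_WINDOW = 20, timedelta(minutes=10)
DELETE_THRESHOLD, DELETE_WINDOW = 3, timedelta(minutes=10)
STAGING_LOOKBACK = timedelta(hours=1)

# Constructed account names (hypothetical).
INSIDER, HELPDESK = "CORP\\svc_infra", "CORP\\helpdesk01"


def _build_sample_lines():
    """Constructed log lines: '<timestamp> <event id> <subject account> <target>'."""
    base = datetime(2023, 11, 9, 8, 0, tzinfo=timezone.utc)
    lines = [
        f"{base.isoformat()} {TASK_CREATED} {INSIDER} Maintenance_ResetAll",
        f"{(base + timedelta(seconds=5)).isoformat()} {TASK_CREATED} {INSIDER} Maintenance_DropAdmins",
    ]
    for i in range(30):  # 30 password resets by one account in 90 seconds
        ts = base + timedelta(minutes=1, seconds=3 * i)
        lines.append(f"{ts.isoformat()} {PASSWORD_RESET} {INSIDER} CORP\\user{i:03d}")
    for i in range(5):  # five account deletions by the same account
        ts = base + timedelta(minutes=3, seconds=10 * i)
        lines.append(f"{ts.isoformat()} {ACCOUNT_DELETED} {INSIDER} CORP\\da_{i}")
    lines.append(f"{(base + timedelta(minutes=5)).isoformat()} {LOG_CLEARED} {INSIDER} -")
    # Benign baseline: a help-desk account resetting a single password later that day.
    lines.append(f"{(base + timedelta(hours=2)).isoformat()} {PASSWORD_RESET} {HELPDESK} CORP\\user999")
    return lines


SAMPLE_LINES = _build_sample_lines()


def parse_event(line):
    """Parse one constructed log line into a dict."""
    ts, event_id, subject, target = line.split(" ", 3)
    return {"ts": datetime.fromisoformat(ts), "id": int(event_id), "subject": subject, "target": target}


def max_in_window(timestamps, window):
    """Largest number of events in a sorted timestamp list that fall inside any one window."""
    best, start = 0, 0
    for end, ts in enumerate(timestamps):
        while ts - timestamps[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def subjects_over_threshold(events, event_id, threshold, window):
    """Map subject -> peak count for subjects that generate >= threshold events of event_id per window."""
    per_subject = defaultdict(list)
    for e in events:
        if e["id"] == event_id:
            per_subject[e["subject"]].append(e["ts"])
    peaks = {s: max_in_window(sorted(t), window) for s, t in per_subject.items()}
    return {s: n for s, n in peaks.items() if n >= threshold}


def analyze(lines):
    """Apply the detection rules and return the alerts grouped by rule."""
    events = sorted((parse_event(l) for l in lines), key=lambda e: e["ts"])
    resets = subjects_over_threshold(events, PASSWORD_RESET, RESET_THRESHOLD, RESET_WINDOW)
    deletes = subjects_over_threshold(events, ACCOUNT_DELETED, DELETE_THRESHOLD, DELETE_WINDOW)
    cleared = sorted({e["subject"] for e in events if e["id"] == LOG_CLEARED})
    # A scheduled task created by the same subject shortly before its reset burst is the staging step.
    first_reset = {}
    for e in events:
        if e["id"] == PASSWORD_RESET:
            first_reset.setdefault(e["subject"], e["ts"])
    staged = sorted({
        e["subject"] for e in events
        if e["id"] == TASK_CREATED and e["subject"] in resets
        and timedelta(0) <= first_reset[e["subject"]] - e["ts"] <= STAGING_LOOKBACK
    })
    return {
        "mass_password_reset": resets,
        "mass_account_deletion": deletes,
        "audit_log_cleared": cleared,
        "task_staged_by_burst_subject": staged,
    }


if __name__ == "__main__":
    for rule, hits in analyze(SAMPLE_LINES).items():
        print(f"{rule}: {hits}")
```

The sliding-window count is what separates the help-desk account (one reset in a day) from the account that reset thirty passwords in ninety seconds; the same peak-per-window logic applies unchanged to account deletions. A real deployment would read these events from the domain controllers' Security logs or a SIEM rather than from strings, and would add the 4698 task body to the alert so a responder can see what the task was set to run.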

Beyond technical controls, this episode serves as a reminder of the importance of clear policies on remote access and periodic privilege reviews. An employee with knowledge of the network and standing access can turn that experience into a weapon if there are no adequate detection and containment barriers. The forensic investigation that uncovered specific searches and the use of hidden virtual machines shows that, on many occasions, the digital trail exists and can lead to criminal liability when there is bad faith.


Cases such as this are not unique: in recent months other incidents have come to light where workers or subcontractors have tried to take advantage of privileged data or access. The accumulation of these events has prompted organizations to rethink the management of privileged identities and accesses, as well as to strengthen their incident response plans to ensure rapid recovery without giving in to extortion.

Reading the official documents and the U.S. Attorney's Office announcements gives a direct view of how the attack took place and what evidence pointed to the perpetrator: for those who want to dig deeper, the Department of Justice keeps the press releases and the case documents on its website (see the DOJ link on the guilty plea and the associated court documents).

If there is a clear conclusion, it is that technological security requires not only perimeter barriers, but also rigorous internal controls, continuous monitoring and an organizational culture that detects and acts on risk signals. The combination of good technical practices and human oversight is the best defense against attacks that, precisely because they are born from within, seek to take advantage of the greatest asset companies have: trust in their own staff.
