When the Good Guys Go Bad

This is, unfortunately, not the first time I have seen stories like this.

And, to make matters worse, it is a really hard crime to stop.

The feds are not releasing the name of the company, but it will eventually come out. A Somerset County, NJ “industrial company” was locked out of 254 servers after a former core infrastructure engineer tried to extort the company.

The former employee sent a message that said that he was going to shut down 40 random servers on the company’s network each day for the next 10 days if they didn’t pay him a ransom of 20 Bitcoin or around $750,000.

He remotely accessed the servers between November 9 and November 25 and scheduled tasks to change the administrator passwords for 13 domain admin accounts and also 301 domain user accounts.

He also scheduled tasks to change two passwords for local admin accounts impacting 254 servers and two more local admin accounts impacting 3,284 workstations.

Finally, he scheduled tasks to shut down random servers and workstations over multiple days in December 2023.

Forensic investigators identified him because, although he tried to hide his Google searches by running them inside a hidden virtual machine, he did not hide them well enough.

On November 25th, admins started receiving password reset notifications for domain admin and user accounts. All other domain admin accounts had been deleted.
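The pattern above (one actor rotating passwords on many accounts in a short window, deleting the remaining privileged accounts, and creating scheduled tasks just beforehand) is exactly the kind of thing a log-based rule can flag before the shutdown tasks fire. The following detector is an added example written for this post; it is not code from the original article or from the Bleeping Computer report. The event IDs are the standard Windows Security log IDs (4724 password reset, 4726 account deleted, 4698 scheduled task created), but the JSON-lines layout, account names, thresholds and the `detect`/`parse_log` function names are constructed assumptions for this illustration.

```python
"""Flag a burst of password resets by one actor, deletion of privileged
accounts, and scheduled-task creation shortly before the burst.
Added example; the log format and sample data are constructed."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional
import json

# Real Windows Security log event IDs. The JSON-lines layout used below is an
# assumption made for this example, not a real SIEM export format.
PASSWORD_RESET = 4724    # "An attempt was made to reset an account's password"
ACCOUNT_DELETED = 4726   # "A user account was deleted"
TASK_CREATED = 4698      # "A scheduled task was created"

# Constructed sample log: svc_infra creates a task, resets six admin accounts
# within a minute and deletes a seventh; helpdesk1 does routine resets.
SAMPLE_LOG = """
{"ts": "2023-11-25T02:00:01", "id": 4698, "subject": "svc_infra", "task": "rotate"}
{"ts": "2023-11-25T02:00:10", "id": 4724, "subject": "svc_infra", "target": "da-01"}
{"ts": "2023-11-25T02:00:20", "id": 4724, "subject": "svc_infra", "target": "da-02"}
{"ts": "2023-11-25T02:00:30", "id": 4724, "subject": "svc_infra", "target": "da-03"}
{"ts": "2023-11-25T02:00:40", "id": 4724, "subject": "svc_infra", "target": "da-04"}
{"ts": "2023-11-25T02:00:50", "id": 4724, "subject": "svc_infra", "target": "da-05"}
{"ts": "2023-11-25T02:01:00", "id": 4724, "subject": "svc_infra", "target": "da-06"}
{"ts": "2023-11-25T02:01:30", "id": 4726, "subject": "svc_infra", "target": "da-07"}
{"ts": "2023-11-25T09:15:00", "id": 4724, "subject": "helpdesk1", "target": "jsmith"}
{"ts": "2023-11-25T14:40:00", "id": 4724, "subject": "helpdesk1", "target": "kjones"}
"""

# Constructed list of accounts treated as privileged (e.g. Domain Admins).
PRIVILEGED = frozenset({"da-01", "da-02", "da-03", "da-04", "da-05", "da-06", "da-07"})


@dataclass
class Event:
    ts: datetime
    id: int
    subject: str                 # account that performed the action
    target: Optional[str] = None  # account acted upon (reset / deleted)
    task: Optional[str] = None    # scheduled task name, for 4698


def parse_log(text: str) -> List[Event]:
    """Parse the constructed JSON-lines format into time-ordered events."""
    events = []
    for line in text.strip().splitlines():
        rec = json.loads(line)
        events.append(Event(ts=datetime.fromisoformat(rec["ts"]), id=rec["id"],
                            subject=rec["subject"], target=rec.get("target"),
                            task=rec.get("task")))
    return sorted(events, key=lambda e: e.ts)


def detect(events: List[Event], reset_threshold: int = 5,
           window: timedelta = timedelta(minutes=10),
           privileged=frozenset(),
           task_lookback: timedelta = timedelta(hours=1)) -> List[dict]:
    """Return alerts for privileged-account deletions and reset bursts.

    A burst is >= reset_threshold distinct target accounts reset by the same
    subject inside `window`; the largest such window per subject is reported.
    """
    alerts: List[dict] = []
    resets: Dict[str, List[Event]] = defaultdict(list)
    task_times: Dict[str, List[datetime]] = defaultdict(list)
    for e in events:
        if e.id == PASSWORD_RESET:
            resets[e.subject].append(e)
        elif e.id == TASK_CREATED:
            task_times[e.subject].append(e.ts)
        elif e.id == ACCOUNT_DELETED and e.target in privileged:
            alerts.append({"rule": "privileged_account_deleted", "subject": e.subject,
                           "target": e.target, "ts": e.ts.isoformat()})
    for subject, evs in resets.items():
        best = None  # (window start, set of distinct targets)
        start = 0
        for end in range(len(evs)):          # sliding window over sorted events
            while evs[end].ts - evs[start].ts > window:
                start += 1
            targets = {x.target for x in evs[start:end + 1]}
            if len(targets) >= reset_threshold and (best is None or len(targets) > len(best[1])):
                best = (evs[start].ts, targets)
        if best is not None:
            first, targets = best
            task_before = any(first - task_lookback <= t <= first for t in task_times[subject])
            alerts.append({"rule": "password_reset_burst", "subject": subject,
                           "accounts": sorted(targets),
                           "privileged_hit": sorted(targets & privileged),
                           "scheduled_task_before_burst": task_before,
                           "ts": first.isoformat()})
    return alerts


def run(text: str = SAMPLE_LOG) -> List[dict]:
    return detect(parse_log(text), privileged=PRIVILEGED)


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

Run against the sample it raises two alerts, both on `svc_infra`: the deletion of `da-07` and a six-account reset burst that was preceded by a scheduled-task creation, while the two routine helpdesk resets hours apart stay quiet. The thresholds are deliberately parameters: in a real domain you would tune them to the volume of legitimate resets and feed the rule from your actual log pipeline.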

He could receive 35 years in prison and a $750,000 fine if convicted.

As I said, this one is hard to stop, but it may be possible. If you have questions, please contact us. Credit: Bleeping Computer
