This article covers a real-world insider cyberattack where an employee locked thousands of Windows devices and attempted extortion. It explains how insider threats operate, their impact on organisations, and why access control, monitoring, and privilege management are critical for enterprise security.
According to court filings, 57-year-old Daniel Rhyne used his administrator-level access to disrupt the company’s infrastructure. The disruption did not come from simply logging into an account, however. Rather, he took full control of key systems and locked legitimate employees out of them.
The attack was methodical rather than a single event, which compounded the disruption. In addition to taking over the systems (resetting passwords and removing administrator accounts), he put mechanisms in place that let him retain control while IT personnel tried to mitigate the damage.
One critical component of this attack was the use of a single password (“TheFr0zenCrew!”) across numerous accounts. Reusing one password allowed him to consolidate control rapidly and lock legitimate users out en masse.
Thousands of workstations and hundreds of servers were impacted, with many systems being taken offline over time. The staggered nature of the disruption added to the chaos and greatly complicated recovery efforts; the company struggled to regain control of its infrastructure.
As if the previous actions weren’t enough, Rhyne sent an e-mail to employees stating:
“Your Network Has Been Penetrated”.
In this e-mail, Rhyne stated that all IT administrators had been locked out and that all backup data had been erased. He also demanded a ransom of 20 Bitcoins, warning that he would continue causing additional server downtime every day until the demand was met.
Below is a technical summary of how this occurred:
- centralized denial of service through the domain infrastructure
- mass deletion and resetting of user credentials, and removal of administrator accounts
- total control over both servers and workstations
- continued pressure through staged denial-of-service actions
It should be noted that this was not merely an attack, but a classic example of insider sabotage combined with extortion.
This is one of the most under-estimated risks in cyber security: insider threats. Insiders already have access to your systems, are familiar with your systems’ architecture, and know exactly where to strike to cause the greatest possible disruption.
Therefore, modern cyber-security strategies must extend beyond protecting the network perimeter. Proper access controls, constant monitoring, and adequate privilege separation are needed to prevent a single individual from compromising your entire organization.
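The technical summary above (mass credential resets, removal of administrator accounts) and the closing call for constant monitoring are the kind of behaviour a detection rule over Windows Security audit events can surface early. The following is an added example, not code from the article or from the affected company: it runs three simple detections over a constructed set of audit records. The Event IDs (4724 password reset, 4726 account deleted, 4729/4733 member removed from a group) are real Windows audit IDs; the account names, timestamps, thresholds and rule names are assumptions made up for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample Windows Security audit records (hypothetical data, not from
# the article or the case). Event IDs are real Windows audit IDs:
#   4724 = an attempt was made to reset an account's password
#   4726 = a user account was deleted
#   4729 = a member was removed from a security-enabled global group
#   4733 = a member was removed from a security-enabled local group
SAMPLE_EVENTS = [
    {"time": "2024-06-01T02:00:05", "id": 4724, "subject": "svc-infra", "target": "jdoe"},
    {"time": "2024-06-01T02:00:20", "id": 4724, "subject": "svc-infra", "target": "asmith"},
    {"time": "2024-06-01T02:00:41", "id": 4724, "subject": "svc-infra", "target": "bkim"},
    {"time": "2024-06-01T02:01:02", "id": 4724, "subject": "svc-infra", "target": "clee"},
    {"time": "2024-06-01T02:01:30", "id": 4724, "subject": "svc-infra", "target": "dwu"},
    {"time": "2024-06-01T02:02:11", "id": 4724, "subject": "svc-infra", "target": "efox"},
    {"time": "2024-06-01T02:03:00", "id": 4733, "subject": "svc-infra",
     "target": "helpdesk-admin", "group": "Administrators"},
    {"time": "2024-06-01T02:03:30", "id": 4729, "subject": "svc-infra",
     "target": "backup-admin", "group": "Domain Admins"},
    {"time": "2024-06-01T02:04:00", "id": 4726, "subject": "svc-infra", "target": "backup-admin"},
    # Benign helpdesk activity: two unrelated resets ninety minutes apart.
    {"time": "2024-06-01T09:00:00", "id": 4724, "subject": "helpdesk1", "target": "mroe"},
    {"time": "2024-06-01T10:30:00", "id": 4724, "subject": "helpdesk1", "target": "tlam"},
]

# Groups whose membership changes always deserve a look (assumed list).
PRIVILEGED_GROUPS = {"Administrators", "Domain Admins", "Enterprise Admins", "Schema Admins"}


def _ts(value):
    return datetime.fromisoformat(value)


def detect_mass_resets(events, threshold=5, window=timedelta(minutes=10)):
    """One alert per subject that reset >= threshold distinct accounts inside `window`."""
    resets = defaultdict(list)
    for e in events:
        if e["id"] == 4724:
            resets[e["subject"]].append((_ts(e["time"]), e["target"]))
    alerts = []
    for subject, items in resets.items():
        items.sort()
        for i, (start, _) in enumerate(items):
            # Distinct accounts reset in the window opening at this event.
            targets = {t for ts, t in items[i:] if ts - start <= window}
            if len(targets) >= threshold:
                alerts.append({"rule": "MASS_PASSWORD_RESET", "subject": subject,
                               "count": len(targets), "first_seen": start.isoformat()})
                break  # one alert per subject is enough to page someone
    return alerts


def detect_privileged_group_removals(events):
    """Flag every removal of a member from a privileged group (4729/4733)."""
    return [{"rule": "PRIVILEGED_GROUP_REMOVAL", "subject": e["subject"],
             "target": e["target"], "group": e["group"]}
            for e in events
            if e["id"] in (4729, 4733) and e.get("group") in PRIVILEGED_GROUPS]


def detect_account_deletions(events):
    """Flag every account deletion (4726); deletions of admin accounts are rare and loud."""
    return [{"rule": "ACCOUNT_DELETED", "subject": e["subject"], "target": e["target"]}
            for e in events if e["id"] == 4726]


def run_detections(events):
    """Run all rules and return the combined alert list."""
    return (detect_mass_resets(events)
            + detect_privileged_group_removals(events)
            + detect_account_deletions(events))


def rules_tripped_by_subject(events):
    """Map each subject to the set of rules it tripped; several rules in one
    short window from one account is the pattern the article describes."""
    tripped = defaultdict(set)
    for a in run_detections(events):
        tripped[a["subject"]].add(a["rule"])
    return dict(tripped)


if __name__ == "__main__":
    for alert in run_detections(SAMPLE_EVENTS):
        print(alert)
    print(rules_tripped_by_subject(SAMPLE_EVENTS))
```

In production these rules would read from a SIEM or the forwarded Security log rather than an inline list, and the reset threshold and window would be tuned against normal helpdesk volume so that routine activity (like the helpdesk1 records above) stays quiet while a burst from a single privileged account does not.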