Disgruntled Ram Goes Rogue: Locks 254 Servers, Demands Ransom From Own Pasture
Oh good. Another Monday.
So apparently a former "core infrastructure engineer" at some industrial outfit in New Jersey decided the best career move after getting pushed out was to lock up 254 Windows servers (plus, per the original report, thousands of workstations) and hold his old employer hostage for cash. He had admin credentials. He used them. He got caught. He pleaded guilty.
Riveting. I'm so tired.
Here's what actually happened, since I know you Lambs won't read the original article. This guy, a trusted Ram with full access to the pen, waited until he was on his way out, then used his still-active credentials to change the administrator passwords and lock the Windows admins out of their own servers. All 254 of them. He essentially changed the locks on the barn from his couch and then sent a ransom note.
The audacity. The absolute audacity. I can't even get the Shepherds to approve a $40 software license and this guy is out here running a one-man extortion operation.
The part that really makes my eye twitch is the "still-active credentials" piece. Nobody exploited anything. There was no zero-day, no phishing, no clever lateral movement. This is not a hole in the fence. This is a gate someone left propped open with a brick, with a welcome mat in front of it, and a little sign that says "please, wolves, come in."
Offboarding. It exists. Use it.
The moment someone hands in their badge, their access should be gone. Not "gone by end of week." Not "gone after we finish the transition." Gone. Immediately. And "gone" means the account is disabled, its sessions are killed, and every shared password that person ever knew gets rotated, because a disabled account does nothing about the domain admin password he memorized last quarter. Faster than I can close a ticket I don't want to read.
He failed, by the way. The extortion plot didn't work. He's pleading guilty. So not only did he blow up his career and his freedom, he didn't even get paid. Just a masterclass in how to ruin your own life for absolutely nothing.
The Shepherds are probably somewhere right now congratulating themselves on "resilience" and "incident response" while the actual admins who had to clean this up are on their fourth energy drink and considering a new career in artisanal cheese.
I feel those admins in my soul.
Remediation, Since Apparently This Needs To Be Said Out Loud
- Revoke credentials immediately on separation. Not tomorrow. Now. Disable the account, reset its password, revoke active sessions and tokens, and rotate any shared, service, local admin or break-glass passwords the person had access to. Set a policy. Automate it off the HR trigger if your flock can't be trusted to remember.
- Audit privileged access regularly. Who is in Domain Admins, Enterprise Admins and the local Administrators groups? Why? Since when? When did they last log on? If you can't answer that from a report, you have a problem, and the answer "everyone on the infra team, forever" is not an answer.
- Principle of least privilege. Not everyone needs the keys to every paddock. Day-to-day work should not run under standing domain admin; hand out admin rights just in time and take them back when the job is done.
- Monitor for off-hours admin activity and for bulk changes. A former employee logging in at 2am is not doing you a favor, and one account resetting administrator passwords on dozens of servers in a few minutes is the sound of the locks being changed.
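The audit and monitoring points above are the kind of thing you can actually check in code. What follows is an added example of my own, not code from the original report or from the company involved: it runs three checks over a handful of constructed Windows Security events (the event IDs 4624, successful logon, and 4724, password reset attempt, are the real ones; the usernames, timestamps and the business-hours window are assumptions). It flags privileged logons outside business hours, any activity at all from an account that is supposed to be separated, and one account resetting passwords on many targets in a short window.

```python
"""Three insider-threat checks over constructed Windows Security events."""
from collections import defaultdict
from datetime import datetime, time, timedelta


def ev(ts, event_id, user, target=None):
    """Build a minimal event record (constructed, not a real log line)."""
    return {"time": ts, "id": event_id, "user": user, "target": target}


# Constructed sample data. 4624 = successful logon, 4724 = an attempt was
# made to reset an account's password. 2023-11-24 is a Friday, 11-25 a Saturday.
EVENTS = [
    ev("2023-11-24T10:02:00", 4624, "a.ops"),
    ev("2023-11-24T10:05:00", 4724, "a.ops", "Administrator@SRV-APP07"),
    ev("2023-11-25T22:12:03", 4624, "r.engineer"),
    ev("2023-11-25T22:14:10", 4724, "r.engineer", "Administrator@SRV-APP01"),
    ev("2023-11-25T22:14:12", 4724, "r.engineer", "Administrator@SRV-APP02"),
    ev("2023-11-25T22:14:15", 4724, "r.engineer", "Administrator@SRV-APP03"),
    ev("2023-11-25T22:14:18", 4724, "r.engineer", "Administrator@SRV-APP04"),
    ev("2023-11-25T22:14:21", 4724, "r.engineer", "Administrator@SRV-APP05"),
    ev("2023-11-25T22:14:24", 4724, "r.engineer", "Administrator@SRV-APP06"),
]

PRIVILEGED = {"a.ops", "r.engineer"}        # admin group members (assumed list)
SEPARATED = {"r.engineer"}                  # left the company; must be disabled
BUSINESS_HOURS = (time(7, 0), time(19, 0))  # local business window (assumed)


def parse(ts):
    return datetime.fromisoformat(ts)


def is_off_hours(ts, window=BUSINESS_HOURS):
    """True outside the business window; weekends always count as off-hours."""
    dt = parse(ts)
    start, end = window
    return dt.weekday() >= 5 or not (start <= dt.time() < end)


def off_hours_admin_logons(events, privileged=PRIVILEGED):
    """Successful logons by privileged accounts outside business hours."""
    return [e for e in events
            if e["id"] == 4624 and e["user"] in privileged and is_off_hours(e["time"])]


def separated_account_activity(events, separated=SEPARATED):
    """Any event from a separated account means offboarding did not happen."""
    return [e for e in events if e["user"] in separated]


def mass_password_resets(events, min_targets=5, window=timedelta(minutes=30)):
    """Accounts that reset passwords on >= min_targets distinct accounts within
    `window`. Returns {user: largest number of distinct targets in one window}."""
    by_user = defaultdict(list)
    for e in events:
        if e["id"] == 4724:
            by_user[e["user"]].append((parse(e["time"]), e["target"]))
    hits = {}
    for user, resets in by_user.items():
        resets.sort()
        for i, (t0, _) in enumerate(resets):
            # distinct targets touched in the window starting at this reset
            targets = {tgt for t, tgt in resets[i:] if t - t0 <= window}
            if len(targets) >= min_targets:
                hits[user] = max(hits.get(user, 0), len(targets))
    return hits


if __name__ == "__main__":
    for e in off_hours_admin_logons(EVENTS):
        print("OFF-HOURS ADMIN LOGON:", e["time"], e["user"])
    for e in separated_account_activity(EVENTS):
        print("SEPARATED ACCOUNT ACTIVE:", e["time"], e["user"], e["id"])
    for user, n in mass_password_resets(EVENTS).items():
        print(f"MASS PASSWORD RESET: {user} touched {n} accounts in one window")
```

The separated-account check is the one that matters most here: it is trivial, it needs nothing but the HR leavers list, and it would have fired on the very first logon. The mass-reset threshold (five targets in thirty minutes) is a starting point, not gospel; tune it against how your own admins actually work, but it should never be quiet when one account walks through every server in the estate.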
Going to go stare at the ceiling and think about my life choices now.
Original Report: https://www.bleepingcomputer.com/news/security/man-admits-to-extortion-plot-locking-coworkers-out-of-thousands-of-windows-devices/