Julian Pablo
Old Dominion University
CYSE 300
Professor Joe Kovacic
Short Research Paper #1
9/7/2025
Disgruntled Employee Causes Havoc on Former Employer’s Servers
In April 2019, an unnamed Ohio company’s servers were crippled by a disgruntled employee. The employee was fifty-five-year-old Davis Lu, who was convicted and given four years of jail time in March 2025.
The incident stems from a common mistake many organizations make: giving too many access rights to the wrong people. If you give a person with malicious intent too much power, they will try to find a way to use it. This malicious intent can be traced back to 2018, when Davis had his responsibilities and role reduced due to corporate realignment. The issue that would later become apparent is that he still had developer access to the systems.
After his demotion, Davis started to plot his revenge by sabotaging his employer’s systems and networks. Since he still had developer privileges, he was able to create infinite loops in the Java code of the company’s systems, which would continuously crash the company’s servers. Davis also had access to Active Directory, where he was able to terminate his coworkers’ credentials. All of these actions were tied to his final gambit, a kill-switch malware. The malware was named IsDLEnabledinAD, and it would execute if Davis’s account were ever deleted in Active Directory.
On September 9, 2019, Davis was finally fired, which meant the malware also became active. The incident led to many server crashes, and thousands of employees were locked out of the systems. On top of the already severe damage, Davis also deleted many encrypted volumes, Linux directories, and a couple of projects. The damage done that day easily cost the company thousands of dollars, all from one disgruntled employee.
There are a few lessons that could have prevented this incident altogether and could prevent future ones like it. The main one is to always apply the concept of least privilege. Least privilege means giving employees only the access rights necessary to do their tasks and nothing more. In this case, Davis had developer rights because he was a software developer; the problem arose when he was demoted and given fewer responsibilities but did not have any access rights taken away. This gave him free rein over the systems and Active Directory to enact his revenge. What should have happened is that his developer rights were taken away as soon as he was demoted, to prevent an incident like this one.
Another measure that could have been taken is to assess the possibility of insider threats early on. Insider threats are very dangerous because they have easy access to a company’s assets, allowing them to quickly destroy them. In most cases, insider threats tend to be disgruntled employees, as they have clear resentment and motive, like Davis and his demotion. It is a very general mitigation, but a vital one, as a company’s enemy may be a lot closer than it expects.
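The least-privilege lesson above can be turned into a routine access review. The following is an added example, not code from the cited articles or the affected company; the role names, entitlement names, accounts and dates are constructed for illustration. It flags accounts that still hold entitlements their current role does not need after a role change.

```python
from dataclasses import dataclass
from datetime import date

# Constructed baseline: the entitlements each role actually needs (hypothetical names).
ROLE_BASELINE = {
    "senior_developer": {"repo_write", "prod_deploy", "ad_account_admin"},
    "developer": {"repo_write"},
    "analyst": {"repo_read"},
}

@dataclass
class Account:
    user: str
    role: str            # current role according to HR records
    role_changed: date   # date of the most recent role change
    entitlements: set    # what the account can actually do today

def excess_entitlements(acct, baseline=ROLE_BASELINE):
    """Return entitlements held beyond what the current role requires."""
    allowed = baseline.get(acct.role, set())  # unknown role: nothing is allowed
    return acct.entitlements - allowed

def review(accounts, today, grace_days=0):
    """Flag accounts whose access was not reduced after a role change."""
    findings = []
    for acct in accounts:
        extra = excess_entitlements(acct)
        age = (today - acct.role_changed).days
        if extra and age > grace_days:
            findings.append((acct.user, acct.role, sorted(extra), age))
    # Longest-standing privilege drift first
    return sorted(findings, key=lambda f: -f[3])

# Constructed sample data: user_a was demoted but kept senior-level access.
ACCOUNTS = [
    Account("user_a", "developer", date(2018, 6, 1),
            {"repo_write", "prod_deploy", "ad_account_admin"}),
    Account("user_b", "senior_developer", date(2017, 1, 10),
            {"repo_write", "prod_deploy"}),
    Account("user_c", "analyst", date(2019, 3, 1), {"repo_read"}),
]

if __name__ == "__main__":
    for user, role, extra, age in review(ACCOUNTS, date(2019, 4, 1)):
        print(f"{user} ({role}): excess {extra}, unreviewed for {age} days")
```

Running the review whenever HR records a role change, rather than only on a fixed schedule, closes the gap between a demotion and the matching reduction in access.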
References
- The Hacker News. (2025, August 23). Ex-developer jailed four years for sabotaging Ohio employer with Kill-Switch malware. https://thehackernews.com/2025/08/ex-developer-jailed-four-years-for.html
- Stahie, S. (2025, August 25). Fired developer sentenced to four years for using kill-switch malware as revenge. Hot for Security. https://www.bitdefender.com/en-us/blog/hotforsecurity/developer-sentenced-kill-switch-malware-revenge