It was a typical Monday, working in the office, when I got a call from a contract customer. She said that one of their high-level employees was going to be terminated that afternoon and wanted me to come into the office the next day to change the passwords and lock the computers. She said he wasn’t in the office so it wasn’t a rush. I knew this employee had a company laptop, so using the Live Connect function of Kaseya2 I clicked on the laptop to see what he was doing. At first he was trying to access his 401K, then he started researching how to transfer his 401K, so at that point I had a good idea that he knew he was going to be fired. The next thing he did was open his email and then open the company customer database.
I knew this wasn’t going to be good. There were over 75,000 customers in that database and he was trying to email them to his Hotmail account. Since I was a bit late to the game, I watched and waited until the email came in to the Hotmail account and then went to work. I already had the VNC window open, so when I saw a lull in activity I deleted the email, emptied the recycle bin and logged out of the Hotmail account.
Next I used one of the great features of K2 Live Connect – Remote Command Shell. It gives a remote command shell without the user being aware of anything. I changed all the passwords on the laptop and used the remote shutdown script in the Agent Procedures.
Of course he tried to log back in, but since I changed the passwords, his efforts were foiled! (It seems like an appropriate word.)
As of now we still do not have the laptop back, but the email has been deleted and as an added measure, I scheduled an automatic reboot every 7 minutes when the machine is on.