After a total wait even longer than his prison sentence and being convicted in March, former software developer Davis Lu has finally been sentenced for a malware kill switch scheme he deployed in 2019.
Lu will have to serve four years in prison followed by three years of supervised release. It's the end to a long saga that began with a frustration many are all too familiar with: a demotion. In 2018, the company Lu worked for as a senior software developer, Eaton Corporation, went through a corporate realignment.
As a result, Lu was demoted. He stayed at the company until September 9, 2019, when he was finally put on leave and asked to return his company laptop. Lu had apparently been planning for this. When he was demoted, he "began sabotaging his employer's systems," according to the Department of Justice.
Lu's havoc on his former employer included malicious code that sparked system crashes, blocked logins, deleted files, and ultimately ended with a "kill switch" that, according to the DoJ, locked out all users if Lu's credentials were ever disabled. Lu even named the kill switch "IsDLEnabledinAD," short for "Is Davis Lu enabled in Active Directory."
When Lu was put on leave, that kill switch automatically triggered. The kill switch and Lu's other malicious code resulted in "hundreds of thousands of dollars in losses" for his former employer. Now, it has also resulted in jail time for Lu, who was convicted in March. That conviction is not surprising since he straight up admitted to sabotaging his former employer all the way in October 2019.
However, Lu didn't plead guilty and even reportedly designed his malicious code to make it look like it was coming from co-workers who took over his duties. Lu also deleted encrypted data from his company laptop before handing it over. But that clearly wasn't enough to stop the FBI from tying the cyber sabotage back to Lu.
