He expected an AD password change to stop them and evoke a ransom? And he did all the crap from a VM on his own computer?
Sounds like he has the planning capabilities of a preteen. I wonder if someone else in his house or family got a hold of his credentials and pulled this off…