U.S. Indicts Yemeni Hacker Behind Black Kingdom Ransomware Attacks
- John Jordan
- May 5
In a significant move against cybercrime, the U.S. Department of Justice has charged Rami Khaled Ahmed, a 36-year-old Yemeni national, with orchestrating a ransomware campaign that targeted approximately 1,500 systems worldwide. The Black Kingdom ransomware, which exploited vulnerabilities in Microsoft Exchange servers, affected various sectors, including healthcare and education, demanding ransoms typically around $10,000 in Bitcoin.

Key Takeaways
- Rami Khaled Ahmed charged with deploying Black Kingdom ransomware.
- Approximately 1,500 systems targeted globally, including U.S. businesses and schools.
- Ransom demands typically set at $10,000 in Bitcoin.
- Ahmed remains at large, believed to be residing in Yemen.

Overview Of The Charges
The indictment against Ahmed includes three federal charges: conspiracy, intentional damage to a protected computer, and threatening such damage. Each charge carries a potential maximum sentence of five years in prison. The DOJ's announcement highlights the increasing focus on international cybercriminals and the need for robust cybersecurity measures.
The Black Kingdom Ransomware
Black Kingdom, also known as Pydomer, is characterized as a rudimentary yet effective ransomware variant. It was notably the first ransomware to exploit the ProxyLogon vulnerability in Microsoft Exchange servers, allowing attackers to gain unauthorized access to networks. The malware typically encrypts sensitive data or claims to steal it, followed by ransom demands.
Key Features of Black Kingdom:
- Exploitation of Vulnerabilities: Utilized Microsoft Exchange Server’s ProxyLogon flaw and later targeted Pulse Secure VPN vulnerabilities.
- Ransom Demands: Victims were instructed to pay $10,000 in Bitcoin, with proof of payment required via email.
- Amateurish Design: Despite its effectiveness, cybersecurity experts describe the malware as basic, often employing simple coding techniques.

Impact on Victims
The ransomware campaign has had a significant impact on various organizations, including:
- A medical billing company in Encino, California.
- A ski resort in Oregon.
- A school district in Pennsylvania.
- A health clinic in Wisconsin.

Victims faced not only financial losses but also potential data breaches, as the ransomware threatened to leak stolen information if ransoms were not paid.
Current Status and Global Response
Ahmed is believed to be residing in Yemen, and international efforts are underway to apprehend him. The FBI, in collaboration with New Zealand Police, is leading the investigation. This case is part of a broader crackdown on cybercrime, with various arrests and indictments occurring globally.
Trends in Ransomware Attacks
The indictment of Ahmed comes at a time when ransomware attacks are on the rise, yet the willingness of organizations to pay ransoms is declining. Recent reports indicate:
- Increase in Ransomware Incidents: 2,289 ransomware incidents reported in Q1 2025, a 126% increase from the previous year.
- Declining Ransom Payments: 64% of victim organizations refused to pay ransoms, a significant increase from previous years.
- Shift in Attack Strategies: Cybercriminals are increasingly adopting decentralized approaches, moving away from traditional ransomware-as-a-service models.

As law enforcement agencies ramp up their efforts to combat cybercrime, organizations are urged to enhance their cybersecurity measures, including regular system updates, employee training, and robust backup solutions to mitigate the risks associated with ransomware attacks.