Yemeni National Indicted for Black Kingdom Ransomware Attacks on Microsoft Exchange Servers

TL;DR

  • A 36-year-old Yemeni man, Rami Khaled Ahmed, has been indicted in the U.S. for orchestrating over 1,500 ransomware attacks on Microsoft Exchange servers worldwide.
  • The FBI, with assistance from New Zealand Police, is investigating the case.
  • Ahmed demanded $10,000 in Bitcoin as ransom from his victims.

Yemeni National Indicted for Black Kingdom Ransomware Attacks

U.S. authorities have indicted Rami Khaled Ahmed, a 36-year-old Yemeni national, for his alleged role as the administrator of the Black Kingdom ransomware operation. Ahmed, also known as “Black Kingdom,” is suspected of conducting approximately 1,500 attacks on Microsoft Exchange servers globally [1].

The FBI is leading the investigation in collaboration with the New Zealand Police. Ahmed is accused of deploying the Black Kingdom ransomware against various organizations, including businesses, schools, and hospitals in the United States. One of the affected entities is a medical billing services company in the San Fernando Valley [2].

Ransom Demands and Operational Details

Ahmed demanded ransom payments of $10,000 in Bitcoin from his victims. According to the U.S. Department of Justice (DoJ), Ahmed and his accomplices exploited vulnerabilities in Microsoft Exchange servers to deploy the ransomware. The malware either encrypted data or claimed to exfiltrate it, leaving a ransom note directing victims to pay the Bitcoin ransom [3].

The indictment covers the period from March 2021 to June 2023, during which Ahmed targeted multiple U.S.-based victims, including:

  • A medical billing services company in Encino
  • A ski resort in Oregon
  • A school district in Pennsylvania
  • A health clinic in Wisconsin

If convicted, Ahmed faces up to five years in federal prison for each charge [4].

Evolution of Black Kingdom Ransomware

The Black Kingdom ransomware was first identified in late February 2020 by security researcher GrujaRS. The malware encrypts files and appends the .DEMON extension to the filenames of encrypted documents. In June 2020, the ransomware operators began targeting organizations using unpatched Pulse Secure VPN software [5].
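As an added, defender-side illustration (not code from the original article, the indictment, or the cited reports), the following Python script scans constructed file-system audit lines for bursts of renames to the .DEMON extension described above. The log format, host names, paths and the alert threshold are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit lines (not real telemetry): timestamp, host, action, path(s).
SAMPLE_EVENTS = """\
2021-03-22T10:01:05Z exch01 RENAME C:\\Data\\invoices\\Q1.xlsx -> C:\\Data\\invoices\\Q1.xlsx.DEMON
2021-03-22T10:01:06Z exch01 RENAME C:\\Data\\invoices\\Q2.xlsx -> C:\\Data\\invoices\\Q2.xlsx.DEMON
2021-03-22T10:01:06Z exch01 RENAME C:\\Data\\hr\\staff.docx -> C:\\Data\\hr\\staff.docx.DEMON
2021-03-22T10:01:07Z exch01 CREATE C:\\Data\\hr\\ReadMe.txt
2021-03-22T10:01:08Z exch01 RENAME C:\\Data\\hr\\payroll.pdf -> C:\\Data\\hr\\payroll.pdf.DEMON
2021-03-22T10:01:09Z exch01 RENAME C:\\Data\\hr\\benefits.pdf -> C:\\Data\\hr\\benefits.pdf.DEMON
2021-03-22T10:05:00Z ws17 RENAME C:\\Users\\alice\\demo.txt -> C:\\Users\\alice\\demo.txt.DEMON
2021-03-22T11:30:00Z ws17 RENAME C:\\Users\\alice\\notes.txt -> C:\\Users\\alice\\notes.old
"""

# Assumed line shape: "<ISO timestamp> <host> RENAME <old path> -> <new path>"
LINE_RE = re.compile(r"^(\S+) (\S+) RENAME (.+?) -> (.+)$")


def parse_renames(text):
    """Yield (timestamp, host, new_path) for every RENAME line; skip other actions."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        yield ts, m.group(2), m.group(4)


def find_demon_bursts(text, threshold=5, window=timedelta(seconds=60)):
    """Return {host: count} for hosts with >= threshold renames to *.DEMON inside one window.

    A single rename is noise (a user may create such a file); a burst of them on one
    host in a short window is the mass-encryption pattern worth alerting on.
    """
    per_host = defaultdict(list)
    for ts, host, new_path in parse_renames(text):
        if new_path.lower().endswith(".demon"):
            per_host[host].append(ts)
    alerts = {}
    for host, times in per_host.items():
        times.sort()
        start = 0
        for end in range(len(times)):          # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts[host] = end - start + 1
                break
    return alerts
```

With the sample input, only the Exchange host trips the default threshold; the single rename on the workstation does not.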

In March 2021, the group expanded its operations by exploiting the ProxyLogon vulnerability in Microsoft Exchange servers, significantly increasing the scope of their attacks [6].

Expert Insights and Recent Developments

Cybersecurity expert Marcus Hutchins initially reported on the activities of the Black Kingdom group. Hutchins noted that while the group demanded a ransom of $10,000 in Bitcoin, the files were not initially encrypted due to unknown issues. However, security experts later confirmed that the group had resolved these issues and could encrypt files on compromised Exchange servers [7].

Conclusion

The indictment of Rami Khaled Ahmed highlights the ongoing efforts by international law enforcement agencies to combat cybercrime. As ransomware attacks continue to pose a significant threat to organizations worldwide, collaboration between authorities and cybersecurity experts remains crucial in mitigating these risks.

References

For more details, visit the full article: source

  1. “Black Kingdom ransomware operation” (2025). “Black Kingdom Ransomware”. Security Affairs. Retrieved 2025-05-05.

  2. “FBI is investigating the case with the help of the New Zealand Police.” (2025). “FBI Investigation”. Department of Justice. Retrieved 2025-05-05.

  3. “The man demanded ransom payments of $10,000 in Bitcoin from the victims.” (2025). “Ransom Payments”. Department of Justice. Retrieved 2025-05-05.

  4. “If convicted, Ahmed faces up to five years in federal prison for each charge.” (2025). “Potential Sentence”. Department of Justice. Retrieved 2025-05-05.

  5. “Black Kingdom ransomware was first spotted in late February 2020 by security researcher GrujaRS.” (2025). “GrujaRS”. Security Affairs. Retrieved 2025-05-05.

  6. “In March 2021, the group, leveraging the availability online of the ProxyLogon PoC exploit code, expanded its operations targeting vulnerable Exchange mail servers.” (2025). “ProxyLogon Exploit”. Security Affairs. Retrieved 2025-05-05.

  7. “The expert pointed out that the ransomware gang was dropping a ransom note on vulnerable installs demanding a payment of $10,000 worth of Bitcoin, but for unknown reasons, the files were not encrypted.” (2025). “Ransomware Gang”. Security Affairs. Retrieved 2025-05-05.

This post is licensed under CC BY 4.0 by the author.