Yemeni National Charged in Black Kingdom Ransomware Campaign
The U.S. Department of Justice has indicted Rami Khaled Ahmed, a 36-year-old Yemeni national, for allegedly developing and deploying the Black Kingdom ransomware, which infected approximately 1,500 computer systems in the United States and elsewhere, including businesses, schools and hospitals.
Ahmed is accused of exploiting known vulnerabilities in Microsoft Exchange Server to deploy the ransomware and demand $10,000 in Bitcoin from each victim.
Attack Campaign Targeted U.S. Critical Sectors
According to the indictment, Ahmed and others conducted the attacks between March 2021 and June 2023. Victims included:
- A medical billing services company in Encino, California
- A ski resort in Oregon
- A school district in Pennsylvania
- A health clinic in Wisconsin
In each successful intrusion, the ransomware dropped a ransom note instructing the victim to send $10,000 in Bitcoin to an address controlled by a co-conspirator and to email proof of payment to a Black Kingdom email address.
“When the malware was successful, the ransomware then created a ransom note… directing the victim to send $10,000 worth of Bitcoin,” the DOJ stated.
Black Kingdom Used ProxyLogon Vulnerabilities in Microsoft Exchange
The malware was delivered through the set of Microsoft Exchange Server vulnerabilities commonly grouped under the name ProxyLogon, which Microsoft disclosed and patched out-of-band on March 2, 2021. The chain consists of:
- CVE-2021-26855: a pre-authentication server-side request forgery in the Exchange front end that lets an unauthenticated attacker reach back-end endpoints as if authenticated
- CVE-2021-26857: insecure deserialization in the Unified Messaging service, yielding code execution as SYSTEM
- CVE-2021-26858 and CVE-2021-27065: post-authentication arbitrary file writes which, chained with the SSRF, let the attacker drop a web shell into a web-accessible Exchange directory
Black Kingdom's use of the chain was first reported in March 2021 by security researcher Marcus Hutchins, who observed the ransomware being deployed through web shells planted on unpatched Exchange servers.
Microsoft later confirmed that at least 1,500 Exchange servers had been compromised using this method.
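As an added triage example (not code from the article, the indictment, or Microsoft), the script below checks the two ProxyLogon indicators Microsoft published in its March 2021 guidance: Exchange HttpProxy log entries with an empty AuthenticatedUser whose AnchorMailbox matches the pattern ServerInfo~*/* (the CVE-2021-26855 SSRF), and unexpected .aspx files in the web-facing Exchange directories where web shells were dropped. The log excerpt and the file listing are constructed for the example and use a reduced column set; real HttpProxy logs live under %PROGRAMFILES%\Microsoft\Exchange Server\V15\Logging\HttpProxy and carry many more columns, and the known_good file names must come from a clean server of the same build.

```python
"""ProxyLogon post-compromise triage: HttpProxy log scan and web-shell sweep.

Added example; not the article's or Microsoft's code.  The two indicators
follow Microsoft's March 2021 HAFNIUM guidance; the sample data is constructed.
"""
import csv
import fnmatch
from pathlib import PureWindowsPath

# Constructed sample in the shape of an Exchange HttpProxy log: comment lines
# starting with '#', a '#Fields:' header naming the columns, then CSV rows.
# Only a subset of the real columns is kept.
SAMPLE_HTTPPROXY_LOG = """\
#Software: Microsoft Exchange Server
#Log-type: HttpProxy Logs
#Fields: DateTime,UrlStem,AuthenticatedUser,AnchorMailbox,UserAgent,ClientIpAddress
2021-03-03T04:12:57.001Z,/owa/auth/logon.aspx,,,Mozilla/5.0,198.51.100.7
2021-03-03T04:13:02.442Z,/ews/exchange.asmx,jdoe@contoso.example,Smtp~jdoe@contoso.example,Microsoft Office/16.0,198.51.100.7
2021-03-03T04:15:31.910Z,/ecp/y.js,,ServerInfo~exch01.contoso.example:444/ecp/proxyLogon.ecp?#,python-requests/2.25.1,203.0.113.5
2021-03-03T04:15:32.118Z,/autodiscover/autodiscover.xml,,ServerInfo~exch01.contoso.example:444/autodiscover/autodiscover.xml?#,python-requests/2.25.1,203.0.113.5
2021-03-03T04:16:00.000Z,/ecp/default.flt,admin@contoso.example,ServerInfo~exch01.contoso.example:444/ecp/about.aspx,Mozilla/5.0,10.0.0.12
"""

# Microsoft's published indicator for CVE-2021-26855 exploitation.
SSRF_ANCHOR_PATTERN = "ServerInfo~*/*"

# Web-facing Exchange directories named in Microsoft's guidance as common
# web-shell drop locations.  Matched as path suffixes, case-insensitively.
WEBSHELL_DIR_SUFFIXES = (
    PureWindowsPath("inetpub/wwwroot/aspnet_client"),
    PureWindowsPath("inetpub/wwwroot/aspnet_client/system_web"),
    PureWindowsPath("FrontEnd/HttpProxy/owa/auth"),
    PureWindowsPath("FrontEnd/HttpProxy/owa/auth/Current/themes/resources"),
    PureWindowsPath("FrontEnd/HttpProxy/ecp/auth"),
)

# Constructed file listing standing in for a directory walk of the server.
SAMPLE_FILE_LISTING = [
    r"C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\logon.aspx",
    r"C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\Current\themes\resources\error.aspx",
    r"C:\inetpub\wwwroot\aspnet_client\report.aspx",
    r"C:\inetpub\wwwroot\aspnet_client\system_web\x.js",
]


def parse_httpproxy_log(text):
    """Yield one dict per data row, taking column names from the #Fields: header."""
    fields = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw.startswith("#"):
            if raw.startswith("#Fields:"):
                fields = [f.strip() for f in raw[len("#Fields:"):].split(",")]
            continue
        if fields is None:
            raise ValueError("data row appeared before the #Fields: header")
        yield dict(zip(fields, next(csv.reader([raw]))))


def find_ssrf_indicators(rows):
    """Return rows where the request was unauthenticated AND the AnchorMailbox
    matches ServerInfo~*/*.  Both conditions are required: authenticated ECP
    traffic can legitimately carry a ServerInfo~ anchor."""
    hits = []
    for row in rows:
        if row.get("AuthenticatedUser", "").strip():
            continue
        if fnmatch.fnmatchcase(row.get("AnchorMailbox", ""), SSRF_ANCHOR_PATTERN):
            hits.append(row)
    return hits


def _ends_with(parts, suffix):
    low = [p.lower() for p in parts[-len(suffix):]] if len(parts) >= len(suffix) else []
    return low == [s.lower() for s in suffix]


def find_suspicious_aspx(paths, known_good=frozenset()):
    """Return .aspx files inside the watched directories whose names are not in
    known_good (lower-case names taken from a clean server of the same build).
    Directories like owa\\auth ship legitimate .aspx pages, so the baseline is
    what turns this from a noisy listing into a finding."""
    hits = []
    for p in paths:
        wp = PureWindowsPath(p)
        if wp.suffix.lower() != ".aspx" or wp.name.lower() in known_good:
            continue
        if any(_ends_with(wp.parent.parts, s.parts) for s in WEBSHELL_DIR_SUFFIXES):
            hits.append(str(wp))
    return hits


if __name__ == "__main__":
    rows = list(parse_httpproxy_log(SAMPLE_HTTPPROXY_LOG))
    for hit in find_ssrf_indicators(rows):
        print("SSRF indicator:", hit["DateTime"], hit["ClientIpAddress"], hit["AnchorMailbox"])
    for path in find_suspicious_aspx(SAMPLE_FILE_LISTING, known_good={"logon.aspx"}):
        print("Unexpected .aspx:", path)
```

In the constructed sample, the two unauthenticated ServerInfo~ requests from 203.0.113.5 are flagged while the authenticated ECP request with a similar anchor is not; of the file listing, logon.aspx is excluded by the baseline and the two remaining .aspx files are reported. On a real server, run the log scan across every file in the HttpProxy directory tree (the logs roll daily) and treat any hit as a reason to pull the web-shell sweep and the Exchange patch level into the same incident.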
Previous Exploits Used Pulse Secure VPN Flaw
In an earlier campaign dating back to June 2020, Black Kingdom was also linked to attacks exploiting CVE-2019-11510, a pre-authentication arbitrary file read in Pulse Secure VPN appliances that exposes stored credentials and session data, giving attackers a foothold from which to move into the network and deploy ransomware payloads.
U.S. Charges and Potential Sentence
Ahmed is charged with one count each of:
- Conspiracy to commit computer fraud
- Intentional damage to a protected computer
- Threatening to damage a protected computer
Each count carries a statutory maximum sentence of five years in federal prison, for a potential total of 15 years if he is convicted on all three.
Ahmed is believed to currently reside in Yemen, according to the Department of Justice.