U.S. Indicts Black Kingdom Ransomware Developer Behind 1,500 Microsoft Exchange Attacks

The U.S. has indicted a Yemeni national for operating Black Kingdom ransomware, targeting Microsoft Exchange servers in 1,500 global attacks demanding $10,000 in Bitcoin.

    Yemeni National Charged in Black Kingdom Ransomware Campaign

    The U.S. Department of Justice has indicted a 36-year-old Yemeni national, Rami Khaled Ahmed, for allegedly developing and operating the Black Kingdom ransomware, which was used in 1,500 global attacks, including multiple U.S.-based organizations.

    Ahmed is accused of exploiting known vulnerabilities in Microsoft Exchange servers to deploy ransomware and demand $10,000 in Bitcoin from each victim.


    Attack Campaign Targeted U.S. Critical Sectors

    According to the indictment, Ahmed and others conducted attacks between March 2021 and June 2023. Victims included:

    • A medical billing services company in Encino, California
    • A ski resort in Oregon
    • A school district in Pennsylvania
    • A health clinic in Wisconsin

    In each successful intrusion, the ransomware would create a ransom note instructing victims to send Bitcoin to an address controlled by a co-conspirator and email proof of payment to a designated Black Kingdom email address.

    “When the malware was successful, the ransomware then created a ransom note… directing the victim to send $10,000 worth of Bitcoin,” the DOJ stated.


    Black Kingdom Used ProxyLogon Vulnerabilities in Microsoft Exchange

    The malware was deployed through ProxyLogon, a set of critical Microsoft Exchange vulnerabilities first disclosed in early 2021 that together allow an unauthenticated attacker to run code on the server. These include:

    • CVE-2021-26855: Server-Side Request Forgery
    • CVE-2021-26857: Insecure deserialization for SYSTEM-level privilege escalation
    • CVE-2021-26858 & CVE-2021-27065: Arbitrary file write enabling web shell deployment

    The campaign was first reported in March 2021 by security researcher Marcus Hutchins, who observed Black Kingdom operators using web shells planted on vulnerable Exchange servers.

    Microsoft later confirmed that at least 1,500 Exchange servers had been compromised using this method.
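The two artefacts the article describes leave recognisable traces on a compromised host: a ransom note that names a Bitcoin address and a contact e-mail, and a web-executable file written into a web root by the arbitrary-file-write bugs listed above. The triage script below is an added example, not code from the article, the DOJ or Microsoft; the regexes, the keyword list, the file extensions, the modification-time cut-off and the sample files are all assumptions constructed for the demonstration, and the scan root would normally be an Exchange web directory supplied by the operator.

```python
"""Triage helper: flag ransom-note-like text files and recently written
web-executable files under a directory tree.

Added example, not code from the article, the DOJ or Microsoft. Every
pattern, path and sample file below is an assumption made for the demo.
"""
import os
import re
import tempfile
import time

# Base58 legacy/P2SH addresses (start with 1 or 3) and bech32 addresses (bc1...).
BTC_ADDR = re.compile(
    r"\b(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[ac-hj-np-z02-9]{11,71})\b"
)
EMAIL = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")
# Vocabulary typical of ransom notes; assumed, not taken from the indictment.
RANSOM_WORDS = ("encrypted", "decrypt", "bitcoin", "ransom", "payment")
# Extensions a web server executes when such a file lands in a web root.
WEB_EXEC_EXTS = {".aspx", ".ashx", ".asmx", ".asp", ".php", ".jsp"}
MAX_NOTE_BYTES = 64 * 1024  # ransom notes are small; skip large files


def analyze_text(text):
    """Return addresses, e-mails and keyword hits found in text plus a
    'flagged' verdict: a payment address together with either an e-mail
    address or at least two ransom-note keywords."""
    lowered = text.lower()
    addresses = BTC_ADDR.findall(text)
    emails = EMAIL.findall(text)
    hits = sum(1 for w in RANSOM_WORDS if w in lowered)
    flagged = bool(addresses) and (bool(emails) or hits >= 2)
    return {"addresses": addresses, "emails": emails, "hits": hits, "flagged": flagged}


def scan_tree(root, newer_than):
    """Walk root and return (kind, path) findings: 'web_exec_file' for a
    web-executable file modified after newer_than (epoch seconds), or
    'ransom_note' for a small text file that analyze_text flags."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            ext = os.path.splitext(name)[1].lower()
            st = os.stat(path)
            if ext in WEB_EXEC_EXTS and st.st_mtime > newer_than:
                findings.append(("web_exec_file", path))
                continue
            if st.st_size > MAX_NOTE_BYTES:
                continue
            with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                text = fh.read()
            if analyze_text(text)["flagged"]:
                findings.append(("ransom_note", path))
    return findings


# Constructed sample notes (addresses are public documentation examples).
NOTE_A = (
    "Your files have been encrypted.\n"
    "To decrypt them, send 10000 USD worth of Bitcoin to "
    "1BoatSLRHtKNngkdXEeobR76b53LETtpyT\n"
    "then email proof of payment to recover@example.invalid\n"
)
NOTE_B = (
    "All files are encrypted. Send 0.2 bitcoin to "
    "bc1qar0srrr7xfkvy5l643lydnw9re59gtzzwf5mdq to get the decrypt tool.\n"
)
BENIGN = "Q3 revenue up 3%. Contact finance@example.invalid about the 2021 budget.\n"


def demo():
    """Build a throwaway tree with two notes, a benign report, a fresh .aspx
    file and a month-old .aspx file, then return sorted (kind, basename)."""
    now = time.time()
    with tempfile.TemporaryDirectory() as root:
        samples = {
            "note_a.txt": NOTE_A,
            "note_b.txt": NOTE_B,
            "report.txt": BENIGN,
            "new.aspx": "<%-- constructed placeholder page --%>\n",
            "old.aspx": "<%-- constructed placeholder page --%>\n",
        }
        for name, body in samples.items():
            with open(os.path.join(root, name), "w", encoding="utf-8") as fh:
                fh.write(body)
        # Backdate the old page so the cut-off (last 7 days) excludes it.
        old = now - 30 * 86400
        os.utime(os.path.join(root, "old.aspx"), (old, old))
        found = scan_tree(root, newer_than=now - 7 * 86400)
    return sorted((kind, os.path.basename(p)) for kind, p in found)


if __name__ == "__main__":
    for kind, name in demo():
        print(f"{kind:14} {name}")
```

The keyword path in `analyze_text` matters because not every note includes a contact e-mail; the modification-time cut-off in `scan_tree` is what separates a freshly dropped page from the server's own long-standing content, so in a real investigation it should be set from the earliest time the exploitation could have occurred rather than from the scan time.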


    Previous Exploits Used Pulse Secure VPN Flaw

    In a prior campaign dating back to June 2020, Black Kingdom was also linked to attacks exploiting CVE-2019-11510, a critical vulnerability in Pulse Secure VPN, allowing attackers to breach networks and deploy ransomware payloads.


    U.S. Charges and Potential Sentence

    Ahmed now faces charges of:

    • Conspiracy to commit computer fraud
    • Intentional damage to a protected computer
    • Threatening to damage a protected computer

    Each count carries a maximum sentence of five years, with a potential total of 15 years in federal prison if convicted.

    Ahmed is believed to currently reside in Yemen, according to the Department of Justice.
