1. Yemen Details
  2. Technology
on Saturday 3 May, 2025

U.S. Charges Yemeni Hacker Behind Black Kingdom Ransomware Targeting 1,500 Systems

by : Hacker News

The U.S. Department of Justice (DoJ) on Thursday announced charges against a 36-year-old Yemeni national for allegedly deploying the Black Kingdom ransomware against global targets, including businesses, schools, and hospitals in the United States.

Rami Khaled Ahmed of Sana'a, Yemen, has been charged with one count of conspiracy, one count of intentional damage to a protected computer, and one count of threatening damage to a protected computer. Ahmed is assessed to be currently living in Yemen.

"From March 2021 to June 2023, Ahmed and others infected computer networks of several U.S.-based victims, including a medical billing services company in Encino, a ski resort in Oregon, a school district in Pennsylvania, and a health clinic in Wisconsin," the DoJ said in a statement.

Ahmed is accused of developing and deploying the ransomware by exploiting a vulnerability in Microsoft Exchange Server known as ProxyLogon.

The ransomware worked by either encrypting data from victims' computer networks or claiming to steal that information from the networks. Post encryption, the ransomware dropped a ransom note on the system and directed the victim to send $10,000 worth of Bitcoin to a cryptocurrency address controlled by a co-conspirator.

Victims were also allegedly asked to send proof of the payment to a Black Kingdom email address. The ransomware is estimated to have been delivered on about 1,500 computer systems in the U.S. and elsewhere.

Also tracked under the name Pydomer, the ransomware family has been previously linked to attacks taking advantage of Pulse Secure VPN vulnerabilities (CVE-2019-11510), Microsoft revealed in late March 2021, noting that it was the first existing ransomware family to capitalize on the ProxyLogon flaws.

Cybersecurity vendor Sophos described the Black Kingdom as "somewhat rudimentary and amateurish in its composition," with the attackers leveraging the ProxyLogon vulnerability to deploy web shells, which were then used to issue PowerShell commands to download the ransomware.

It also said the activity bears all the hallmarks of a "motivated script-kiddie." Then later that August, a Nigerian threat actor was observed attempting to recruit employees by offering them to pay $1 million in Bitcoin to deploy Black Kingdom ransomware on companies' networks as part of an insider threat scheme.

If convicted, Ahmed faces a maximum sentence of five years in federal prison for each count. The case is being investigated by the U.S. Federal Bureau of Investigation (FBI) with assistance from the New Zealand Police.

The charges come amid a raft of announcements from U.S. government authorities against various criminal activities -

See Also
EU slaps fines on Apple and Meta, risking Trump fury
Russia is upping hybrid attacks against Europe, Dutch intelligence says
Trump gives TikTok extra 75 days to find buyer
Justice Department charges 10 hackers, 2 Chinese officials in broad cyberespionage campaign targeting US agencies
Most read
Israeli Military Conducts Dozens of Airstrikes Across Yemen
Ukraine says it shot down Russian Su-30 fighter jet from sea drone for first time
Netanyahu vows response after Houthi missile hits near Israel's main airport
UN Envoy Urges Israel To Halt Syria Attacks 'At Once'
Yemeni Forces Seize Weapons-Laden Boat Bound for Houthis