U.S. DOJ Charges Black Kingdom Ransomware Mastermind That Hit 1,500 Systems


In a move against international cybercrime, the U.S. Department of Justice (DoJ) announced charges against Rami Khaled Ahmed, a Yemeni national accused of unleashing Black Kingdom ransomware against 1,500 systems worldwide. Targets included a medical billing company in California, a ski resort in Oregon, a school district in Pennsylvania, and a health clinic in Wisconsin.

Ahmed allegedly exploited Microsoft Exchange Server’s ProxyLogon vulnerability to infect networks between March 2021 and June 2023. The malware encrypted sensitive data or claimed to steal it, followed by ransom demands — typically $10,000 in Bitcoin, payable to cryptocurrency wallets under Ahmed’s control. Victims were required to send proof of payment via a designated Black Kingdom email.


According to the DoJ, Ahmed faces three federal charges: conspiracy, intentional damage to a protected computer, and threatening such damage. Each count carries a maximum 5-year prison term.

Primitive Yet Potent: Black Kingdom’s Malware Methods

Cybersecurity researchers, including teams from Microsoft and Sophos, have tracked Black Kingdom — also known as Pydomer — as a rudimentary but effective ransomware variant. It was the first known ransomware to exploit ProxyLogon vulnerabilities and later pivoted to target Pulse Secure VPN flaws (CVE-2019-11510).

Attackers often deployed the ransomware using PowerShell commands and web shells, showcasing behavior consistent with amateur cybercriminals or “script kiddies.” Notably, in 2021, a Nigerian threat actor was caught attempting to recruit company insiders with a $1 million Bitcoin offer to install Black Kingdom malware internally — underscoring the evolving insider threat landscape.

The FBI, with support from the New Zealand Police, led the investigation into Ahmed’s operations. He is believed to reside in Yemen and remains at large.

A Surge in Ransomware, But Fewer Ransoms Paid

Ahmed’s indictment comes during an era of intense global ransomware activity, with groups like Scattered Spider, 764, and DragonForce also facing scrutiny. However, new trends show a decline in ransom payouts despite the rising frequency of attacks.

Even so, Check Point reported 2,289 ransomware incidents in Q1 2025, a 126% increase from Q1 2024, although March 2025 saw a 32% month-over-month drop, indicating that attack volumes continue to fluctuate.

Most affected regions and sectors:

  • Regions: North America & Europe account for over 80% of attacks

  • Sectors: Consumer goods, business services, manufacturing, healthcare, and construction

Global Crackdown Accelerates

Ahmed’s case is part of a broader crackdown:

  • Ukrainian Artem Stryzhak, a Nefilim ransomware affiliate, extradited from Spain.

  • Tyler Buchanan, tied to Scattered Spider, extradited from Spain for wire fraud.

  • 764 child exploitation group leaders arrested in the U.S.

  • Cambodia’s HuiOne Group blacklisted by U.S. Treasury for laundering DPRK-linked cybercrime proceeds.

As ransomware cartels fragment, cybersecurity experts are noticing a rise in decentralized, lone-wolf attackers. This trend poses new challenges as law enforcement ramps up global cooperation.

“The era of large, branded ransomware-as-a-service operations may be waning,” said Halcyon researchers. “But attackers are innovating fast with encryption-less extortion, insider threats, and modular malware.”
