U.S. federal authorities have indicted a Yemeni national accused of conducting a global ransomware campaign that targeted more than 1,500 Microsoft Exchange servers, compromising systems at schools, hospitals, and businesses across multiple countries.

Rami Khaled Ahmed, 36, of Sana’a, Yemen, allegedly known online as “Black Kingdom,” is accused of leading the ransomware operation that struck organizations in the United States and abroad. According to a Department of Justice (DoJ) press release, the campaign ran from March 2021 to June 2023 and capitalized on a known Microsoft Exchange vulnerability to deploy malicious code and extort victims.

Ahmed is alleged to have demanded ransom payments of $10,000 in Bitcoin from affected organizations. Victims were instructed to send proof of payment to an email address controlled by the ransomware group.

Among the known U.S. victims are:

  • A medical billing services company in Encino, California
  • A ski resort in Oregon
  • A school district in Pennsylvania
  • A healthcare clinic in Wisconsin

The FBI, working in collaboration with the New Zealand Police, led the investigation. Ahmed is believed to be residing in Yemen. If convicted, he faces up to five years in federal prison for each count.

BlackKingdom Ransomware

Black Kingdom ransomware, also referred to as “DemonWare,” was first detected in February 2020 by cybersecurity researcher GrujaRS. It encrypts files and appends the “.DEMON” extension to filenames. By June 2020, attackers began exploiting vulnerabilities in unpatched Pulse Secure VPN software to deploy the malware. The group gained further notoriety in March 2021 when it began targeting Microsoft Exchange servers by using the ProxyLogon exploit, after its proof-of-concept (PoC) code became publicly available online.

Renowned cybersecurity expert Marcus Hutchins was among the first to report the group’s aggressive expansion in the wake of the ProxyLogon vulnerability disclosure.
