Full Report
A man believed to be living in Yemen is accused of developing the ransomware and infecting about 1,500 computer systems in the U.S. and elsewhere between March 2021 and June 2023. The post Federal prosecutors indict alleged head of Black Kingdom ransomware appeared first on CyberScoop.
Analysis Summary
# Threat Actor: Black Kingdom (Individual associated with the operation)
## Attribution & Identity
* **Identified Individual:** Rami Khaled Ahmed, a 36-year-old believed to be residing in Yemen.
* **Aliases/Association:** The individual is also known as "Black Kingdom" by the U.S. Attorney’s Office for the Central District of California.
* **Status:** Indicted by U.S. federal prosecutors (The DOJ). The actor has not been arrested, and Yemen does not extradite individuals to the U.S.
## Activity Summary
The accused individual allegedly developed and deployed the "Black Kingdom" ransomware against roughly 1,500 computer systems in the U.S. and globally between March 2021 and June 2023.
## Tactics, Techniques & Procedures
* **Initial Access/Exploitation:** Developed and deployed the Black Kingdom ransomware to exploit a vulnerability in **Microsoft Exchange**.
* **Impact:** The malware either encrypted data or exfiltrated (claimed to take) data from victim networks.
* **Extortion:** Upon success, the ransomware dropped a ransom note instructing victims to send **$10,000 worth of Bitcoin** to a specified cryptocurrency address and send proof of payment to a Black Kingdom email address.
* **Charges:** Conspiracy, intentional damage to a protected computer, and threatening damage to a protected computer.
## Targeting
* **Sectors:** Businesses, schools, and hospitals.
* Specific examples include a medical billing services company (California), a ski resort (Oregon), a school district (Pennsylvania), and a health clinic (Wisconsin).
* **Geography:** United States and "elsewhere" globally.
* **Victims:** Approximately 1,500 computer systems impacted across various sectors.
## Tools & Infrastructure
* **Malware Families Used:** Black Kingdom ransomware.
* **Infrastructure (C2, domains, IPs):**
* Ransom payments demanded in **Bitcoin**.
* Proof of payment submissions directed to a **Black Kingdom email address** (specific addresses were not detailed in the summary text).
## Implications
This case highlights ongoing efforts by U.S. authorities to prosecute the operators of ransomware strains that leverage known vulnerabilities (like those in Microsoft Exchange) for mass compromise, even when the suspect is located in a non-extraditing jurisdiction. The successful encryption/exfiltration of data from diverse critical sectors (healthcare, education) demonstrates the broad economic and operational damage potential of this specific ransomware variant.
## Mitigations
* Patching/Vulnerability Management, specifically targeting **Microsoft Exchange** vulnerabilities.
* Implementing robust data backup and recovery strategies to minimize impact from encryption events.
* Monitoring network traffic for signs of data exfiltration relating to ransomware activity.
* (General law enforcement/investigative support): Investigation was supported by the FBI with assistance from the New Zealand Police.