Full Report
A man believed to be living in Yemen is accused of developing the ransomware and infecting about 1,500 computer systems in the U.S. and elsewhere between March 2021 and June 2023. (Source: CyberScoop, "Federal prosecutors indict alleged head of Black Kingdom ransomware".)
Analysis Summary
# Threat Actor: Black Kingdom Ransomware Operator (Rami Khaled Ahmed)
## Attribution & Identity
The alleged head of the Black Kingdom ransomware operation is identified as **Rami Khaled Ahmed**, a 36-year-old Yemeni national, believed to be residing in Yemen. He has been federally indicted by the U.S. Department of Justice (DOJ) under charges including conspiracy, intentional damage to a protected computer, and threatening damage to a protected computer. The indictment also mentions unnamed **co-conspirators**.
## Activity Summary
The primary activity described relates to the development and deployment of the **Black Kingdom ransomware** strain.
* **Timeframe:** Between March 2021 and June 2023.
* **Scope:** Infections affecting approximately **1,500 computer systems** in the United States and globally.
* **Extortion:** After encrypting or exfiltrating victim data, the ransomware left a ransom note demanding **$10,000 worth of Bitcoin**, to be sent to a cryptocurrency address controlled by a co-conspirator, with proof of payment sent to a specific Black Kingdom email address.
* **Status:** The main subject, Ahmed, has not been arrested, and Yemen does not extradite individuals to the U.S.
## Tactics, Techniques & Procedures
- **Initial Access/Exploitation:** Initial access was allegedly gained by exploiting a **vulnerability in Microsoft Exchange Server**, after which the Black Kingdom ransomware was deployed. The source does not name the specific vulnerability or CVE.
- **Impact:** Data encryption or data exfiltration from victim networks.
- **Extortion:** Demanding $10,000 in Bitcoin via ransom notes.
- **MITRE ATT&CK:** The source does not map the activity to ATT&CK technique IDs. From the described behavior, the Exchange entry point corresponds to T1190 (Exploit Public-Facing Application) and the encryption to T1486 (Data Encrypted for Impact); this mapping is the editor's, not the source's.
## Targeting
- **Sectors:** Businesses, schools, and hospitals.
- **Geography:** United States and "elsewhere"; the source does not name the other countries affected.
- **Victims:** Specific victims cited include a medical billing services company in California, a ski resort in Oregon, a school district in Pennsylvania, and a health clinic in Wisconsin.
## Tools & Infrastructure
- **Malware families used:** **Black Kingdom** ransomware.
- **Infrastructure (C2, domains, IPs):** No command-and-control domains or IP addresses are given in the source. The only infrastructure referenced is:
  - A cryptocurrency address (Bitcoin) for ransom payment, controlled by a co-conspirator; the address itself is not disclosed.
  - A specific **Black Kingdom email address** for proof-of-payment submission; the address itself is not disclosed.
## Implications
The indictment is a significant law enforcement action against a ransomware operator in a jurisdiction where arrest and extradition are impractical (Yemen does not extradite to the U.S.). The scale of the disruption (about 1,500 systems) across critical sectors such as healthcare and education shows the persistent, high-impact threat posed by ransomware operations that enter through vulnerable internet-facing services such as Microsoft Exchange Server.
## Mitigations
- Patching and securing internet-facing **Microsoft Exchange** servers against known vulnerabilities is paramount, as an Exchange vulnerability was the alleged exploitation vector in this case.
- Organizations should maintain robust data backups and incident response plans covering data encryption/exfiltration scenarios.
- Monitoring for ransom-note artifacts (files containing extortion language, a Bitcoin payment address, and a contact email address) and for related cryptocurrency activity may aid detection.
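The following is an added example, not code from the source article or from the case itself, showing how the ransom-note monitoring suggested above can be put into practice. It walks a directory tree and scores small text files on the traits a ransom note like the one described would share: a Bitcoin payment address, a contact email for proof of payment, encryption/extortion vocabulary, and a note-like file name. The patterns are generic heuristics, not a Black Kingdom signature (the source gives no note text, address or email), and the sample note, its Bitcoin address and its email address are constructed placeholders.

```python
"""Heuristic hunt for ransom notes on a filesystem (added example).

Scores text files by traits a ransom note shares with the one described
in the indictment: a Bitcoin payment address, a contact e-mail for proof of
payment, encryption/decryption language, and a note-like file name.
The patterns are generic, not a Black Kingdom signature.
"""
import re
import tempfile
from dataclasses import dataclass, field
from pathlib import Path

# Legacy (P2PKH/P2SH) addresses use Base58, which excludes 0, O, I and l.
BTC_LEGACY = re.compile(r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b")
# Bech32 (SegWit) addresses: "bc1" prefix plus a charset that excludes 1, b, i, o.
BTC_BECH32 = re.compile(r"\bbc1[ac-hj-np-z02-9]{11,71}\b", re.IGNORECASE)
EMAIL = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")
KEYWORDS = ("encrypted", "decrypt", "bitcoin", "ransom", "payment", "wallet")
NOTE_NAME_HINTS = ("readme", "decrypt", "recover", "restore", "how_to", "how-to")
MAX_SIZE = 64 * 1024  # ransom notes are small; skip large files


@dataclass
class Finding:
    path: str
    score: int = 0
    btc_addresses: list[str] = field(default_factory=list)
    emails: list[str] = field(default_factory=list)
    keywords: list[str] = field(default_factory=list)


def score_text(name: str, text: str) -> Finding:
    """Score one file's contents; higher means more note-like."""
    lowered = text.lower()
    f = Finding(path=name)
    f.keywords = [k for k in KEYWORDS if k in lowered]
    f.btc_addresses = sorted(set(BTC_LEGACY.findall(text)) | set(BTC_BECH32.findall(text)))
    f.emails = sorted(set(EMAIL.findall(text)))
    # A payment address is the strongest single signal, then a contact address,
    # then extortion vocabulary, then a note-like file name.
    f.score = len(f.keywords)
    f.score += 3 if f.btc_addresses else 0
    f.score += 2 if f.emails else 0
    f.score += 1 if any(h in name.lower() for h in NOTE_NAME_HINTS) else 0
    return f


def is_ransom_note(f: Finding, threshold: int = 5) -> bool:
    """Require a payment or contact channel plus enough supporting signals."""
    return bool(f.btc_addresses or f.emails) and f.score >= threshold


def scan_dir(root: Path, threshold: int = 5) -> list[Finding]:
    """Walk a tree and return the files that look like ransom notes."""
    hits = []
    for p in root.rglob("*"):
        if not p.is_file() or p.stat().st_size > MAX_SIZE:
            continue
        try:
            text = p.read_text(errors="ignore")
        except OSError:
            continue
        f = score_text(str(p.relative_to(root)), text)
        if is_ransom_note(f, threshold):
            hits.append(f)
    return hits


# Constructed samples for demonstration only: the Bitcoin address and e-mail
# below are fake placeholders, not indicators from the case.
FAKE_BTC = "bc1q" + "examplefakeaddress" + "0" * 18
SAMPLE_NOTE = (
    "Your files have been encrypted.\n"
    "To decrypt them, send $10,000 worth of Bitcoin to " + FAKE_BTC +
    " and e-mail proof of payment to contact@example.invalid\n"
)
SAMPLE_BENIGN = (
    "Project README\n"
    "Invoices are due within 30 days of receipt; send payment questions "
    "to billing@example.invalid\n"
)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "DECRYPT_FILES.txt").write_text(SAMPLE_NOTE)
        (root / "docs").mkdir()
        (root / "docs" / "README.txt").write_text(SAMPLE_BENIGN)
        for hit in scan_dir(root):
            print(f"{hit.path}: score={hit.score} btc={hit.btc_addresses} email={hit.emails}")
```

The threshold and weights are deliberately conservative: a file needs either a payment address or a contact email plus supporting signals before it is flagged, so an ordinary README that mentions billing is not reported. Tune `KEYWORDS` and `NOTE_NAME_HINTS` to the note formats seen in your own environment, and pair this with alerting on the mass file renames or extension changes that precede the note being dropped.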