US Indicts Alleged Black Kingdom Ransomware Operator Behind Global Microsoft Exchange Attacks

Listen to this Post

Featured Image
U.S. authorities have charged a Yemeni national in connection with a sweeping international ransomware campaign that targeted Microsoft Exchange servers across the globe. Rami Khaled Ahmed, known online as “Black Kingdom,” allegedly orchestrated over 1,500 cyberattacks that compromised businesses, healthcare providers, and educational institutions—demanding ransom payments in Bitcoin in exchange for decryption keys or to prevent data exposure.

Ahmed, 36, is accused of spearheading the Black Kingdom ransomware operation between 2021 and 2023, exploiting widely-known vulnerabilities in Microsoft Exchange systems, including ProxyLogon. The malware encrypted data or falsely claimed to have exfiltrated sensitive information, demanding \$10,000 in cryptocurrency per infection. Though believed to be operating from Yemen, his attacks reached victims in the U.S., including a medical billing company in California, a ski resort in Oregon, and various educational institutions.

Assisted by the New Zealand Police, the FBI continues its investigation, highlighting the growing necessity for global cooperation in the fight against ransomware.

Black Kingdom Ransomware Campaign: Key Points

Rami Khaled Ahmed (aka “Black Kingdom”), a Yemeni national, is indicted by U.S. authorities for managing a prolific ransomware operation.
Allegedly responsible for over 1,500 attacks on Microsoft Exchange servers worldwide from March 2021 to June 2023.
Victims include: a medical billing firm in Encino, CA; a ski resort in Oregon; a Pennsylvania school district; and a Wisconsin health clinic.
Ahmed used the Black Kingdom ransomware to exploit known vulnerabilities, primarily ProxyLogon and unpatched Pulse Secure VPNs.
Once inside the system, the malware either encrypted files or pretended to have stolen them, then demanded \$10,000 in Bitcoin as ransom.
Ransom notes instructed victims to send proof of payment to a specific Black Kingdom email and cryptocurrency wallet.
First observed in February 2020 by researcher GrujaRS; activity later confirmed and expanded upon by Marcus Hutchins.

Initially, Black

If convicted, Ahmed faces up to five years in prison for each charge.
The investigation reflects the need for vigilant patching and proactive defense, especially around critical infrastructure like Exchange servers.
Authorities urge organizations to update their software, audit network activity, and implement stronger ransomware resilience protocols.
The collaboration with New Zealand Police emphasizes the international dimension of cybercrime law enforcement.

What Undercode Say:

From a threat intelligence standpoint, the Black Kingdom case offers a revealing look at the evolution of low-sophistication ransomware campaigns that transform into credible threats over time. Rami Khaled Ahmed’s operation didn’t begin with the technical finesse of ransomware syndicates like Conti or LockBit, yet his campaign had global impact due to its focus on widely available exploits like ProxyLogon.

The timeline is important here. Microsoft Exchange vulnerabilities became public in early 2021, and within days, threat actors—including Ahmed—began mass scanning and exploiting unpatched servers. Black Kingdom may have started as a rudimentary threat, but Ahmed’s team learned fast. Once their initial versions failed to encrypt files effectively, they quickly corrected course. This underscores a key lesson: cybercriminals iterate just like software developers.

Their relatively low ransom demand—\$10,000—is also telling. It’s a sweet spot: small enough that victims might consider paying rather than restoring from backups, but high enough to profit at scale across hundreds of victims. It also reflects a strategy often used by mid-tier ransomware operators targeting small-to-medium organizations who may lack sophisticated incident response capabilities.

What’s even more critical is how this campaign targeted sectors such as healthcare and education—industries notorious for underfunded cybersecurity defenses. Medical billing firms, public schools, and even ski resorts don’t usually operate with the resources necessary to fend off persistent ransomware campaigns, making them ideal targets for adversaries who prioritize volume over high-value individual hits.

The indictment comes amid a broader wave of law enforcement actions against cybercriminals, but the real test is whether this disrupts the ecosystem or simply creates a power vacuum for others to exploit. There’s no evidence Black Kingdom was a large operation; in fact, it could have been just Ahmed and a few collaborators. But it illustrates how even lone actors or small cells can wreak havoc with off-the-shelf code and publicly available exploits.

Defensive measures remain consistent: patch systems aggressively, monitor Exchange activity closely, and implement layered defenses. But the deeper challenge lies in international cooperation. Yemen presents jurisdictional hurdles for U.S. prosecutors, and even with an indictment, extradition may prove impossible. Law enforcement is catching up, but attribution without arrest does little to slow down attackers operating from hostile or unreachable territories.

The symbolic value of indicting Ahmed is powerful—it’s a signal to the broader threat actor community that impunity is not guaranteed. However, the practical limitations of cross-border enforcement raise questions about long-term deterrence. Unless defenders gain the upper hand in proactive mitigation and offensive cybersecurity (e.g., threat hunting, takedowns, sinkholing infrastructure), we will continue to see the rinse-repeat cycle of new actors exploiting known holes.

Fact Checker Results:

The U.S. Department of Justice officially announced the indictment in early May 2025.
ProxyLogon vulnerability was actively exploited by multiple threat actors from March 2021, consistent with the indictment’s timeline.
Security researcher Marcus Hutchins previously confirmed the Black Kingdom group’s tactics and failures, later corrected by the group.

Prediction:

Black Kingdom’s arrest

References:

Reported By: securityaffairs.com
Extra Source Hub:
https://www.discord.com
Wikipedia
Undercode AI

Image Source:

Unsplash
Undercode AI DI v2

Join Our Cyber World:

💬 Whatsapp | 💬 Telegram