U.S. Charges Yemeni Hacker Linked to Black Kingdom Ransomware Affecting 1,500 Systems
On May 3, 2025, the U.S. Department of Justice (DoJ) revealed charges against Rami Khaled Ahmed, a 36-year-old national from Yemen, for allegedly deploying the notorious Black Kingdom ransomware. This malicious software targeted a wide array of entities globally, with a significant focus on businesses, educational institutions, and healthcare facilities within the United States.
Ahmed, who is believed to be residing in Sana’a, Yemen, faces multiple charges, including conspiracy to commit a cybercrime, intentional damage to a protected computer, and threatening damage to a protected computer. According to the DoJ, from March 2021 to June 2023, Ahmed, along with accomplices, compromised various U.S.-based victims, including a medical billing service in Encino, California, a ski resort in Oregon, a school district in Pennsylvania, and a health clinic in Wisconsin.
The investigation indicates that Ahmed gained initial access to victim networks by exploiting ProxyLogon, a vulnerability in Microsoft Exchange Server, and that this foothold likely allowed the malware to persist inside the affected organizations' systems. Once inside, the ransomware encrypted data stored on compromised computers, disrupting operations and causing significant financial losses for the victims.
Mapped to MITRE ATT&CK, the attacks follow a recognizable sequence of tactics. Exploiting the ProxyLogon vulnerability provided Initial Access, the critical first step in the adversary's approach. Ahmed's team might then have used Credential Access techniques, enabling them to move through and manipulate the affected networks more freely.
The choice of targets underscores how exposed multiple sectors remain, particularly healthcare and education, where operational disruptions from ransomware can have dire consequences. The broad impact of Black Kingdom highlights the urgent need for organizations to adopt comprehensive cybersecurity measures: understanding likely attack vectors and hardening defenses against widely exploited flaws such as ProxyLogon.
As cyber threats continue to evolve, it becomes essential for business leaders and IT professionals to remain vigilant about system vulnerabilities and to implement robust incident response plans. The charges against Ahmed serve as a stark reminder of the persistent risks in the cybersecurity landscape and the importance of proactive measures to safeguard critical infrastructure.