U.S. Charges Yemeni Hacker for Deploying Black Kingdom Ransomware on 1,500 Systems

The United States Department of Justice (DoJ) has announced charges against Rami Khaled Ahmed, a 36-year-old Yemeni national, for his alleged involvement in deploying the Black Kingdom ransomware against numerous targets worldwide, including businesses, educational institutions, and healthcare facilities within the United States.

Ahmed faces charges of conspiracy, intentional damage to protected computers, and threatening damage to protected computers. He is believed to be residing in Sana’a, Yemen. According to the DoJ, between March 2021 and June 2023, Ahmed and his associates infiltrated the computer networks of several U.S.-based entities, such as a medical billing services company in Encino, California; a ski resort in Oregon; a school district in Pennsylvania; and a health clinic in Wisconsin.

The Black Kingdom ransomware exploited a critical vulnerability in Microsoft Exchange Server, known as ProxyLogon, to gain unauthorized access to systems. Once inside, the ransomware encrypted data or claimed to have stolen information from the victims’ networks. Victims were then presented with a ransom note demanding $10,000 in Bitcoin, directing them to send the payment to a cryptocurrency address controlled by a co-conspirator and to provide proof of payment to a specified email address. It is estimated that the ransomware was deployed on approximately 1,500 computer systems across the U.S. and other countries.

Also known as Pydomer, the Black Kingdom ransomware was among the first to exploit the ProxyLogon vulnerabilities. In March 2021, Microsoft identified this ransomware family as leveraging these flaws to infiltrate systems. Cybersecurity firm Sophos characterized Black Kingdom as somewhat rudimentary and amateurish, noting that attackers used the ProxyLogon vulnerability to deploy web shells, which were then used to execute PowerShell commands that downloaded the ransomware. Sophos further described the activity as indicative of a motivated script-kiddie.

In August 2021, a Nigerian threat actor was observed attempting to recruit insiders by offering $1 million in Bitcoin to deploy Black Kingdom ransomware within corporate networks, highlighting the evolving tactics of cybercriminals.

If convicted, Ahmed faces a maximum sentence of five years in federal prison for each count. The case is being investigated by the Federal Bureau of Investigation (FBI), with assistance from the New Zealand Police.

This indictment is part of a broader effort by U.S. authorities to combat cybercrime. Recently, the DoJ unsealed an indictment against Ukrainian citizen Artem Stryzhak for deploying Nefilim ransomware since June 2021. Stryzhak was arrested in Spain in June 2024 and extradited to the U.S. on April 30, 2025. Additionally, British national Tyler Robert Buchanan, suspected of being a member of the Scattered Spider cybercrime group, was extradited from Spain to the U.S. to face charges related to wire fraud and aggravated identity theft.

These actions underscore the U.S. government’s commitment to identifying and prosecuting individuals involved in cyberattacks that threaten critical infrastructure and public safety.