DOJ Takes Action Against Black Kingdom Ransomware Attacker


The U.S. Department of Justice (DoJ) has announced charges against Rami Khaled Ahmed, a 36-year-old Yemeni national, for allegedly deploying the Black Kingdom ransomware against various global targets, including businesses, schools, and hospitals in the U.S. Ahmed, who resides in Sana’a, Yemen, faces charges including conspiracy, intentional damage to protected computers, and threatening damage to protected computers.

From March 2021 to June 2023, Ahmed is accused of infecting the computer networks of multiple U.S.-based victims, including a medical billing service in California, a ski resort in Oregon, a school district in Pennsylvania, and a health clinic in Wisconsin. The ransomware exploited vulnerabilities in Microsoft Exchange Server, specifically the ProxyLogon flaw, to deploy the malicious software, either encrypting or stealing the victims’ data. A ransom note would be placed on the system demanding $10,000 in Bitcoin, which would be sent to a cryptocurrency address controlled by Ahmed’s co-conspirators.

The ransomware family, also known as Pydomer, has previously been linked to attacks exploiting Pulse Secure VPN vulnerabilities. Cybersecurity vendor Sophos has described Black Kingdom’s design as rudimentary: it relies on ProxyLogon to deploy web shells, which are then used to issue PowerShell commands that download the ransomware.

If convicted, Ahmed could face up to five years in federal prison for each charge. The case is being investigated by the U.S. Federal Bureau of Investigation (FBI) with assistance from New Zealand Police.

This announcement is part of broader U.S. government actions against cybercriminals. Recently, other criminals have faced charges or extradition, such as Ukrainian citizen Artem Stryzhak, who was charged with deploying Nefilim ransomware, and Tyler Robert Buchanan, a British national linked to the Scattered Spider cybercrime group.

Ransomware remains a serious global threat. The DoJ’s announcement coincides with growing concerns over the increasing fragmentation of ransomware groups. Cybercriminals are moving away from large hierarchical groups and adopting more decentralized, independent operations. Despite ongoing law enforcement efforts, ransomware continues to pose a significant challenge for organizations. According to Verizon, 44% of breaches in 2024 involved ransomware, though a rising number of victims are choosing not to pay the ransom, with 64% of victim organizations refusing to pay.

In the first quarter of 2025, the average ransom payment was recorded at $552,777, a slight decrease from the previous quarter. However, the median ransom payment increased by 80% to $200,000. Despite these trends, ransomware remains a growing concern, with Q1 2025 seeing a 126% increase in reported incidents compared to the same period in 2024.

The sectors most targeted by ransomware include healthcare, business services, consumer goods, and industrial manufacturing, particularly in North America and Europe. Experts continue to warn of the challenges posed by this evolving and persistent cyber threat.
