
US charges Yemeni hackers behind Black Kingdom ransomware targeting 1,500 systems

May 3, 2025

The U.S. Department of Justice (DOJ) on Thursday announced charges against a 36-year-old Yemeni national who allegedly deployed Black Kingdom ransomware against global targets, including US businesses, schools and hospitals.

Rami Khaled Ahmed of Sanaa, Yemen, is charged with one count of conspiracy, one count of intentional damage to a protected computer, and one count of threatening damage to a protected computer. Ahmed is currently assessed to be living in Yemen.

“From March 2021 to June 2023, Ahmed and others infected several US-based victim computer networks, including Encino’s medical billing services company, ski resorts in Oregon and medical clinics in Wisconsin,” the DOJ said in a statement.

Ahmed is accused of developing and deploying the ransomware by exploiting a vulnerability in Microsoft Exchange Server known as ProxyLogon.

The ransomware worked by either encrypting data on the victim’s computer network or claiming to have stolen that information from the network. After encryption, the ransomware dropped a ransom note on the system and instructed the victim to send $10,000 worth of Bitcoin to a cryptocurrency address managed by a conspirator.

Victims were also allegedly asked to send proof of payment to a Black Kingdom email address. The ransomware is estimated to have been delivered to approximately 1,500 computer systems in the US and elsewhere.

The ransomware family, also tracked under the name Pydomer, was previously linked to attacks that exploited a Pulse Secure VPN vulnerability (CVE-2019-11510). Microsoft disclosed in late March 2021 that it was the first existing ransomware family to capitalize on the ProxyLogon flaw.

Cybersecurity vendor Sophos described Black Kingdom as “somewhat rudimentary and amateurish in its configuration,” with the attackers exploiting the ProxyLogon vulnerability to deploy a web shell, which was then used to issue PowerShell commands to download the ransomware.

Sophos also said the activity bears all the hallmarks of a “motivated script kiddie.” Later that August, Nigerian threat actors were observed attempting to recruit employees by offering to pay them $1 million in Bitcoin to deploy Black Kingdom ransomware on their companies' networks as part of an insider threat scheme.

If convicted, Ahmed faces a maximum sentence of five years in federal prison for each count. The case is being investigated by the US Federal Bureau of Investigation (FBI) with support from the New Zealand Police.

The charges come amid a series of announcements from US government authorities concerning various criminal acts:

  • The DOJ unsealed charges alleging that Ukrainian citizen Artem Stryzhak has used Nefilim ransomware to attack companies since becoming an affiliate in June 2021. He was arrested in Spain in June 2024 and extradited to the US on April 30, 2025.
  • Tyler Robert Buchanan, a British citizen suspected of being a member of the infamous Scattered Spider cybercrime group, has been extradited from Spain to the US to face charges related to wire fraud and aggravated identity theft. Buchanan was arrested in Spain in June 2024. The charges against him and other Scattered Spider members were announced by the United States in November 2024.
  • Leonidas Valagiannis (aka War), 21, and Prasan Nepal (aka Trippy), 20, the two alleged leaders of the child extortion group 764, have been arrested and charged with directing and distributing child sexual abuse material (CSAM). The two men are accused of exploiting at least eight minor victims.
  • Another member of 764, Richard Anthony Reina Densmore, was sentenced in the United States in November 2024 for sexually exploiting a child. Members of 764 are affiliated with The Com, a disparate collection of loosely associated groups that commit financially motivated, sexual and violent crimes. It also includes Scattered Spider.
  • The US Treasury Department’s Financial Crimes Enforcement Network (FinCEN) has designated Cambodia-based conglomerate Huione Group as an “institution of primary money laundering concern” for transnational Southeast Asian cybercrime gangs, for facilitating romance baiting scams and serving as a key node for laundering proceeds for the Democratic People's Republic of Korea (DPRK). Huione Pay’s banking license was revoked by the National Bank of Cambodia in March 2025.

Ransomware attacks surge as payoffs decrease

The development comes as ransomware continues to be a persistent threat, even as sustained law enforcement action is causing major shifts in observed tactics. These include an increased frequency of encryption-less attacks and a tendency for cybercriminals to move away from traditional hierarchical groups in favor of a lone-wolf approach.

“Ransomware operations are becoming increasingly decentralized, with a number of original affiliates choosing to operate independently, rather than remain bound by established groups,” Halcyon said.

“This shift is driven by several factors, including increased coordination of law enforcement, successful takedowns of key ransomware infrastructures, and a wider push by actors to avoid attribution through brand rotations and unbranded campaigns.”

Data compiled by Verizon shows that 44% of all breaches analyzed in 2024 involved the use of a ransomware strain, up from 32% in 2023. But there’s good news.

“In the 2024 calendar year, the median ransom paid came to $115,000, down from the previous year’s $150,000,” Verizon said in its 2025 Data Breach Investigations Report (DBIR). “64% of victim organizations did not pay ransoms, which is up from 50% two years ago.”

According to Coveware, the average ransom payment for the first quarter of 2025 was $552,777, down 0.2% from the previous quarter. In contrast, the median ransom payment climbed 80% to $200,000.

“The rate of companies that chose to pay a ransom, either to procure decryption keys or to suppress threat actors from posting breached data to leak sites, rose in the first quarter of 2025,” the company said.

The ransomware payment resolution rate for the period stood at 27%, down from 85% in the first quarter of 2019, 73% in the first quarter of 2021, 46% in the first quarter of 2022, 45% in the first quarter of 2023, and 28% in the first quarter of 2024.

“The attacks are still occurring and new groups continue to spin up monthly, but the well-oiled ransomware machines built by the early RaaS groups are suffering from complications that are unlikely to resolve,” the company added.

Despite these setbacks, ransomware shows no signs of stopping anytime soon. There were 2,289 reported cases in the first quarter of 2025, an increase of 126% compared to the first quarter of 2024, according to Check Point. However, ransomware attacks saw a 32% month-over-month drop in March 2025, with a total of 600 cases claimed.

North America and Europe account for more than 80% of cases. Consumer goods and services, business services, industrial manufacturing, healthcare, and construction and engineering were the sectors most targeted by ransomware.

“Ransomware incident volumes are reaching unprecedented levels,” said Dr. Darren Williams, founder and CEO of BlackFog. “This presents an ongoing challenge for organizations dealing with attackers focused on confusion, data theft, and extortion. Various groups emerge and disband, but they all focus on the same end goal, data removal.”
