Pierluigi Paganini May 05, 2025

A 36-year-old Yemeni man behind Black Kingdom ransomware is indicted in the U.S. for 1,500 attacks on Microsoft Exchange servers.

U.S. authorities have indicted Rami Khaled Ahmed (aka “Black Kingdom,” of Sana’a, Yemen), a 36-year-old Yemeni national, suspected of being the administrator of the Black Kingdom ransomware operation. He is believed to have carried out 1,500 attacks on Microsoft Exchange servers worldwide.

The FBI is investigating the case with the help of the New Zealand Police.

The man is accused of having deployed the Black Kingdom ransomware against computer servers owned organizations worldwide, including businesses, schools, and hospitals in the United States, including a medical billing services company in the San Fernando Valley.

The man demanded ransom payments of $10,000 in Bitcoin from the victims.

The US authorities believe he is residing in Yemen.

“According to the indictment, from March 2021 to June 2023, Ahmed and others infected computer networks of several U.S.-based victims, including a medical billing services company in Encino, a ski resort in Oregon, a school district in Pennsylvania, and a health clinic in Wisconsin. Ahmed developed and deployed Black Kingdom ransomware to exploit a vulnerability in Microsoft Exchange.” reads the press release published by DoJ. “The ransomware either encrypted data from victims’ computer networks or claimed to take that data from the networks. When the malware was successful, the ransomware then created a ransom note on the victim’s system that directed the victim to send $10,000 worth of Bitcoin to a cryptocurrency address controlled by a co-conspirator and to send proof of this payment to a Black Kingdom email address.”

If convicted, Ahmed faces up to five years in federal prison for each charge.

Black Kingdom ransomware was first spotted in late February 2020 by security researcher GrujaRS, the ransomware encrypts files and appends the .DEMON extension to filenames of the encrypted documents. In June 2020, Black Kingdom ransomware operators started targeting organizations using unpatched Pulse Secure VPN software to deploy their malware.

In March 2021, the group, leveraging the availability online of the ProxyLogon PoC exploit code, expanded its operations targeting vulnerable Exchange mail servers.

The popular researcher Marcus Hutchins first reported the activity of the Black Kingdom group.

The expert pointed out that the ransomware gang was dropping a ransom note on vulnerable installs demanding a payment of $10,000 worth of Bitcoin, but for unknown reasons, the files were not encrypted. Unfortunately, according to security experts, the group now fixed its problems and can encrypt the files on compromised Exchange servers.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, ransomware)