A Yemeni national, Rami Khaled Ahmed, aged 36, has been indicted by federal authorities in the Central District of California for allegedly orchestrating a cyberattack campaign using Black Kingdom ransomware to extort victims, the U.S. Department of Justice announced.
Ahmed is accused of deploying Black Kingdom malware on approximately 1,500 computer systems across the United States and globally between March 2021 and June 2023.
The ransomware exploited vulnerabilities in Microsoft Exchange servers, allowing attackers to gain remote access, install web shells, and execute malicious scripts.
Victims included a medical billing company in Encino, California, an Oregon ski resort, a Pennsylvania school district, and a Wisconsin health clinic.
Black Kingdom Ransomware Admin Charged
Black Kingdom is coded in Python and compiled to an executable using PyInstaller. While analyzing the code statically, we found that most of the ransomware logic was coded into a file named 0xfff.py. The ransomware is written in Python 3.7.
The malware encrypted files, appending random extensions like “.DEMON” or “.black_kingdom,” and left ransom notes demanding $10,000 in Bitcoin for decryption keys. The notes also threatened to leak stolen data if payments were not made.
“The ransomware either encrypted data from victims’ computer networks or claimed to take that data from the networks. When the malware was successful, the ransomware then created a ransom note on the victim’s system that directed the victim to send $10,000 worth of Bitcoin to a cryptocurrency address controlled by a co-conspirator and to send proof of this payment to a Black Kingdom email address,” the DOJ said.
In June 2020, Black Kingdom operators continued targeting Pulse Secure VPN vulnerabilities, breaching enterprise networks. Despite its simple design, coded in Python and compiled into Windows executables, it caused significant disruption, with some victims paying ransoms, including one recorded payment of $9,400 in Bitcoin.
Its basic code lacked checks to prevent re-encryption, sometimes encrypting files multiple times and complicating decryption efforts. In some cases, it deployed scareware, dropping ransom notes without encrypting files to trick victims into paying. A hardcoded encryption key allowed some victims to decrypt files without payment.
Black Kingdom’s 2021 campaign used web shells to access Exchange servers, executing scripts to download ransomware. The ransomware avoided encrypting critical system folders but failed to mark encrypted files, risking data loss from multiple encryptions.
It also attempted to delete system logs to evade detection. Victims faced ransom demands of 0.052 to 0.19 Bitcoin (approximately $500 to $10,000), with payments directed to a static Bitcoin address that saw limited transactions, suggesting low success rates.
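As an added example (not code from this article, the DOJ filing, or any analysis it draws on), a small defender-side triage script in Python that applies the two points above: it flags files carrying the appended extensions the article names and, because the ransomware did not mark files it had already processed, reports names where such an extension is stacked more than once, a sign of repeated encryption passes. The file listing is constructed for the example, and the extension set is the pair the article mentions, not an exhaustive list.

```python
from collections import Counter
from typing import Iterable, List

# Extensions named in the article. Black Kingdom used other random extensions too,
# so treat this as a starting set and extend it from your own incident data.
BLACK_KINGDOM_EXTENSIONS = frozenset({".DEMON", ".black_kingdom"})

# Constructed sample listing (not real victim data) in the shape a file-system
# inventory or EDR export would produce.
SAMPLE_LISTING = [
    r"C:\Users\alice\Documents\budget.xlsx.DEMON",
    r"C:\Users\alice\Documents\notes.txt.DEMON.DEMON",
    r"C:\Shares\billing\claims.csv.black_kingdom",
    r"C:\Windows\System32\kernel32.dll",
    r"C:\Users\alice\Pictures\holiday.jpg",
]


def ransomware_extensions(path: str, extensions: frozenset = BLACK_KINGDOM_EXTENSIONS) -> List[str]:
    """Return the ransomware extensions stacked at the end of a file name, outermost first.

    'report.docx.DEMON.DEMON' -> ['.DEMON', '.DEMON']; 'report.docx' -> [].
    """
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    hits: List[str] = []
    while True:
        # Windows file names are case-insensitive, so compare in lower case.
        matched = next((e for e in extensions if name.lower().endswith(e.lower())), None)
        if matched is None:
            return hits
        name = name[: -len(matched)]
        hits.append(matched)


def triage(paths: Iterable[str], extensions: frozenset = BLACK_KINGDOM_EXTENSIONS) -> dict:
    """Summarise a listing: which files look encrypted and which were hit more than once."""
    encrypted, multiply_encrypted = [], []
    extension_counts: Counter = Counter()
    for path in paths:
        hits = ransomware_extensions(path, extensions)
        if not hits:
            continue
        encrypted.append(path)
        extension_counts.update(hits)
        if len(hits) > 1:  # re-encrypted: decryption must be run once per layer
            multiply_encrypted.append(path)
    return {
        "encrypted": encrypted,
        "multiply_encrypted": multiply_encrypted,
        "extension_counts": dict(extension_counts),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LISTING).items():
        print(f"{key}: {value}")
```

Files in the multiply_encrypted list need one decryption pass per stacked layer, innermost layer last, which is why the scan records the depth rather than a yes/no flag.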
Ahmed faces charges of conspiracy, intentional damage to a protected computer, and threatening damage to a protected computer, with a potential maximum sentence of 15 years if convicted.
He is believed to be in Yemen, and international efforts are underway to apprehend him. The FBI’s Los Angeles Field Office led the investigation. Experts urge organizations to patch systems promptly, deploy monitoring tools, and maintain backups to mitigate ransomware risks.