U.S. Charges Yemeni Hacker Behind Widespread Black Kingdom Ransomware Attacks
WASHINGTON, D.C. — The U.S. Department of Justice (DoJ) has charged a Yemeni national with orchestrating a global ransomware campaign that compromised roughly 1,500 computer systems, including critical infrastructure in the United States.
Rami Khaled Ahmed, 36, of Sana’a, Yemen, faces federal charges including conspiracy, intentional damage to a protected computer, and threatening to damage a protected computer. He is believed to still reside in Yemen.
According to the DoJ, from March 2021 through June 2023, Ahmed and his associates deployed the Black Kingdom ransomware to disrupt networks across various sectors. Targets included a medical billing company in California, a ski resort in Oregon, a Pennsylvania school district, and a health clinic in Wisconsin.
Ahmed allegedly exploited the ProxyLogon vulnerability in Microsoft Exchange Server to gain unauthorized access and install the ransomware. Once deployed, Black Kingdom either encrypted victims’ data or claimed to have stolen it, demanding a $10,000 Bitcoin payment in exchange for not leaking or destroying the information.
Victims were instructed to send payment proof to a designated Black Kingdom email address. The malware is believed to have impacted systems both in the U.S. and abroad.
Black Kingdom, also known as Pydomer, has previously been associated with attacks exploiting vulnerabilities in Pulse Secure VPN and Microsoft products. Microsoft identified it in 2021 as one of the first ransomware strains to leverage the ProxyLogon exploit.
Cybersecurity firm Sophos characterized the malware as “rudimentary” and suggested it may have been operated by less-sophisticated attackers, or so-called “script kiddies.” In August 2021, reports surfaced of a Nigerian actor attempting to recruit corporate insiders with a $1 million Bitcoin bribe to deploy the ransomware internally.
If convicted, Ahmed could face up to five years in prison per charge. The case is being investigated by the FBI, with assistance from New Zealand authorities.
Wave of Cybercrime Prosecutions and Ransomware Crackdowns
Ahmed’s indictment is part of a broader crackdown on global cybercrime:
- Ukrainian national Artem Stryzhak was charged with using Nefilim ransomware. Arrested in Spain in 2024, he was extradited to the U.S. on April 30, 2025.
- British citizen Tyler Robert Buchanan, linked to the Scattered Spider hacking group, was also extradited from Spain and faces charges related to wire fraud and identity theft.
- Leonidas Varagiannis and Prasan Nepal, leaders of the online child extortion group 764, were arrested for distributing child sexual abuse material. Another member, Richard Anthony Reyna Densmore, was previously sentenced to 30 years in prison.
- The HuiOne Group, a Cambodia-based conglomerate, was designated a major money laundering threat by the U.S. Treasury for aiding cybercrime syndicates and romance scams linked to North Korea.
Ransomware Landscape Shifts Amid Law Enforcement Pressure
Despite these prosecutions, ransomware remains a persistent global threat. Analysts report growing decentralization in cybercriminal operations, with many former ransomware-as-a-service (RaaS) affiliates acting independently to avoid detection.
According to Verizon’s 2025 Data Breach Investigations Report, ransomware was involved in 44% of breaches in 2024, a jump from 32% the previous year. Encouragingly, more organizations are refusing to pay, with 64% of victims declining ransom payments, up from 50% two years ago.
Coveware reported that while the average ransom payment in Q1 2025 was $552,777 (a slight dip from the previous quarter), the median payment rose 80% to $200,000, indicating a wider gap between high- and low-dollar payouts.
The share of ransomware cases resolved by paying the ransom has steadily declined: just 27% in early 2025, compared to 85% in 2019.
Even so, attack volumes are surging. Check Point noted 2,289 ransomware incidents in Q1 2025—a 126% year-over-year increase, though March saw a 32% month-over-month dip. North America and Europe remain the most targeted regions, with consumer goods, manufacturing, healthcare, and construction industries facing the highest risk.
“Ransomware incidents are hitting record levels,” said Dr. Darren Williams, CEO of BlackFog. “While the groups may change, their objective remains the same: data theft and extortion.”