Federal prosecutors indict alleged head of Black Kingdom ransomware

Federal prosecutors indicted a man believed to be living in Yemen on charges of deploying ransomware against multiple U.S. and global organizations. Rami Khaled Ahmed, 36, allegedly infected businesses, schools and hospitals with “Black Kingdom” ransomware, U.S. prosecutors said Thursday.
The U.S. Attorney’s Office for the Central District of California charged Ahmed, also known as “Black Kingdom,” with conspiracy, intentional damage to a protected computer and threatening damage to a protected computer.
Prosecutors said Ahmed and unnamed co-conspirators transmitted Black Kingdom ransomware to about 1,500 computer systems in the United States and elsewhere. Ahmed allegedly developed and deployed Black Kingdom ransomware to exploit a vulnerability in Microsoft Exchange.
Organizations hit in the Black Kingdom ransomware spree between March 2021 and June 2023 include a medical billing services company in California, a ski resort in Oregon, a school district in Pennsylvania and a health clinic in Wisconsin, according to the Justice Department.
“The ransomware either encrypted data from victims’ computer networks or claimed to take that data from the networks,” prosecutors said. “When the malware was successful, the ransomware then created a ransom note on the victim’s system that directed the victim to send $10,000 worth of Bitcoin to a cryptocurrency address controlled by a co-conspirator and to send proof of this payment to a Black Kingdom email address.”
Authorities did not say how many victim organizations paid the extortion demand or how much money Ahmed, a Yemeni national, and his co-conspirators allegedly generated from the ransomware attacks.
The DOJ said the FBI is investigating with assistance from the New Zealand Police. Ahmed faces up to five years in federal prison for each count in the indictment.
Despite the indictment, Ahmed has not been arrested and Yemen doesn’t extradite individuals to the U.S.