Department of Justice

US indicts Yemeni man in Black Kingdom ransomware attacks

A 36-year-old man believed to be residing in Yemen participated in the Black Kingdom ransomware operation over a prolific two-year span, U.S. prosecutors said this week.

The U.S. Attorney's Office for the Central District of California announced charges Thursday against Rami Khaled Ahmed for allegedly helping to develop and deploy Black Kingdom, which spread to “approximately 1,500 computer systems” in the U.S. and elsewhere.

The U.S. victims included a medical billing services company in Encino, California, as well as a ski resort in Oregon, a school district in Pennsylvania and a health clinic in Wisconsin, prosecutors said.

Cybersecurity researchers warned about a burst of Black Kingdom activity in March 2021 as the gang targeted Microsoft Exchange servers. Analysts at Sophos said at the time that the malware was “somewhat rudimentary and amateurish in its composition, but it can still cause a great deal of damage.”

Prosecutors did not name any other suspects Thursday.

“The ransomware either encrypted data from victims’ computer networks or claimed to take that data from the networks,” prosecutors said. “When the malware was successful, the ransomware then created a ransom note on the victim’s system that directed the victim to send $10,000 worth of Bitcoin to a cryptocurrency address controlled by a co-conspirator and to send proof of this payment to a Black Kingdom email address.”

Ahmed was part of the operation from March 2021 until at least June of 2023, prosecutors said. If apprehended, he faces three charges: one count of conspiracy, one count of intentional damage to a protected computer and one count of threatening damage to a protected computer. Each count comes with a prison sentence of up to five years.

The U.S. government has made several cybersecurity-related announcements this week as much of the industry gathered in San Francisco for the annual RSA Conference:

  • The Treasury Department proposed cutting off U.S. access to a Cambodian financial institution over money laundering accusations.
  • A suspect in the Nefilim ransomware operation was extradited to face charges in a Brooklyn courtroom.
  • An Iranian national was charged for his alleged role in founding and running Nemesis Market, a long-running dark web bazaar.
  • Federal authorities arrested two people for allegedly running a core subgroup of 764, a global cybercrime and extremism community.
  • A California man pleaded guilty to hacking a Disney employee’s personal computer in 2024 and pilfering more than 1 terabyte of confidential data.

Joe Warminsky

Joe Warminsky is the news editor for Recorded Future News. He has more than 25 years of experience as an editor and writer in the Washington, D.C., area. He previously helped lead CyberScoop for more than five years. Prior to that, he was a digital editor at WAMU 88.5, the NPR affiliate in Washington, and he spent more than a decade editing coverage of Congress for CQ Roll Call.