In May 2025, the U.S. Department of Justice (DoJ) charged 36-year-old Rami Khaled Ahmed, a Yemeni national, for deploying the Black Kingdom ransomware. This attack, which targeted various U.S.-based victims, spanned from March 2021 to June 2023. Ahmed’s ransomware exploited a vulnerability in Microsoft Exchange Server, known as ProxyLogon, affecting businesses, schools, and medical services. He is charged with conspiracy, intentional damage, and threats to damage protected computers.
The ransomware infected approximately 1,500 systems, demanding Bitcoin payments from victims in exchange for data decryption.
While some systems only had encrypted data, others were made to believe their information was stolen. Ahmed allegedly used web shells and PowerShell commands to execute the ransomware after exploiting ProxyLogon vulnerabilities. The DoJ’s investigation links Ahmed to the broader Pydomer ransomware family, which has been connected to several significant cyberattacks.
If convicted, Ahmed faces up to five years in federal prison for each charge, and the case is under investigation by the FBI. The case aligns with other recent cybersecurity actions, including arrests related to the Nefilim ransomware, wire fraud, and child exploitation crimes. As ransomware attacks grow, the U.S. authorities continue to target international cybercriminals.
These efforts reflect a global initiative to combat increasing cybercrime activities and enhance cooperation between law enforcement agencies.
The surge in ransomware incidents highlights the ongoing challenges of cybersecurity. According to Verizon, ransomware involvement in breaches rose from 32% to 44% in 2024. Despite this, fewer organizations are paying ransoms, with only 36% of victims settling the demand in 2024. A shift towards decentralized ransomware operations and a decline in ransom payments suggest evolving trends in cybercrime, which are likely to persist despite ongoing law enforcement efforts.
Reference:
