A 36-year-old Yemeni national, who is believed to be the developer and primary operator of 'Black Kingdom' ransomware, has been indicted by the United States for conducting 1,500 attacks on Microsoft Exchange servers.

The suspect, Rami Khaled Ahmed, is accused of deploying the Black Kingdom malware on roughly 1,500 computers in the United States and abroad, demanding ransom payments of $10,000 in Bitcoin.

"According to the indictment, from March 2021 to June 2023, Ahmed and others infected computer networks of several U.S.-based victims, including a medical billing services company in Encino, a ski resort in Oregon, a school district in Pennsylvania, and a health clinic in Wisconsin," explains a U.S. Department of Justice announcement.

The U.S. DoJ highlights that Ahmed designed Black Kingdom ransomware to exploit a vulnerability in Microsoft Exchange for initial access to targeted computers.

"When the malware was successful, the ransomware then created a ransom note on the victim's system that directed the victim to send $10,000 worth of Bitcoin to a cryptocurrency address controlled by a co-conspirator and to send proof of this payment to a Black Kingdom email address," reads another part of the announcement.

For his Black Kingdom attacks, Ahmed now faces charges of conspiracy, intentional damage to a protected computer, and threatening damage to a protected computer.

Black Kingdom's use of Exchange as an entry point was first reported in March 2021 by researcher Marcus Hutchins, who discovered web shells deployed by Black Kingdom ransomware operators on Exchange servers vulnerable to ProxyLogon attacks. Soon after, Microsoft confirmed that Black Kingdom had compromised 1,500 Exchange servers by leveraging ProxyLogon flaws.

Earlier, in June 2020, it was revealed that Black Kingdom targeted CVE-2019-11510, a critical vulnerability affecting Pulse Secure VPN, to breach corporate networks and deploy its file lockers.
This Cyber News was published on www.bleepingcomputer.com. Publication date: Fri, 02 May 2025 14:35:10 +0000