US indicts Black Kingdom ransomware admin for Microsoft Exchange attacks

This was first reported in March 2021 by researcher Marcus Hutchins, who discovered web shells deployed by Black Kingdom ransomware operators on Exchange servers vulnerable to ProxyLogon attacks. A 36-year-old Yemeni national, who is believed to be the developer and primary operator of 'Black Kingdom' ransomware, has been indicted by the United States for conducting 1,500 attacks on Microsoft Exchange servers. "When the malware was successful, the ransomware then created a ransom note on the victim's system that directed the victim to send $10,000 worth of Bitcoin to a cryptocurrency address controlled by a co-conspirator and to send proof of this payment to a Black Kingdom email address," reads another part of the announcement. The U.S. DoJ highlights that Ahmed designed Black Kingdom ransomware to exploit a vulnerability in Microsoft Exchange for initial access to targeted computers. The suspect, Rami Khaled Ahmed, is accused of deploying the Black Kingdom malware on roughly 1,500 computers in the United States and abroad, demanding ransom payments of $10,000 in Bitcoin. "According to the indictment, from March 2021 to June 2023, Ahmed and others infected computer networks of several U.S.-based victims, including a medical billing services company in Encino, a ski resort in Oregon, a school district in Pennsylvania, and a health clinic in Wisconsin," explains a U.S. Department of Justice announcement. In June 2020, it was revealed that Black Kingdom targeted CVE-2019-11510, a critical vulnerability affecting Pulse Secure VPN, to breach corporate networks and deploy their file lockers. For his Black Kingdom attacks, Ahmed now faces charges of conspiracy, intentional damage to a protected computer, and threatening damage to a protected computer. Soon, Microsoft confirmed that Black Kingdom had compromised 1,500 Exchange servers by leveraging ProxyLogon flaws.

This Cyber News was published on www.bleepingcomputer.com. Publication date: Fri, 02 May 2025 14:35:10 +0000


Cyber News related to US indicts Black Kingdom ransomware admin for Microsoft Exchange attacks

10 Best Ransomware Protection Tools - 2025 - It protects devices from ransomware and other cyber threats using advanced threat intelligence, behavioral analysis, and cloud-based technology. It monitors and prevents ransomware assaults on personal files and automatically restores encrypted ...
3 months ago Cybersecuritynews.com
US indicts Black Kingdom ransomware admin for Microsoft Exchange attacks - This was first reported in March 2021 by researcher Marcus Hutchins, who discovered web shells deployed by Black Kingdom ransomware operators on Exchange servers vulnerable to ProxyLogon attacks. A 36-year-old Yemeni national, who is believed to ...
4 weeks ago Bleepingcomputer.com CVE-2019-11510
10 Best Ransomware File Decryptor Tools in 2025 - Kaspersky Rakhni Decryptor contains different decryption tools based on various versions of Rakhni ransomware and helps you decrypt encrypted files on your system. PyLocky Ransomware Decryption Tool is a free and open source developed and released by ...
1 month ago Cybersecuritynews.com
Microsoft: Exchange 2016 and 2019 reach end of support in six months - This week's warning comes after Microsoft reminded IT admins in January that Exchange Server 2016 and Exchange Server 2019 will no longer receive technical support starting in October. The Exchange Server Engineering Team also shared guidance for ...
1 month ago Bleepingcomputer.com
The ticking time bomb of Microsoft Exchange Server 2013 - This is, of course, a common issue since 2021 or so, due to Exchange Server security woes- however there has been an abnormally high increase in the past few months, making me think there was some kind of Exchange Server zero day perhaps. In my own ...
1 year ago Doublepulsar.com
More than $100 million in ransom paid to Black Basta gang over nearly 2 years - The Black Basta cybercrime gang has raked in at least $107 million in ransom payments since early 2022, according to research from blockchain security company Elliptic and Corvus Insurance. The group has infected more than 329 victim organizations ...
1 year ago Therecord.media FIN7 Black Basta
Black Basta ransomware made over $100 million from extortion - Russia-linked ransomware gang Black Basta has raked in at least $100 million in ransom payments from more than 90 victims since it first surfaced in April 2022, according to joint research from Corvus Insurance and Elliptic. Over 329 victims ...
1 year ago Bleepingcomputer.com Carbanak FIN7 Qilin Black Basta
The Week in Ransomware - This week was pretty quiet on the ransomware front, with most of the attention on the seizure of the BreachForums data theft forum. That does not mean there was nothing of interest released this week about ransomware. A report by CISA said that the ...
1 year ago Bleepingcomputer.com LockBit Inc ransom Black Basta
Black Basta's ransom haul tops $100M in less than 2 years - The Black Basta ransomware gang has raked in more than $100 million from victims of its double-extortion attacks since its emergence early last year, according to researchers. The haul - which included grabbing $9 million from one victim and more ...
1 year ago Packetstormsecurity.com LockBit Black Basta
Black Hat Europe 2023 Closes on Record-Breaking Event in London - PRESS RELEASE. LONDON, Dec. 20, 2023 - Black Hat, the cybersecurity industry's most established and in-depth security event series, today announced the successful completion of the in-person component of Black Hat Europe 2023. The event welcomed more ...
1 year ago Darkreading.com
Yemeni Man Charged in U.S. for Black Kingdom Ransomware Deployed on Schools & Business Networks - When the malware was successful, the ransomware then created a ransom note on the victim’s system that directed the victim to send $10,000 worth of Bitcoin to a cryptocurrency address controlled by a co-conspirator and to send proof of this payment ...
4 weeks ago Cybersecuritynews.com
Black Basta Buster Utilizes Ransomware Flaw to Recover Files - Security research and consulting firm SRLabs exploited a vulnerability in the encryption algorithm of a specific strain of Black Basta ransomware to develop and release a decryptor tool named Black Basta Buster. This tool, released in response to the ...
1 year ago Heimdalsecurity.com FIN7 Black Basta
Black Kite Unveils Monthly Ransomware Dashboards - PRESS RELEASE. Boston, MA - January 24, 2023 - Black Kite, the leader in third-party cyber risk intelligence, today unveiled the industry's first monthly ransomware dashboard, featuring crucial insights for security teams, media, analysts, and other ...
1 year ago Darkreading.com 8base LockBit Akira Werewolves
US indicts Yemeni man in Black Kingdom ransomware attacks | The Record from Recorded Future News - The U.S. Attorney's Office for the Central District of California announced charges Thursday against Rami Khaled Ahmed for allegedly helping to develop and deploy Black Kingdom, which spread to “approximately 1,500 computer systems” in the ...
4 weeks ago Therecord.media
'Black Basta Buster' Exploits Ransomware Bug for File Recovery - Researchers have exploited a weakness in a particular strain of the Black Basta ransomware to release a decryptor for the malware, but it doesn't recover all of the files encrypted by the prolific cybercriminal gang. Security research and consulting ...
1 year ago Darkreading.com FIN7 Black Basta
Hive Ransomware: A Detailed Analysis - This past week, on January 26th, to be exact, the FBI successfully shut down the Hive ransomware group and saved victims over a hundred million dollars in ransom payments and remediation costs. As ransomware continues to be a national security threat ...
2 years ago Heimdalsecurity.com LockBit
The Top 10 Ransomware Groups of 2023 - This article takes an in-depth look at the rise in ransomware attacks over the past year and the criminal groups driving the surge in cyber extortion. LockBit has established itself as one of the most notorious ransomware operations since emerging on ...
1 year ago Securityboulevard.com TA505 8base LockBit BianLian Medusa Noescape Black Basta
Toronto Public Library outages caused by Black Basta ransomware attack - The Toronto Public Library is experiencing ongoing technical outages due to a Black Basta ransomware attack. The Toronto Public Library is Canada's largest public library system, giving access to 12 million books through 100 branch libraries across ...
1 year ago Bleepingcomputer.com Carbanak FIN7 Metaencryptor Black Basta
Ransomware's Impact May Include Heart Attacks, Strokes & PTSD - First-order harms: Direct targets of ransomware attacks. The increasing convergence of IT and OT leave physical infrastructures more vulnerable to ransomware, even though most ransomware operators lack the capability to directly compromise OT or ...
1 year ago Techrepublic.com
Learn How to Decrypt Black Basta Ransomware Attack Without Paying Ransom - Researchers have created a tool designed to exploit a vulnerability in the Black Basta ransomware, allowing victims to recover their files without succumbing to ransom demands. This decryption tool potentially provides a remedy for individuals who ...
1 year ago Cysecurity.news FIN7 Black Basta
Medusa Ransomware Turning Your Files into Stone - Unit 42 Threat Intelligence analysts have noticed an escalation in Medusa ransomware activities and a shift in tactics toward extortion, characterized by the introduction in early 2023 of their dedicated leak site called the Medusa Blog. The Unit 42 ...
1 year ago Unit42.paloaltonetworks.com Medusa
Broadcom Merging Carbon Black, Symantec to Create Security Unit - Carbon Black's uncertain future following the closing of Broadcom's $69 billion acquisition of VMware in November is now settled, with the security software business merging with Symantec to form Broadcom's new Enterprise Security Group. The creation ...
1 year ago Securityboulevard.com
New Black Basta decryptor exploits ransomware flaw to recover files - Researchers have created a decryptor that exploits a flaw in Black Basta ransomware, allowing victims to recover their files for free. The decryptor allows Black Basta victims from November 2022 to this month to potentially recover their files for ...
1 year ago Bleepingcomputer.com Black Basta
Targeting homeowners' data - As these companies obtain a large amount of sensitive information from their customers, they become attractive targets for ransomware gangs to conduct double-extortion attacks. Finland is also warning of Akira ransomware increasingly targeting ...
1 year ago Bleepingcomputer.com LockBit Akira
The Week in Ransomware - An international law enforcement operation claims to have dismantled a ransomware affiliate operation in Ukraine, which was responsible for attacks on organizations in 71 countries. The threat actors are said to be affiliates of numerous ransomware ...
1 year ago Bleepingcomputer.com Qilin Cactus Black Basta