The U.S. Department of Justice (DoJ) on Thursday announced charges against a 36-year-old Yemeni national for allegedly deploying the Black Kingdom ransomware against global targets, including businesses, schools, and hospitals in the United States.
Rami Khaled Ahmed of Sana’a, Yemen, has been charged with one count of conspiracy, one count of intentional damage to a protected computer, and one count of threatening damage to a protected computer. Ahmed is assessed to be currently living in Yemen.
“From March 2021 to June 2023, Ahmed and others infected computer networks of several U.S.-based victims, including a medical billing services company in Encino, a ski resort in Oregon, a school district in Pennsylvania, and a health clinic in Wisconsin,” the DoJ said in a statement.
Ahmed is accused of developing and deploying the ransomware by exploiting a vulnerability in Microsoft Exchange Server known as ProxyLogon.
The ransomware worked by either encrypting data from victims’ computer networks or claiming to steal that information from the networks. Post encryption, the ransomware dropped a ransom note on the system and directed the victim to send $10,000 worth of Bitcoin to a cryptocurrency address controlled by a co-conspirator.
Victims were also allegedly asked to send proof of the payment to a Black Kingdom email address. The ransomware is estimated to have been delivered on about 1,500 computer systems in the U.S. and elsewhere.
Also tracked under the name Pydomer, the ransomware family has been previously linked to attacks taking advantage of Pulse Secure VPN vulnerabilities (CVE-2019-11510), Microsoft revealed in late March 2021, noting that it was the first existing ransomware family to capitalize on the ProxyLogon flaws.
Cybersecurity vendor Sophos described the Black Kingdom as “somewhat rudimentary and amateurish in its composition,” with the attackers leveraging the ProxyLogon vulnerability to deploy web shells, which were then used to issue PowerShell commands to download the ransomware.
It also said the activity bears all the hallmarks of a “motivated script-kiddie.” Then later that August, a Nigerian threat actor was observed attempting to recruit employees by offering them to pay $1 million in Bitcoin to deploy Black Kingdom ransomware on companies’ networks as part of an insider threat scheme.
If convicted, Ahmed faces a maximum sentence of five years in federal prison for each count. The case is being investigated by the U.S. Federal Bureau of Investigation (FBI) with assistance from the New Zealand Police.
The charges come amid a raft of announcements from U.S. government authorities against various criminal activities –
- The DoJ unsealed an indictment charging Ukrainian citizen Artem Stryzhak with attacking companies using Nefilim ransomware since becoming an affiliate in June 2021. He was arrested in Spain in June 2024 and extradited to the United States on April 30, 2025. If convicted of the charge, Stryzhak faces up to five years’ imprisonment.
- Tyler Robert Buchanan, a British national suspected of being a member of the notorious Scattered Spider cybercrime group, was extradited from Spain to the United States to face charges related to wire fraud and aggravated identity theft. Buchanan was arrested in Spain in June 2024. Charges against him and other Scattered Spider members were announced by the US in November 2024.
- Leonidas Varagiannis (aka War), 21, and Prasan Nepal (aka Trippy), 20, the two alleged leaders of a child extortion group 764 have been arrested and charged with directing and distributing child sexual abuse material (CSAM). The two men are accused of exploiting at least eight minor victims.
- Richard Anthony Reyna Densmore, another member of 764, was sentenced to 30 years in the U.S. in November 2024 for sexually exploiting a child. Members of 764 are affiliated with The Com, a disparate collection of loosely associated groups that commit financially motivated, sexual, and violent crimes. It also includes Scattered Spider.
- The U.S. Treasury Department’s Financial Crimes Enforcement Network (FinCEN) designated Cambodia-based conglomerate HuiOne Group as an “institution of primary money laundering concern” for Southeast Asian transnational cybercrime gangs by facilitating romance baiting scams and for serving as a critical node for laundering proceeds of cyber heists carried out by the Democratic People’s Republic of Korea (DPRK). HuiOne Pay’s banking license was revoked in March 2025 by the National Bank of Cambodia.
Ransomware Attacks Surge as Payoffs Dwindle
The developments come as ransomware continues to be an enduring threat, albeit increasingly fragmented and volatile, as sustained law enforcement actions are causing major shifts in observed tactics. This includes the growing frequency of encryption-less attacks and the trend of cybercriminals moving away from traditional hierarchical groups in favor of a lone-wolf approach.
“Ransomware operations are becoming increasingly decentralized, with a growing number of former affiliates choosing to operate independently rather than remain tied to established groups,” Halcyon said.
“This shift is being driven by several factors, including increased law enforcement coordination, successful takedowns of major ransomware infrastructure, and a broader push by actors to avoid attribution through brand rotation or unbranded campaigns.”
Data compiled by Verizon shows that 44% of all analyzed breaches in 2024 involved the use of a ransomware strain, up from 32% in 2023. But there is good news: More victims than ever are refusing to pay ransoms and fewer organizations are willing to pay the ransom demanded.
“For the calendar year 2024, the median ransom paid comes up as $115,000, which is a decrease from $150,000 in the previous year,” Verizon said in its 2025 Data Breach Investigations Report (DBIR). “64% of the victim organizations did not pay the ransoms, which was up from 50% two years ago.”
According to Coveware, the average ransom payment for the first quarter of 2025 was $552,777, a 0.2% decrease from the previous quarter. The media ransom payment, in contrast, climbed 80% by $200,000.
“The rate of companies that opted to pay a ransom, either to procure decryption keys or to suppress a threat actor from posting the breached data on their leak site, rose slightly in Q1 2025,” the company said.
The ransomware payment resolution rate for the period has been tallied at 27%, down from 85% in Q1 2019, 73% in Q1 2020, 56% in Q1 2021, 46% in Q1 2022, 45% in Q1 2023, and 28% in Q1 2024.
“While attacks are assuredly still occurring and new groups continue to spin up each month, the well-oiled ransomware machine that early RaaS groups built is plagued with complications that seem unlikely to resolve,” it added.
Despite these setbacks, ransomware shows no sign of stopping anytime soon, with Q1 2025 witnessing 2,289 reported incidents, a 126% increase compared to Q1 2024, per Check Point. Ransomware attacks, however, have witnessed a 32% drop month-over-month in March 2025, with a total of 600 claimed incidents.
North America and Europe accounted for more than 80% of the cases. Consumer goods and services, business services, industrial manufacturing, healthcare, and construction and engineering were the sectors the most targeted by ransomware.
“Ransomware incident volumes are reaching unprecedented levels,” Dr. Darren Williams, Founder and CEO of BlackFog, said. “This presents ongoing challenges for organisations dealing with attackers focused on disruption, data theft, and extortion. Different groups will emerge and disband, but they all focus on the same end goal, data exfiltration.”
