US Indicts Black Kingdom Ransomware Admin for Microsoft Exchange Attacks

Summary:
The U.S. Department of Justice has indicted Rami Khaled Ahmed, a 36-year-old Yemeni national, for developing and operating the 'Black Kingdom' ransomware, which was used in approximately 1,500 cyberattacks on vulnerable Microsoft Exchange servers in the U.S. and internationally. According to court documents, Ahmed operated the ransomware campaign between March 2021 and June 2023, targeting a range of organizations including a medical billing services provider in Encino, California, a ski resort in Oregon, a school district in Pennsylvania, and a health clinic in Wisconsin. The ransomware encrypted victims’ files and left a ransom note demanding $10,000 in Bitcoin to a wallet controlled by a co-conspirator, instructing victims to send proof of payment to a Black Kingdom email address.


Black Kingdom gained initial access by exploiting ProxyLogon, a set of critical Microsoft Exchange Server vulnerabilities that were exploited as zero-days before Microsoft patched them on March 2, 2021. The flaws are CVE-2021-26855 (a pre-authentication server-side request forgery used for initial access), CVE-2021-26857 (an insecure deserialization bug in the Unified Messaging service that yields code execution as SYSTEM), and CVE-2021-26858 and CVE-2021-27065 (post-authentication arbitrary file writes which, chained with the SSRF, let the attacker drop web shells). Chained together, the bugs allowed an exposed server to be compromised without any user interaction. Security researcher Marcus Hutchins was among the first to observe Black Kingdom actors using these vulnerabilities to deploy web shells on compromised Exchange servers. Microsoft later confirmed that the malware was used to compromise at least 1,500 servers globally.
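As an added example (not code from the article, from the DOJ or from Microsoft), the following Python scanner reads Exchange HttpProxy logs and flags the CVE-2021-26855 indicator Microsoft published in its March 2021 HAFNIUM guidance: a request with an empty AuthenticatedUser whose AnchorMailbox matches the pattern ServerInfo~*/*. The sample log lines are constructed for this example and use a reduced set of the real column names; real HttpProxy logs (under the Exchange install's Logging\HttpProxy directory) carry many more columns, but the parser takes its column names from the #Fields: header line, so it works on either.

```python
import csv
import fnmatch
import sys

# Microsoft's published CVE-2021-26855 indicator: an unauthenticated request whose
# AnchorMailbox field looks like "ServerInfo~<host>/<path>".
PROXYLOGON_ANCHOR_PATTERN = "ServerInfo~*/*"

# Constructed sample in the shape of an Exchange HttpProxy log. Only a handful of the
# real columns are included; the AnchorMailbox values are illustrative, not captured data.
SAMPLE_HTTPPROXY_LOG = """#Software: Microsoft Exchange Server
#Fields: DateTime,UrlStem,AuthenticatedUser,AnchorMailbox,ClientIpAddress,HttpStatus
2021-03-04T10:15:01.000Z,/owa/auth/logon.aspx,,,203.0.113.10,200
2021-03-04T10:15:09.000Z,/owa/auth/x.js,,ServerInfo~localhost/autodiscover/autodiscover.xml?#,203.0.113.10,200
2021-03-04T10:16:44.000Z,/ecp/y.js,,ServerInfo~a]@exchange.example.internal:444/autodiscover/autodiscover.xml?#,203.0.113.10,200
2021-03-04T10:20:00.000Z,/mapi/emsmdb/,EXAMPLE\\alice,alice@example.com,198.51.100.7,200
"""


def parse_httpproxy_log(text):
    """Yield one dict per log record, keyed by the names in the '#Fields:' header."""
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            # Directive lines; only '#Fields:' matters to us.
            if line.startswith("#Fields:"):
                fields = [f.strip() for f in line[len("#Fields:"):].split(",")]
            continue
        if fields is None:
            raise ValueError("log record appeared before a #Fields: header")
        values = next(csv.reader([line]))
        yield dict(zip(fields, values))


def is_proxylogon_ssrf(record):
    """True if the record matches the unauthenticated ServerInfo~*/* indicator."""
    unauthenticated = record.get("AuthenticatedUser", "") == ""
    anchor = record.get("AnchorMailbox", "")
    return unauthenticated and fnmatch.fnmatchcase(anchor, PROXYLOGON_ANCHOR_PATTERN)


def find_proxylogon_ssrf(records):
    """Return the matching records, reduced to the fields an analyst needs for triage."""
    hits = []
    for r in records:
        if is_proxylogon_ssrf(r):
            hits.append({
                "DateTime": r.get("DateTime", ""),
                "ClientIpAddress": r.get("ClientIpAddress", ""),
                "UrlStem": r.get("UrlStem", ""),
                "AnchorMailbox": r.get("AnchorMailbox", ""),
            })
    return hits


def scan_text(text):
    """Scan one log file's contents; returns hits and a per-source-IP count."""
    hits = find_proxylogon_ssrf(parse_httpproxy_log(text))
    by_ip = {}
    for h in hits:
        by_ip[h["ClientIpAddress"]] = by_ip.get(h["ClientIpAddress"], 0) + 1
    return hits, by_ip


if __name__ == "__main__":
    # Usage: python proxylogon_scan.py [HttpProxy log file ...]; with no arguments the
    # constructed sample is scanned.
    if len(sys.argv) > 1:
        text = "".join(open(p, encoding="utf-8", errors="replace").read() for p in sys.argv[1:])
    else:
        text = SAMPLE_HTTPPROXY_LOG
    found, counts = scan_text(text)
    for h in found:
        print(f'{h["DateTime"]} {h["ClientIpAddress"]} {h["UrlStem"]} {h["AnchorMailbox"]}')
    for ip, n in sorted(counts.items()):
        print(f"{ip}: {n} suspicious request(s)")
```

A match is evidence of exploitation attempts, not proof of compromise; the follow-up is to look for web shells in the IIS and Exchange web roots and for child processes spawned by w3wp.exe around the matching timestamps.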


Ahmed is charged with one count of conspiracy, one count of intentional damage to a protected computer, and one count of threatening to damage a protected computer. Each count carries a maximum penalty of five years in federal prison, for a total of up to 15 years if he is convicted on all three. The indictment also indicates that Ahmed worked with accomplices and maintained the infrastructure used to manage payments and payloads. U.S. authorities believe he currently resides in Yemen, which poses challenges for extradition.


Security Officer Comments:
Before the Exchange campaign, Black Kingdom was observed exploiting CVE-2019-11510, a critical pre-authentication path traversal and arbitrary file read flaw in Pulse Secure VPN appliances that lets attackers read files containing credentials, gain access to enterprise networks, and deploy ransomware. Moving from one widely exposed perimeter product to another shows how the group adapted Black Kingdom to whichever high-profile vulnerability in enterprise platforms was being mass-exploited at the time.


Link(s):
https://www.bleepingcomputer.com/ne...somware-admin-for-microsoft-exchange-attacks/