Home
Blog
News in Brief: Suspect charged over ransomware attacks on healthcare, education, and more

News in Brief: Suspect charged over ransomware attacks on healthcare, education, and more

Paul Ducklin
Paul Ducklin
05/08/2025
Share this article:

The wheels of justice slowly turn

Critics may complain that it feels like “too little, too late,” but international cyberjustice can be a slow and complex matter.

After all, even criminal cases where there are ample witnesses and photographic evidence (such as traffic camera footage with drivers and vehicle tags clearly visible)․․․

․․․even cases of that sort may drag on for months or years, as the wheels of justice slowly turn.

Now imagine that cybercrime victims who are prepared to provide evidence in court are in country X, which wants to prosecute, but the alleged perpetrator is in country Y; the servers they used were in country Z; the service providers who made the various interactions possible are in countries M and N; the malware they used was written by a partner-in-crime from country P but who is now living in country Q.

With X, Y, Z, M, N, P, and Q involved, you’re probably reminded of those inscrutable and intimidating geometry problems you struggled through at school, wondering if you’d ever manage to thread the needle of proof through the myriad circles, lines and angles in the mystifying diagram on the paper in front of you.

Black Kingdom malware

Well, the US Attorney’s Office is at least having a go at a ransomware case that unfolded from 2021 to 2023, involving ransomware known as Black Kingdom that circulated in various guises from at least 2019.

This ransomware exploited various different known-but-often-left-unpatched security holes over the years, such as CVE-2019-11510 (a file-stealing security hole in a popular VPN product), and the double-barreled vulnerability CVE-2021-26855 plus CVE-2021-27065, also known by the nickname ProxyLogon (a remote code execution hole in Microsoft Exchange).

The fact that you can still read a warning about the VPN-based variant of this malware in a 2020 post on the website of the UK’s NHS (National Health Service) is a stark reminder of the wide range of victims that criminals connected with this ransomware family went after.

Indeed, a clinic and a school are explictly mentioned amongst known victims whose brushes with this ransomware are part of the evidence in the charges now being brought in the US.

News in Brief: Suspect charged over ransomware attacks on healthcare, education, and more - SolCyber

The suspect in this case is one Rami Khaled Ahmed, now 36 years old.

He’s named in the indictment, but because he apparently lives in Sanaa in Yemen, the chance of him ever appearing in a US court seems very small indeed.

But he’s been charged anyway, and that’s a start.

The indictment claims that the suspect attempted to infect 1500 potential victims in the US and elsewhere, with at least four known US victims explicitly listed in the charges: “a medical billing services company in Encino, a ski resort in Oregon, a school district in Pennsylvania, and a health clinic in Wisconsin.”

The US Attorney’s press release also notes that “the FBI is investigating this matter with assistance from the New Zealand Police,” by way of a reminder of just how globally convoluted this sort of case, even an apparently straightforward one like this, can become.

Ahmed faces three charges, each “worth” five years is prison, so he could face 15 years if he’s ever brought to trial and convicted.

What to do?

Malware attacks of this sort, which seek out and exploit well-known vulnerabilities, sidestep the need for phishing attacks or other human-on-human social engineering, and therefore don’t draw as much attention to themselves in advance.

So, in four simple words: Patch Early, Patch Often.

You’ll often hear the jocular (but not really funny) term N-day vulnerability used to describe this sort of security hole.

Remember that a zero-day is a bug that was found by attackers before a patch was available, so there were zero days that you could possibly have patched ahead of the crooks.

Understandably, zero-days attract the most media attention and often cause the most fear, although that fear generally subsides once a patch comes out.

But if you don’t apply that patch for a further N days, even though you could have, you are giving attackers what is essentially a “free pass” of N days’ duration during which the bug is still effectively a zero-day for you.

And the longer you leave it, and the larger N gets, the more widely-known the exploit becomes; the better criminals become at scanning and finding unpatched systems on the internet; and the more successful and easier-to-abuse the exploitation tools in circulation become.

Don’t be one of those people who leaves it!


If you’re struggling to stay on top of the demands of finding, fixing and monitoring all the patch-points in your business, why not sign up with SolCyber for a human-centric, human-friendly cybersecurity service that doesn’t just throw AI at the problem and then leave you to work out whether the AI’s reports-added-to-all-the-other-reports are right or wrong?

News in Brief: Suspect charged over ransomware attacks on healthcare, education, and more - SolCyber

SolCyber’s human-to-human cybersecurity will find, inform, fix, and explain the issues to you one-to-one, so you not only know what’s happened, but also how it was dealt with and why, and how you can adapt your business workflow positively to reduce the chance of it happening again.


More About Duck

Paul Ducklin is a respected expert with more than 30 years of experience as a programmer, reverser, researcher and educator in the cybersecurity industry. Duck, as he is known, is also a globally respected writer, presenter and podcaster with an unmatched knack for explaining even the most complex technical issues in plain English. Read, learn, enjoy!

Paul Ducklin
Paul Ducklin
05/08/2025
Share this article:

Table of contents:

The world doesn’t need another traditional MSSP 
or MDR or XDR.

What it requires is practicality and reason.

Related articles

Businesses don’t need more security tools; they need transparent, human-managed cybersecurity and a trusted partner who ensures nothing is hidden.

It’s time to move beyond the inadequacies of current managed services and experience true security management.
No more paying for useless bells and whistles.
No more time wasted on endless security alerts.
No more dealing with poor automated services.
No more services that only detect but don’t respond.
No more breaches caused by all of the above.

Follow us!

Subscribe

Join our newsletter to stay up to date on features and releases.

By subscribing you agree to our Privacy Policy and provide consent to receive updates from our company.

CONTACT
©
2025
SolCyber. All rights reserved
|
Made with
by
Jason Pittock

I am interested in
SolCyber XDR++™

I am interested in
SolCyber MDR++™

I am interested in
SolCyber Extended Coverage™

I am interested in
SolCyber Foundational Coverage™

I am interested in a
Free Demo

11622