Bl00dy

Threat Actor updated 5 months ago (2024-06-30T14:38:25.325Z)

Download STIX

Preview STIX

Bl00dy is a threat actor known for its malicious activities in the cyber world. The group, along with another threat actor called Black Basta, have recently been identified as exploiting bugs in ConnectWise ScreenConnect, a popular remote management tool. This exploitation has led to a significant increase in ransomware attacks, causing severe disruptions and financial losses to businesses that rely on this software. The exploitation of these recent ConnectWise ScreenConnect vulnerabilities allows the threat actors to gain unauthorized access to systems, encrypt data, and demand ransom from victims. The technique used by these groups demonstrates their ability to quickly adapt to new vulnerabilities and exploit them for their gain. This incident underscores the importance of timely patching and updating of all software components to prevent such breaches. The cybersecurity industry is actively monitoring these threat actors and working towards mitigation strategies. However, the speed and sophistication with which Bl00dy and Black Basta operate pose significant challenges. It is recommended that organizations using ConnectWise ScreenConnect apply all available patches immediately and consider additional security measures to protect against such threats.

Description last updated: 2024-06-30T13:25:33.880Z

What's your take? (Question 1 of 5)

Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.

Possible Aliases / Cluster overlaps

It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.

Alias Description	Votes
Conti is a possible alias for Bl00dy. Conti is a type of malware, specifically ransomware, that infiltrates systems to exploit and damage them. Often spreading through suspicious downloads, emails, or websites, it can steal personal information, disrupt operations, or hold data hostage for ransom. Notably, Conti was linked to several ra	3
The Bl00dy Ransomware Gang is a possible alias for Bl00dy. The Bl00dy ransomware gang, a threat actor that began operations in May 2022, is known for its malicious activities, which include exploiting vulnerabilities and using double extortion techniques against targeted organizations. This group has been observed to leverage the ScreenConnect Remote Code E	2

Miscellaneous Associations

Other elements of context that could aid in the identification of relevance

Ransomware

Exploit

Ransom

Papercut

Vulnerability

Fbi

Screenconnect

CISA

Source

Malware

Cobalt Strike

exploited

exploitation

Analyst Notes & Discussion

Be the first to leave your mark here! Log in to share your views and vote.

Associated Malware

To see the evidence that has resulted in these malware associations, create a free account

Alias Description	Association Type	Votes
The Black Basta Malware is associated with Bl00dy. Black Basta is a notorious malware group known for its sophisticated ransomware attacks, which have targeted numerous high-profile entities. The group has demonstrated a remarkable ability to adapt their tactics, techniques, and procedures (TTPs), allowing them to effectively evade security defenses	Unspecified	5
The Lockbit Malware is associated with Bl00dy. LockBit is a malicious software, or malware, known for its damaging and exploitative functions. It infiltrates systems via dubious downloads, emails, or websites, often without the user's knowledge, and can steal personal information, disrupt operations, or hold data hostage for ransom. The LockBit	Unspecified	5
The Truebot Malware is associated with Bl00dy. Truebot is a malicious software (malware) utilized by the CL0P actors, designed to exploit and damage computer systems. This malware can infiltrate systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, Truebot serves multiple purposes: it can dow	Unspecified	2
The Buhti Malware is associated with Bl00dy. Buhti is a malicious software, or malware, that was first highlighted by Palo Alto Networks Unit 42 in February 2023. It is a Golang ransomware targeting Linux systems. The Buhti ransomware operation was further detailed by Symantec’s Threat Hunter Team in May of the same year. Its payload included	Unspecified	2
The Hive Malware is associated with Bl00dy. Hive is a form of malware, specifically ransomware, designed to exploit and damage computer systems. It infiltrates systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, Hive can steal personal information, disrupt operations, or hold data hostag	Unspecified	2
The Lockbit Black Malware is associated with Bl00dy. LockBit Black, also known as LockBit 3.0, is a malicious software that emerged in early 2022 following the release of its predecessor, LockBit 2.0 (or LockBit Red) in mid-2021. The malware has been developed to exploit and damage computer systems by encrypting files, often leading to ransom demands	Unspecified	2

Associated Threat Actors

To see the evidence that has resulted in these threatActor associations, create a free account

Alias Description	Association Type	Votes
The Blackmatter Threat Actor is associated with Bl00dy. BlackMatter, a threat actor in the cybersecurity realm, is known for its malicious activities and has been linked to several ransomware strains. The group emerged as a successor to the DarkSide ransomware, which was responsible for the high-profile attack on the Colonial Pipeline in May 2021. Howeve	Unspecified	2
The Hunters International Threat Actor is associated with Bl00dy. Hunters International, an active threat actor group since October of the previous year, has been identified as a significant cybersecurity concern. The group has taken over and rebranded the Hive ransomware, despite their disputes about this association. This development followed the disbandment of	Unspecified	2

Associated Vulnerabilities

To see the evidence that has resulted in these vulnerability associations, create a free account

Alias Description	Association Type	Votes
The CVE-2023-27350 Vulnerability is associated with Bl00dy. CVE-2023-27350 represents a significant software vulnerability in PaperCut MF/NG, identified as an improper access control flaw. This weakness allows attackers to bypass authentication processes, providing them with the ability to execute code with system privileges. The vulnerability was first upda	Unspecified	4
The CVE-2024-1709 Vulnerability is associated with Bl00dy. CVE-2024-1709 is a critical vulnerability in the ConnectWise ScreenConnect software that allows for an authentication bypass. This flaw can enable a remote non-authenticated attacker to bypass the system's authentication process and gain full access. The issue was identified by Sophos Rapid Response	Unspecified	3
The CVE-2024-1708 Vulnerability is associated with Bl00dy. CVE-2024-1708 is a high-severity path traversal vulnerability that was discovered in ConnectWise's ScreenConnect software. This flaw, which affects versions 23.9.7 and earlier, allows a remote privileged user to read arbitrary files on the system using a specially crafted HTTP request. ConnectWise d	Unspecified	2

Source Document References

Information about the Bl00dy Threat Actor was read from the documents corpus below. This display is limited to 20 results, create a free account to see more

Source Link	CreatedAt	Title
Securityaffairs	3 months ago	SECURITY AFFAIRS MALWARE NEWSLETTER – ROUND 6
Securityaffairs	4 months ago	security-affairs-malware-newsletter-round-5
Securityaffairs	4 months ago	Security Affairs Malware Newsletter - Round 3
Securityaffairs	4 months ago	Security Affairs Malware Newsletter - Round 3
Securityaffairs	4 months ago	Security Affairs Malware Newsletter - Round 2
Securityaffairs	4 months ago	Security Affairs Malware Newsletter - Round 1
Securityaffairs	5 months ago	Security Affairs newsletter Round 478 by Pierluigi Paganini – INTERNATIONAL EDITION
Securityaffairs	5 months ago	Security Affairs newsletter Round 477 by Pierluigi Paganini – INTERNATIONAL EDITION
Securityaffairs	5 months ago	Security Affairs newsletter Round 476 by Pierluigi Paganini – INTERNATIONAL EDITION
Securityaffairs	6 months ago	Security Affairs newsletter Round 473 by Pierluigi Paganini – INTERNATIONAL EDITION
Securityaffairs	7 months ago	Security Affairs newsletter Round 470 by Pierluigi Paganini – INTERNATIONAL EDITION
Securityaffairs	7 months ago	Security Affairs newsletter Round 469 by Pierluigi Paganini – INTERNATIONAL EDITION
Securityaffairs	7 months ago	Security Affairs newsletter Round 467 by Pierluigi Paganini – INTERNATIONAL EDITION
Securityaffairs	7 months ago	Security Affairs newsletter Round 466 by Pierluigi Paganini
Securityaffairs	8 months ago	Security Affairs newsletter Round 465 by Pierluigi Paganini
Securityaffairs	8 months ago	Security Affairs newsletter Round 464 by Pierluigi Paganini
Securityaffairs	8 months ago	Security Affairs newsletter Round 463 by Pierluigi Paganini
CERT-EU	8 months ago	GRIT Ransomware Report: February 2024 \| #ransomware \| #cybercrime \| National Cyber Security Consulting
Malwarebytes	8 months ago	Ransomware review: January 2024
CERT-EU	8 months ago	Alert: FBI Warns Of BlackCat Ransomware Healthcare Attack