Bl00dy

Threat Actor Profile, updated 3 days ago
Bl00dy is a ransomware gang, active since May 2022, whose intrusions begin by exploiting recently disclosed vulnerabilities in internet-facing software and end in double extortion. Two campaigns define the profile. In 2023 the FBI and CISA warned that Bl00dy was exploiting CVE-2023-27350, an authentication bypass in the PaperCut NG/MF print-management software that yields code execution with SYSTEM privileges, against education-sector organisations. In February 2024 Bl00dy and Black Basta were observed exploiting two ConnectWise ScreenConnect flaws disclosed on February 19, 2024: CVE-2024-1709, a critical authentication bypass that gives an unauthenticated remote attacker full administrative access to the ScreenConnect server, and CVE-2024-1708, a high-severity path-traversal bug affecting versions 23.9.7 and earlier. Reporting on the same wave also identified the North Korean group Kimsuky (tracked by Mandiant as APT43) among the exploiters. Because ScreenConnect is remote-support software, a compromised server hands the attacker remote control of the endpoints enrolled with it, not just the server itself.

Bl00dy is not known for an encryptor of its own: it has been reported deploying payloads built with the leaked LockBit 3.0 (LockBit Black) builder, so a Bl00dy intrusion can be mistaken for LockBit from the binary alone, and attribution should rest on the intrusion chain rather than on the ransomware sample. The practical lessons are the usual ones for edge-facing software. Patch ScreenConnect to 23.9.8 or later and PaperCut to a fixed release as soon as the fixes ship, since both sets of bugs were exploited soon after disclosure. Patching does not evict an attacker who got in first, so servers that sat exposed while unpatched need a compromise assessment, and neither product should be reachable from the internet without an additional control in front of it.
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so here are some possibly overlapping names and profiles you may also want to look at.

Conti (3 votes): Conti is a type of malware, specifically ransomware, that infiltrates systems to exploit and damage them, often stealing personal information or disrupting operations. This malicious software has been used in conjunction with other forms of malware such as Trickbot, BazarLoader, IcedID, and Cobalt S

The Bl00dy Ransomware Gang (2 votes): The Bl00dy ransomware gang, a threat actor that began operations in May 2022, is known for its malicious activities, which include exploiting vulnerabilities and using double extortion techniques against targeted organizations. This group has been observed to leverage the ScreenConnect Remote Code E
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance:

Ransomware, Exploit, Ransom, ScreenConnect, FBI, Vulnerability, PaperCut, Malware, Cobalt Strike, CISA, exploited, exploitation
Associated Malware
LockBit (type unspecified, 5 votes): LockBit is a malicious software, or malware, that has been significantly active in recent years. It is designed to infiltrate systems and cause significant damage by stealing sensitive information, disrupting operations, and holding data hostage for ransom. In 2023, security firm Rapid7 named LockBi

Black Basta (type unspecified, 5 votes): Black Basta is a malicious software (malware) known for its disruptive activities in the cyber world. This Russian-speaking ransomware-as-a-service group has been operational since early 2022, with an estimated accumulation of at least $107 million in Bitcoin ransom payments. The malware primarily i

Buhti (type unspecified, 2 votes): Buhti is a malicious software, or malware, that was first highlighted by Palo Alto Networks Unit 42 in February 2023. It is a Golang ransomware targeting Linux systems. The Buhti ransomware operation was further detailed by Symantec's Threat Hunter Team in May of the same year. Its payload included

Hive (type unspecified, 2 votes): Hive is a malicious software, or malware, known for its disruptive capabilities and widespread damage. It infiltrates systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it can steal personal information, disrupt operations, or even hold data h

LockBit Black (type unspecified, 2 votes): LockBit Black, also known as LockBit 3.0, is a malware that emerged in early 2022 as the third version of the LockBit group's ransomware. The developer has consistently worked to improve this malicious software, with the previous version, LockBit 2.0 (also known as LockBit Red), being released in mi

Truebot (type unspecified, 2 votes): Truebot is a highly potent malware used by the threat actor group CL0P, which has been linked to various malicious activities aimed at exploiting and damaging computer systems. It can infiltrate systems through suspicious downloads, emails, or websites, often unbeknownst to the user. Once embedded,
Associated Threat Actors
BlackMatter (type unspecified, 2 votes): BlackMatter, a threat actor known for its malicious activities in the cybersecurity landscape, emerged as a variant of the notorious "DarkSide" ransomware. In May 2021, after launching an attack on Colonial Pipeline, the group rebranded itself from DarkSide to BlackMatter. However, due to increased

Hunters International (type unspecified, 2 votes): Hunters International, a threat actor group in the cybersecurity realm, has recently gained notoriety for its malicious activities. The group is believed to have taken over Hive Ransomware, a notorious malware used for cyberattacks, after Hive's takedown in 2023. Despite disputes from Hunters Intern
Associated Vulnerabilities
CVE-2023-27350 (type unspecified, 4 votes): CVE-2023-27350 is a significant software vulnerability discovered in PaperCut NG/MF, a popular print management software. This flaw in software design or implementation allows attackers to bypass authentication and execute code with system privileges, posing a serious threat to both server and inter

CVE-2024-1709 (type unspecified, 3 votes): CVE-2024-1709 is a critical vulnerability in the ConnectWise ScreenConnect software that allows for an authentication bypass. This flaw can enable a remote non-authenticated attacker to bypass the system's authentication process and gain full access. The issue was identified by Sophos Rapid Response

CVE-2024-1708 (type unspecified, 2 votes): CVE-2024-1708 is a high-severity software vulnerability found in ConnectWise's ScreenConnect software, specifically targeting versions 23.9.7 and earlier. The flaw was officially disclosed by ConnectWise on February 19, 2024. This vulnerability, alongside another (CVE-2024-1709), presents significan
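Two checks a defender would run against the ScreenConnect entries above, as an added example that is not code from Cybergeist, ConnectWise or any of the cited reports: a comparison of the installed ScreenConnect version against the first fixed build, and a scan of web-server access-log lines for the publicly reported CVE-2024-1709 bypass pattern, a request for SetupWizard.aspx with an extra path component appended (a bare SetupWizard.aspx request is legitimate on a server that has not completed setup). The fixed-version constant 23.9.8 reflects ConnectWise's patch level for these CVEs; the log format, IP addresses and log lines are constructed for the example.

```python
"""Version and access-log checks for the ScreenConnect flaws (CVE-2024-1708/1709).

Added example, not vendor or Cybergeist code. Assumptions: 23.9.8 is the first
fixed build, and the bypass leaves a request for /SetupWizard.aspx/<anything>
in the access log. The sample log below is constructed.
"""
import re
from typing import List, Tuple

# CVE-2024-1708/1709 affect 23.9.7 and earlier; 23.9.8 is the first fixed build (assumption).
FIXED_VERSION = (23, 9, 8)

# Request-line parser for combined-format access logs (matches the constructed sample).
REQUEST_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) HTTP/'
)
# Anything after "SetupWizard.aspx/" is the bypass pattern; "/SetupWizard.aspx" alone is not.
BYPASS_RE = re.compile(r"^/SetupWizard\.aspx/", re.IGNORECASE)


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '23.9.7.8804' into (23, 9, 7); build numbers past the third field are ignored."""
    nums = []
    for field in version.strip().split(".")[:3]:
        m = re.match(r"\d+", field)
        if not m:
            raise ValueError(f"unparseable version: {version!r}")
        nums.append(int(m.group()))
    while len(nums) < 3:
        nums.append(0)
    return tuple(nums)


def is_vulnerable(version: str) -> bool:
    """True when the installed build predates the fixed build."""
    return parse_version(version) < FIXED_VERSION


def suspicious_requests(log_lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (source IP, method, path) for every request matching the bypass pattern."""
    hits = []
    for line in log_lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a request line in the expected format; skip rather than fail
        path = m.group("path").split("?", 1)[0]  # drop the query string before matching
        if BYPASS_RE.match(path):
            hits.append((m.group("src"), m.group("method"), path))
    return hits


# Constructed sample log; the addresses are documentation ranges, not real attackers.
SAMPLE_LOG = """\
10.0.0.5 - - [21/Feb/2024:09:58:02 +0000] "GET /Login HTTP/1.1" 200 4120
203.0.113.7 - - [21/Feb/2024:10:03:11 +0000] "GET /SetupWizard.aspx/ HTTP/1.1" 200 5123
203.0.113.7 - - [21/Feb/2024:10:03:12 +0000] "POST /SetupWizard.aspx/x?foo=1 HTTP/1.1" 200 310
192.0.2.9 - - [21/Feb/2024:10:05:40 +0000] "GET /SetupWizard.aspx HTTP/1.1" 200 5123
garbage line that is not a request
"""


def triage(version: str, log_lines: List[str]) -> dict:
    """Combine both checks into one verdict for a single server.

    A bypass attempt in the log outranks the version check: a patched server
    that shows attempts before the patch date still needs investigation.
    """
    hits = suspicious_requests(log_lines)
    if hits:
        action = "isolate and investigate"
    elif is_vulnerable(version):
        action = "patch to 23.9.8 or later"
    else:
        action = "none"
    return {
        "version": version,
        "vulnerable_version": is_vulnerable(version),
        "bypass_attempts": hits,
        "action": action,
    }


if __name__ == "__main__":
    print(triage("23.9.7.8804", SAMPLE_LOG.splitlines()))
```

The log check is deliberately independent of the version check: a server patched on February 22 can still carry bypass requests from February 20 in its logs, and those are the ones that matter for a compromise assessment.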
Source Document References
Information about the Bl00dy Threat Actor was read from the documents corpus below (display limited to 20 results).

CERT-EU, a year ago: Bl00dy ransomware gang strikes education sector with PaperCut attacks
Securityaffairs, a year ago: Bl00dy Ransomware Gang actively targets the education sector
Trend Micro, 3 months ago: Threat Actor Groups, Including Black Basta, are Exploiting Recent ScreenConnect Vulnerabilities
InfoSecurity-magazine, a year ago: PaperCut Software Flaw Sparks Ransomware Attacks, CISA Warns
CERT-EU, 3 months ago: Ransomware Gangs Seen Exploiting ScreenConnect Vulnerability
Securityaffairs, 3 months ago: Black Basta and Bl00dy ransomware gangs exploit recent ConnectWise ScreenConnect bugs
CERT-EU, 3 months ago: The Week in Ransomware - March 1st 2024 - Healthcare under siege
CERT-EU, a year ago: Anomali Cyber Watch: Lancefly APT Adopts Alternatives to Phishing, BPFdoor Removed Hardcoded Indicators, FBI Ordered Russian Malware to Self-Destruct
CERT-EU, a year ago: Bl00dy Ransomware Gang Strikes Education Sector with Critical PaperCut Vulnerability - GIXtools
CERT-EU, 3 months ago: Black Basta, Bl00dy ransomware gangs join ScreenConnect attacks
CERT-EU, a year ago: SafeBreach Coverage for US-CERT Alert (AA23-131A) – Exploit CVE-2023-27350 in PaperCut MF and NG
CERT-EU, a year ago: Buhti Ransomware Gang Switches Tactics, Utilizes Leaked LockBit and Babuk Code
CERT-EU, a year ago: FBI-CISA warn critical PaperCut vulnerability being exploited against education sector
CERT-EU, 9 months ago: Leaked LockBit 3.0 ransomware builder used by multiple actors
Securityaffairs, a month ago: Security Affairs newsletter Round 469 by Pierluigi Paganini – INTERNATIONAL EDITION
Securityaffairs, 3 days ago: Security Affairs newsletter Round 473 by Pierluigi Paganini – INTERNATIONAL EDITION
Securityaffairs, 3 months ago: Security Affairs newsletter Round 461 by Pierluigi Paganini
Securelist, 6 months ago: Kaspersky malware report for Q3 2023
Securityaffairs, 2 months ago: Security Affairs newsletter Round 466 by Pierluigi Paganini
CERT-EU, a year ago: Cyber security week in review: May 19, 2023