Bl00dy

Threat Actor updated 4 months ago (2024-06-30T14:38:25.325Z)
Bl00dy is a threat actor known for its ransomware operations. The group, along with another threat actor called Black Basta, has recently been identified as exploiting vulnerabilities in ConnectWise ScreenConnect, a widely used remote management tool. This exploitation has led to a significant increase in ransomware attacks, causing severe disruptions and financial losses to businesses that rely on the software. The recent ConnectWise ScreenConnect vulnerabilities allow the threat actors to gain unauthorized access to systems, encrypt data, and demand ransom from victims. The technique used by these groups demonstrates their ability to adapt quickly to newly disclosed vulnerabilities and exploit them for their gain. This incident underscores the importance of timely patching and updating of all software components to prevent such breaches. The cybersecurity industry is actively monitoring these threat actors and working on mitigation strategies; however, the speed and sophistication with which Bl00dy and Black Basta operate pose significant challenges. Organizations using ConnectWise ScreenConnect should apply all available patches immediately and consider additional security measures to protect against such threats.
Description last updated: 2024-06-30T13:25:33.880Z
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
Alias / Description / Votes
Conti is a possible alias for Bl00dy. Conti is a notorious type of malware, specifically ransomware, that infiltrates computer systems to steal data and disrupt operations. The malicious software often spreads through suspicious downloads, emails, or websites, and once inside, it can hold data hostage for ransom. The Conti ransomware op (Votes: 3)
The Bl00dy Ransomware Gang is a possible alias for Bl00dy. The Bl00dy ransomware gang, a threat actor that began operations in May 2022, is known for its malicious activities, which include exploiting vulnerabilities and using double extortion techniques against targeted organizations. This group has been observed to leverage the ScreenConnect Remote Code E (Votes: 2)
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Ransomware
Exploit
Ransom
PaperCut
Vulnerability
FBI
ScreenConnect
CISA
Source
Malware
Cobalt Strike
exploited
exploitation
Associated Malware
Alias / Description / Association Type / Votes
The Black Basta Malware is associated with Bl00dy. Black Basta is a notorious malware and ransomware group known for its high-profile attacks on various sectors. The group, also known as Storm-0506, has been active since at least early 2022 and has accumulated over $107 million in Bitcoin ransom payments. It deploys malicious software to exploit vul (Association type: Unspecified; Votes: 5)
The Lockbit Malware is associated with Bl00dy. LockBit is a notorious malware that operates on a ransomware-as-a-service model, which has been responsible for significant cyber attacks across the globe. One of its most high-profile targets was Boeing, from whom the LockBit gang claimed to have stolen data. This incident not only disrupted operat (Association type: Unspecified; Votes: 5)
The Truebot Malware is associated with Bl00dy. Truebot is a malicious software (malware) utilized by the CL0P actors, designed to exploit and damage computer systems. This malware can infiltrate systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, Truebot serves multiple purposes: it can dow (Association type: Unspecified; Votes: 2)
The Buhti Malware is associated with Bl00dy. Buhti is a malicious software, or malware, that was first highlighted by Palo Alto Networks Unit 42 in February 2023. It is a Golang ransomware targeting Linux systems. The Buhti ransomware operation was further detailed by Symantec's Threat Hunter Team in May of the same year. Its payload included (Association type: Unspecified; Votes: 2)
The Hive Malware is associated with Bl00dy. Hive is a malicious software (malware) known for its ransomware capabilities, which has been highly active in numerous countries, including the US. This malware infects systems often through suspicious downloads, emails, or websites, disrupting operations and stealing personal information. Notably, (Association type: Unspecified; Votes: 2)
The Lockbit Black Malware is associated with Bl00dy. LockBit Black, also known as LockBit 3.0, is a malicious software that emerged in early 2022 following the release of its predecessor, LockBit 2.0 (or LockBit Red) in mid-2021. The malware has been developed to exploit and damage computer systems by encrypting files, often leading to ransom demands (Association type: Unspecified; Votes: 2)
Associated Threat Actors
Alias / Description / Association Type / Votes
The Blackmatter Threat Actor is associated with Bl00dy. BlackMatter is a recognized threat actor in the cybersecurity industry, notorious for its malicious activities and the execution of ransomware attacks. The group initially operated as DarkSide, responsible for the high-profile Colonial Pipeline attack in May 2021, which led to significant attention (Association type: Unspecified; Votes: 2)
The Hunters International Threat Actor is associated with Bl00dy. Hunters International is a threat actor group believed to be based in Russia, which has gained prominence in the cybersecurity landscape due to its malicious activities. The group is known for executing sophisticated ransomware attacks, leveraging a tool identified as SharpRhino to gain persistence (Association type: Unspecified; Votes: 2)
Associated Vulnerabilities
Alias / Description / Association Type / Votes
The CVE-2023-27350 Vulnerability is associated with Bl00dy. CVE-2023-27350 represents a significant software vulnerability in PaperCut MF/NG, identified as an improper access control flaw. This weakness allows attackers to bypass authentication processes, providing them with the ability to execute code with system privileges. The vulnerability was first upda (Association type: Unspecified; Votes: 4)
The CVE-2024-1709 Vulnerability is associated with Bl00dy. CVE-2024-1709 is a critical vulnerability in the ConnectWise ScreenConnect software that allows for an authentication bypass. This flaw can enable a remote non-authenticated attacker to bypass the system's authentication process and gain full access. The issue was identified by Sophos Rapid Response (Association type: Unspecified; Votes: 3)
The CVE-2024-1708 Vulnerability is associated with Bl00dy. CVE-2024-1708 is a high-severity path traversal vulnerability that was discovered in ConnectWise's ScreenConnect software. This flaw, which affects versions 23.9.7 and earlier, allows a remote privileged user to read arbitrary files on the system using a specially crafted HTTP request. ConnectWise d (Association type: Unspecified; Votes: 2)
Source Document References
Information about the Bl00dy Threat Actor was read from the documents corpus below. This display is limited to 20 results.
Source / Created
Securityaffairs, 2 months ago
Securityaffairs, 2 months ago
Securityaffairs, 3 months ago
Securityaffairs, 3 months ago
Securityaffairs, 3 months ago
Securityaffairs, 3 months ago
Securityaffairs, 4 months ago
Securityaffairs, 4 months ago
Securityaffairs, 4 months ago
Securityaffairs, 5 months ago
Securityaffairs, 5 months ago
Securityaffairs, 6 months ago
Securityaffairs, 6 months ago
Securityaffairs, 6 months ago
Securityaffairs, 7 months ago
Securityaffairs, 7 months ago
Securityaffairs, 7 months ago
CERT-EU, 7 months ago
Malwarebytes, 7 months ago
CERT-EU, 7 months ago