Bl00dy

Threat Actor Profile Updated a month ago
Download STIX
Preview STIX
Bl00dy is a threat actor known for its malicious activities in the cyber world. The group, along with another threat actor called Black Basta, have recently been identified as exploiting bugs in ConnectWise ScreenConnect, a popular remote management tool. This exploitation has led to a significant increase in ransomware attacks, causing severe disruptions and financial losses to businesses that rely on this software. The exploitation of these recent ConnectWise ScreenConnect vulnerabilities allows the threat actors to gain unauthorized access to systems, encrypt data, and demand ransom from victims. The technique used by these groups demonstrates their ability to quickly adapt to new vulnerabilities and exploit them for their gain. This incident underscores the importance of timely patching and updating of all software components to prevent such breaches. The cybersecurity industry is actively monitoring these threat actors and working towards mitigation strategies. However, the speed and sophistication with which Bl00dy and Black Basta operate pose significant challenges. It is recommended that organizations using ConnectWise ScreenConnect apply all available patches immediately and consider additional security measures to protect against such threats.
What's your take? (Question 1 of 5)
Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
IDVotesProfile Description
Conti
3
Conti is a type of malware, specifically ransomware, known for its ability to disrupt operations, steal personal information, and hold data hostage for ransom. The malicious software infiltrates systems via suspicious downloads, emails, or websites, often unbeknownst to the user. It has been used in
The Bl00dy Ransomware Gang
2
The Bl00dy ransomware gang, a threat actor that began operations in May 2022, is known for its malicious activities, which include exploiting vulnerabilities and using double extortion techniques against targeted organizations. This group has been observed to leverage the ScreenConnect Remote Code E
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Ransomware
Ransom
Exploit
Vulnerability
Fbi
Screenconnect
Papercut
exploited
Malware
Cobalt Strike
CISA
Source
exploitation
ConnectWise
Extortion
Encrypt
Ransomware P...
Remote Code ...
Encryption
State Sponso...
Remote Code ...
Rmm
Cybercrime
Remote-Code ...
Associated Malware
To see the evidence that has resulted in this association, create a free account
IDTypeVotesProfile Description
LockbitUnspecified
5
LockBit is a type of malware, specifically ransomware, that infiltrates systems to exploit and damage them. It can enter your system through various channels such as suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it can steal personal information, disrupt
Black BastaUnspecified
5
Black Basta is a notorious malware entity known for its devastating ransomware attacks. First emerging in June 2022, the group has since been associated with a series of high-profile cyber-attacks worldwide. This malware, like others, infiltrates systems through suspicious downloads, emails, or webs
BuhtiUnspecified
2
Buhti is a malicious software, or malware, that was first highlighted by Palo Alto Networks Unit 42 in February 2023. It is a Golang ransomware targeting Linux systems. The Buhti ransomware operation was further detailed by Symantec’s Threat Hunter Team in May of the same year. Its payload included
HiveUnspecified
2
Hive is a malicious software, or malware, that infiltrates systems to exploit and damage them. This malware has been associated with Volt Typhoon, who exfiltrated NTDS.dit and SYSTEM registry hive to crack passwords offline. The Hive operation was primarily involved in port scanning, credential thef
TruebotUnspecified
2
Truebot is a highly potent malware used by the threat actor group CL0P, which has been linked to various malicious activities aimed at exploiting and damaging computer systems. It can infiltrate systems through suspicious downloads, emails, or websites, often unbeknownst to the user. Once embedded,
Lockbit BlackUnspecified
2
LockBit Black, also known as LockBit 3.0, is a malware that emerged in early 2022, following the release of its predecessor, LockBit 2.0 (or LockBit Red) in mid-2021. This malicious software, designed to exploit and damage computer systems, encrypts files and often holds them hostage for ransom. The
DiceloaderUnspecified
1
Diceloader is a type of malware, short for malicious software, that is designed to infiltrate and damage computer systems. It can infect systems through various means such as suspicious downloads, emails, or websites, often without the user's knowledge. Once inside a system, it can steal personal in
BlackbastaUnspecified
1
BlackBasta is a malicious software (malware) known for its disruptive and damaging effects on computer systems. It infiltrates systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it can steal personal information, disrupt operations, or even ho
XwormUnspecified
1
XWorm is a multi-functional malware that provides threat actors with remote access capabilities, has the potential to spread across networks, exfiltrate sensitive data, and download additional payloads. It was observed exploiting ScreenConnect vulnerabilities, a client software used for remote syste
Associated Threat Actors
To see the evidence that has resulted in this association, create a free account
IDTypeVotesProfile Description
BlackmatterUnspecified
2
BlackMatter is a recognized threat actor in the cybersecurity industry, notorious for its malicious activities and the execution of ransomware attacks. The group initially operated as DarkSide, responsible for the high-profile Colonial Pipeline attack in May 2021, which led to significant attention
Hunters InternationalUnspecified
2
Hunters International, a threat actor group in the cybersecurity realm, has recently gained notoriety for its malicious activities. The group is believed to have taken over Hive Ransomware, a notorious malware used for cyberattacks, after Hive's takedown in 2023. Despite disputes from Hunters Intern
Lazarus GroupUnspecified
1
The Lazarus Group, a notorious threat actor believed to be linked to North Korea, has been attributed with a series of significant cyber-attacks over the past few years. The group's malicious activities include the exploitation of digital infrastructure, stealing cryptocurrency, and executing large-
FrankensteinUnspecified
1
Frankenstein, also known as TA402, Molerats, and Gaza Cybergang, is a threat actor identified by Proofpoint researchers. Active for over a decade, this Middle Eastern advanced persistent threat (APT) group has historically operated in the interests of the Palestinian Territories. In mid-2023, Franke
Apt43Unspecified
1
APT43, also known as Kimsuky, is a North Korean state-sponsored advanced persistent threat (APT) group that has been actively involved in cybercrime and espionage. The group has been implicated in a series of attacks exploiting vulnerabilities, which have drawn the attention of various cybersecurity
KimsukyUnspecified
1
Kimsuky is a North Korea-linked advanced persistent threat (APT) group that conducts global cyber-attacks to gather intelligence for the North Korean government. The group has been identified as a significant threat actor, executing actions with malicious intent, and has recently targeted victims vi
Associated Vulnerabilities
To see the evidence that has resulted in this association, create a free account
IDTypeVotesProfile Description
CVE-2023-27350Unspecified
4
CVE-2023-27350 is a significant software vulnerability discovered in PaperCut NG/MF, a popular print management software. This flaw in software design or implementation allows attackers to bypass authentication and execute code with system privileges, posing a serious threat to both server and inter
CVE-2024-1709Unspecified
3
CVE-2024-1709 is a critical vulnerability in the ConnectWise ScreenConnect software that allows for an authentication bypass. This flaw can enable a remote non-authenticated attacker to bypass the system's authentication process and gain full access. The issue was identified by Sophos Rapid Response
CVE-2024-1708Unspecified
2
CVE-2024-1708 is a high-severity software vulnerability found in ConnectWise's ScreenConnect software, specifically targeting versions 23.9.7 and earlier. The flaw was officially disclosed by ConnectWise on February 19, 2024. This vulnerability, alongside another (CVE-2024-1709), presents significan
Source Document References
Information about the Bl00dy Threat Actor was read from the documents corpus below. This display is limited to 20 results, create a free account to see more
SourceCreatedAtTitle
Securityaffairs
5 days ago
Security Affairs Malware Newsletter - Round 3
Securityaffairs
5 days ago
Security Affairs Malware Newsletter - Round 3
Securityaffairs
12 days ago
Security Affairs Malware Newsletter - Round 2
Securityaffairs
19 days ago
Security Affairs Malware Newsletter - Round 1
Securityaffairs
a month ago
Security Affairs newsletter Round 478 by Pierluigi Paganini – INTERNATIONAL EDITION
Securityaffairs
a month ago
Security Affairs newsletter Round 477 by Pierluigi Paganini – INTERNATIONAL EDITION
Securityaffairs
a month ago
Security Affairs newsletter Round 476 by Pierluigi Paganini – INTERNATIONAL EDITION
Securityaffairs
2 months ago
Security Affairs newsletter Round 473 by Pierluigi Paganini – INTERNATIONAL EDITION
Securityaffairs
3 months ago
Security Affairs newsletter Round 470 by Pierluigi Paganini – INTERNATIONAL EDITION
Securityaffairs
3 months ago
Security Affairs newsletter Round 469 by Pierluigi Paganini – INTERNATIONAL EDITION
Securityaffairs
3 months ago
Security Affairs newsletter Round 467 by Pierluigi Paganini – INTERNATIONAL EDITION
Securityaffairs
4 months ago
Security Affairs newsletter Round 466 by Pierluigi Paganini
Securityaffairs
4 months ago
Security Affairs newsletter Round 465 by Pierluigi Paganini
Securityaffairs
4 months ago
Security Affairs newsletter Round 464 by Pierluigi Paganini
Securityaffairs
4 months ago
Security Affairs newsletter Round 463 by Pierluigi Paganini
CERT-EU
4 months ago
GRIT Ransomware Report: February 2024 | #ransomware | #cybercrime | National Cyber Security Consulting
Malwarebytes
4 months ago
Ransomware review: January 2024
CERT-EU
5 months ago
Alert: FBI Warns Of BlackCat Ransomware Healthcare Attack
Securityaffairs
5 months ago
Security Affairs newsletter Round 462 by Pierluigi Paganini
CERT-EU
5 months ago
ConnectWise ScreenConnect Subdomain Listed as IoC in CISA's BlackCat Ransomware Advisory