The Bl00dy ransomware gang, a threat actor that began operations in May 2022, is known for exploiting vulnerabilities and using double extortion techniques against targeted organizations. Like other groups such as Black Basta, it has been observed exploiting the ScreenConnect Remote Code Execution (RCE) vulnerability. The gang has also deployed payloads built with the leaked Conti and LockBit Black builders. Its use of the LockBit ransomware builder is one of its most notable activities and has drawn increased attention from U.S. government agencies.
In early 2023, the Bl00dy ransomware gang escalated its activities by exploiting a remote code execution vulnerability in the PaperCut MF and NG print server software products. The vulnerability had been reported to the developers in January, but the gang exploited it in March and April. The Education Facilities subsector was particularly affected by these attacks. According to the FBI, the Bl00dy Ransomware Gang gained access to victim networks across this subsector where vulnerable PaperCut servers were exposed to the internet. Notably, the Education Facilities subsector accounts for nearly 68% of all internet-exposed PaperCut servers, though not all of them are vulnerable.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have issued warnings about the Bl00dy ransomware gang's activities. These agencies highlighted the group's exploitation of the recently patched PaperCut vulnerability in attacks targeting organizations in the education sector. The Bl00dy Ransomware Gang's actions pose a significant threat to cybersecurity, especially within the education sector, which has been a primary target for their attacks.
Description last updated: 2024-05-04T19:26:57.023Z