The Bl00dy Ransomware Gang

Threat Actor updated 4 months ago (2024-05-04T20:59:26.478Z)
The Bl00dy ransomware gang, a threat actor that began operations in May 2022, is known for exploiting vulnerabilities and using double extortion techniques against targeted organizations. Alongside other groups such as Black Basta, it has been observed exploiting the ConnectWise ScreenConnect Remote Code Execution (RCE) vulnerability. It has also deployed payloads built with the leaked Conti and LockBit Black builders; its use of the LockBit ransomware builder in particular has drawn increased attention from U.S. government agencies.

In early 2023, the Bl00dy ransomware gang escalated its activities by exploiting a remote code execution vulnerability in the PaperCut MF and NG print server software products. The vulnerability had been reported to the developers in January, but the gang took advantage of it in March and April. The education facilities sub-sector was particularly impacted by these attacks. According to the FBI, the Bl00dy Ransomware Gang gained access to victim networks across this sector where vulnerable PaperCut servers were exposed to the internet. Notably, the Education Facilities subsector accounts for nearly 68% of all internet-exposed PaperCut servers, though not all of them are vulnerable.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have issued warnings about the Bl00dy ransomware gang's activities, highlighting the group's exploitation of the recently patched PaperCut vulnerability in attacks on organizations in the education sector. The Bl00dy Ransomware Gang's actions pose a significant threat, especially within the education sector, which has been a primary target of its attacks.
Description last updated: 2024-05-04T19:26:57.023Z
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID: Bl00dy
Votes: 2
Profile Description: Bl00dy is a threat actor known for its malicious activities in the cyber world. The group, along with another threat actor called Black Basta, have recently been identified as exploiting bugs in ConnectWise ScreenConnect, a popular remote management tool. This exploitation has led to a significant i
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Ransomware
Source Document References
Information about the Bl00dy Ransomware Gang threat actor was read from the document corpus below. This display is limited to 20 results.
Source | Created | Title
CERT-EU | 6 months ago | Cybercrime on Main Street – Sophos News | #cybercrime | #infosec | National Cyber Security Consulting
CERT-EU | 6 months ago | Cybercrime on Main Street – Sophos News | #cybercrime | #computerhacker - Am I Hacker Proof
CERT-EU | 6 months ago | The Week in Ransomware - March 1st 2024 - Healthcare under siege
CERT-EU | 6 months ago | Black Basta, Bl00dy ransomware gangs join ScreenConnect attacks
CERT-EU | a year ago | Buhti Ransomware Gang Switches Tactics, Utilizes Leaked LockBit and Babuk Code
CERT-EU | a year ago | Bl00dy ransomware gang strikes education sector with PaperCut attacks
CERT-EU | a year ago | Bl00dy Ransomware Gang Strikes Education Sector with Critical PaperCut Vulnerability - GIXtools
Securityaffairs | a year ago | Bl00dy Ransomware Gang actively targets the education sector
CERT-EU | a year ago | Anomali Cyber Watch: Lancefly APT Adopts Alternatives to Phishing, BPFdoor Removed Hardcoded Indicators, FBI Ordered Russian Malware to Self-Destruct
CERT-EU | a year ago | FBI-CISA warn critical PaperCut vulnerability being exploited against education sector
CERT-EU | a year ago | SafeBreach Coverage for US-CERT Alert (AA23-131A) – Exploit CVE-2023-27350 in PaperCut MF and NG
CERT-EU | a year ago | Cyber security week in review: May 19, 2023
CERT-EU | a year ago | CISA and FBI Release Joint Advisory in Response to Active Exploitation of PaperCut Vulnerability – Cyber Security Review
CERT-EU | a year ago | Central Asian governments subjected to DownEx malware attacks
CERT-EU | a year ago | CISA, FBI: Ransomware Gang Exploited PaperCut Flaw Against Education Facilities
CERT-EU | a year ago | Staten Island Hospital operating in network downtime amid ransomware attack