The Bl00dy Ransomware Gang

Threat Actor Profile (updated 3 months ago)
The Bl00dy ransomware gang is a threat actor that began operations in May 2022. It is known for exploiting vulnerabilities and for using double-extortion techniques against targeted organizations. The group has been observed exploiting the ScreenConnect remote code execution (RCE) vulnerability, as have other groups such as Black Basta, and it has deployed payloads built with the leaked Conti and LockBit Black builders. Its use of the leaked LockBit ransomware builder is among its most notable activities and has drawn increased attention from U.S. government agencies.

In early 2023 the gang escalated its activities by exploiting a remote code execution vulnerability in the PaperCut MF and NG print server software. The vulnerability had been reported to the developers in January, but the gang exploited it in March and April. The education facilities sub-sector was particularly affected: according to the FBI, the gang gained access to victim networks across this sector where vulnerable PaperCut servers were exposed to the internet. Notably, the education facilities sub-sector accounts for nearly 68% of all internet-exposed PaperCut servers, although not all of them are vulnerable.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have issued warnings about the gang's activities, highlighting its exploitation of the recently patched PaperCut vulnerability in attacks on organizations in the education sector. The Bl00dy ransomware gang therefore poses a significant threat, especially to the education sector, which has been a primary target of its attacks.
Possible Aliases / Cluster overlaps
Cluster overlaps and naming conventions differ between vendors and are hard to track, so the following are possible overlapping names and profiles that may also be relevant.
Bl00dy (2 votes): Bl00dy is a threat actor known for its malicious activities in the cyber world. The group, along with another threat actor called Black Basta, have recently been identified as exploiting bugs in ConnectWise ScreenConnect, a popular remote management tool. This exploitation has led to a significant i
Miscellaneous Associations
Other elements of context that may help in assessing relevance:
Ransomware
Exploit
Remote Code ...
Cybercrime
FBI
Malware
Extortion
CISA
PaperCut
Vulnerability
Associated Malware
Black Basta (type unspecified, 1 vote): Black Basta is a notorious malware entity known for its devastating ransomware attacks. First emerging in June 2022, the group has since been associated with a series of high-profile cyber-attacks worldwide. This malware, like others, infiltrates systems through suspicious downloads, emails, or webs

LockBit (type unspecified, 1 vote): LockBit is a type of malware, specifically ransomware, that infiltrates systems to exploit and damage them. It can enter your system through various channels such as suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it can steal personal information, disrupt

Conti (type unspecified, 1 vote): Conti is a type of malware, specifically ransomware, known for its ability to disrupt operations, steal personal information, and hold data hostage for ransom. The malicious software infiltrates systems via suspicious downloads, emails, or websites, often unbeknownst to the user. It has been used in

LockBit Black (type unspecified, 1 vote): LockBit Black, also known as LockBit 3.0, is a malware that emerged in early 2022, following the release of its predecessor, LockBit 2.0 (or LockBit Red) in mid-2021. This malicious software, designed to exploit and damage computer systems, encrypts files and often holds them hostage for ransom. The
Associated Threat Actors
No associations to display
Associated Vulnerabilities
CVE-2023-27350 (type unspecified, 1 vote): CVE-2023-27350 is a significant software vulnerability discovered in PaperCut NG/MF, a popular print management software. This flaw in software design or implementation allows attackers to bypass authentication and execute code with system privileges, posing a serious threat to both server and inter
Source Document References
Information about the Bl00dy Ransomware Gang threat actor was drawn from the documents listed below (display limited to 20 results).

CERT-EU, 4 months ago: Cybercrime on Main Street – Sophos News | #cybercrime | #infosec | National Cyber Security Consulting
CERT-EU, 4 months ago: Cybercrime on Main Street – Sophos News | #cybercrime | #computerhacker - Am I Hacker Proof
CERT-EU, 5 months ago: The Week in Ransomware - March 1st 2024 - Healthcare under siege
CERT-EU, 5 months ago: Black Basta, Bl00dy ransomware gangs join ScreenConnect attacks
CERT-EU, a year ago: Buhti Ransomware Gang Switches Tactics, Utilizes Leaked LockBit and Babuk Code
CERT-EU, a year ago: Bl00dy ransomware gang strikes education sector with PaperCut attacks
CERT-EU, a year ago: Bl00dy Ransomware Gang Strikes Education Sector with Critical PaperCut Vulnerability - GIXtools
Securityaffairs, a year ago: Bl00dy Ransomware Gang actively targets the education sector
CERT-EU, a year ago: Anomali Cyber Watch: Lancefly APT Adopts Alternatives to Phishing, BPFdoor Removed Hardcoded Indicators, FBI Ordered Russian Malware to Self-Destruct
CERT-EU, a year ago: FBI-CISA warn critical PaperCut vulnerability being exploited against education sector
CERT-EU, a year ago: SafeBreach Coverage for US-CERT Alert (AA23-131A) – Exploit CVE-2023-27350 in PaperCut MF and NG
CERT-EU, a year ago: Cyber security week in review: May 19, 2023
CERT-EU, a year ago: CISA and FBI Release Joint Advisory in Response to Active Exploitation of PaperCut Vulnerability – Cyber Security Review
CERT-EU, a year ago: Central Asian governments subjected to DownEx malware attacks
CERT-EU, a year ago: CISA, FBI: Ransomware Gang Exploited PaperCut Flaw Against Education Facilities
CERT-EU, a year ago: Staten Island Hospital operating in network downtime amid ransomware attack