15 May 2023

Bl00dy ransomware gang strikes education sector with PaperCut attacks

The US Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have warned that the Bl00dy ransomware gang is using a recently patched PaperCut vulnerability in attacks targeting organizations in the education sector.

Tracked as CVE-2023-27350, the flaw allows a remote, unauthenticated attacker to bypass the authentication process and execute arbitrary code with SYSTEM privileges. The issue affects PaperCut MF and NG versions 8.0 and later. The vendor addressed it in March 2023 with the release of PaperCut MF and PaperCut NG versions 20.1.7, 21.2.11, and 22.0.9.
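A practical first step for a defender is turning the version facts above into a repeatable check. The helper below is an added example, not PaperCut's or CISA's code: it parses a PaperCut MF/NG version string and reports whether it falls in the affected range using only the figures on this page (affected 8.0 and later; fixed in 20.1.7, 21.2.11 and 22.0.9). Two assumptions are not stated on the page and are marked in the code: releases in the 8.x through 19.x branches have no fixed build listed, so they are treated as needing an upgrade, and any major version above 22 is treated as released after the fix.

```python
"""Version triage for CVE-2023-27350 (PaperCut MF/NG).

Added example based on the version facts in the article; assumptions are
marked inline.
"""
from __future__ import annotations

import re

# First affected release and the fixed release per supported branch, as
# given in the advisory text.
FIRST_AFFECTED = (8, 0, 0)
FIXED_VERSIONS = {
    20: (20, 1, 7),
    21: (21, 2, 11),
    22: (22, 0, 9),
}


def parse_version(text: str) -> tuple[int, int, int]:
    """Turn '21.2.10' (or '21.2') into a comparable (major, minor, patch) tuple."""
    match = re.fullmatch(r"\s*(\d+)\.(\d+)(?:\.(\d+))?\s*", text)
    if not match:
        raise ValueError(f"unrecognised PaperCut version string: {text!r}")
    return tuple(int(part or 0) for part in match.groups())  # type: ignore[return-value]


def is_vulnerable(version: str) -> bool:
    """Return True when the version is inside the affected range for CVE-2023-27350."""
    parsed = parse_version(version)
    if parsed < FIRST_AFFECTED:
        return False
    major = parsed[0]
    if major in FIXED_VERSIONS:
        # Vulnerable when older than the fixed build of the same branch.
        return parsed < FIXED_VERSIONS[major]
    if major > max(FIXED_VERSIONS):
        # Assumption: branches newer than 22.x shipped after the fix.
        return False
    # Assumption: 8.x-19.x have no fixed build listed, so treat as needing upgrade.
    return True


def triage(versions: list[str]) -> dict[str, bool]:
    """Map each inventoried version string to its vulnerable/not-vulnerable verdict."""
    return {v: is_vulnerable(v) for v in versions}


if __name__ == "__main__":
    # Constructed inventory of version strings for a quick demonstration.
    for version, vulnerable in triage(["7.5.0", "19.0.3", "20.1.6", "20.1.7", "21.2.11", "22.0.8"]).items():
        print(f"{version:>8}: {'VULNERABLE' if vulnerable else 'ok'}")
```

Feed it the version strings from your asset inventory; anything reported as vulnerable should be upgraded to the fixed build for its branch and checked for internet exposure.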

Threat actors, including Clop ransomware operators and Iranian government-backed hacker groups, have been targeting vulnerable PaperCut servers since mid-April this year.

“In early May 2023, according to FBI information, the Bl00dy Ransomware Gang gained access to victim networks across the Education Facilities Subsector where PaperCut servers vulnerable to CVE-2023-27350 were exposed to the internet,” the two agencies said, noting that the Education Facilities subsector is responsible for nearly 68% of PaperCut internet-exposed servers, although not all of the servers are vulnerable.

In some cases, the Bl00dy ransomware attacks led to data theft and encryption of victim systems.

“According to FBI information, legitimate remote management and maintenance (RMM) software was downloaded and executed on victim systems via commands issued through PaperCut’s print scripting interface. External network communications through Tor and/or other proxies from inside victim networks helped Bl00dy Gang ransomware actors mask their malicious network traffic,” the joint security advisory said.

“The FBI also identified information relating to the download and execution of command and control (C2) malware such as DiceLoader, TrueBot, and Cobalt Strike Beacons, although it is unclear at which stage in the attack these tools were executed.”
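The advisory's most actionable detail for detection engineers is that follow-on tooling was launched through PaperCut's print scripting interface, which means the PaperCut application server process becomes the parent of shells, installers and download utilities it would not normally spawn. The script below is an added example, not code from the advisory or from PaperCut: it runs a parent/child process rule over a few constructed process-creation log lines in a simple CSV layout. The parent process name `pc-app.exe` is an assumption about how the PaperCut server appears in process telemetry and is not stated on the page; the log format, file paths and command lines are likewise constructed for the demonstration.

```python
"""Flag suspicious child processes of the PaperCut application server.

Added example (not from the advisory). Assumes the server runs as pc-app.exe
and that process-creation events are available as CSV with the columns
ts,parent_image,image,command_line.
"""
import csv
import io
import ntpath

# Assumed process name of the PaperCut application server (not on the page).
PAPERCUT_SERVER_PROCESS = "pc-app.exe"

# Child images a print server has little reason to launch; tune per environment.
SUSPICIOUS_CHILDREN = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
    "msiexec.exe", "rundll32.exe", "certutil.exe", "bitsadmin.exe", "curl.exe",
}

# Constructed sample telemetry: two hits, one unrelated shell, one benign child.
SAMPLE_LOG = r"""ts,parent_image,image,command_line
2023-05-03T10:14:22Z,C:\Program Files\PaperCut MF\server\bin\win\pc-app.exe,C:\Windows\System32\cmd.exe,"cmd.exe /c msiexec /i C:\Windows\Temp\rmm-agent.msi /quiet"
2023-05-03T10:14:25Z,C:\Program Files\PaperCut MF\server\bin\win\pc-app.exe,C:\Windows\System32\msiexec.exe,"msiexec /i C:\Windows\Temp\rmm-agent.msi /quiet"
2023-05-03T10:15:01Z,C:\Windows\explorer.exe,C:\Windows\System32\cmd.exe,cmd.exe
2023-05-03T10:15:30Z,C:\Program Files\PaperCut MF\server\bin\win\pc-app.exe,C:\Program Files\PaperCut MF\server\bin\win\pc-tool.exe,pc-tool.exe --status
"""


def parse_events(text: str) -> list[dict]:
    """Parse CSV process-creation events into dictionaries keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def image_name(path: str) -> str:
    """Lower-cased file name of a Windows image path."""
    return ntpath.basename(path).lower()


def detect_papercut_spawns(events: list[dict]) -> list[dict]:
    """Return alerts for suspicious children of the PaperCut server process."""
    alerts = []
    for event in events:
        if image_name(event["parent_image"]) != PAPERCUT_SERVER_PROCESS:
            continue
        child = image_name(event["image"])
        if child in SUSPICIOUS_CHILDREN:
            alerts.append({
                "ts": event["ts"],
                "child": child,
                "command_line": event["command_line"],
                "reason": f"{PAPERCUT_SERVER_PROCESS} spawned {child}",
            })
    return alerts


def run_sample() -> list[dict]:
    """Run the rule over the constructed sample log."""
    return detect_papercut_spawns(parse_events(SAMPLE_LOG))


if __name__ == "__main__":
    for alert in run_sample():
        print(f"{alert['ts']} {alert['reason']}: {alert['command_line']}")
```

In a real deployment the same rule maps onto Sysmon event ID 1 or Windows event ID 4688 data, where the parent image and command line are available; pair it with egress monitoring for Tor or proxy traffic from the print server, which the advisory names as the other observable of this activity.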

The Bl00dy ransomware gang began operating around May 2022 and has since targeted organizations using double extortion techniques. The ransomware encrypts files on the victim’s machine and appends the “.bl00dy” extension to the encrypted files. A ransom note is then created on the system to demand payment.

Interestingly, the group uses Telegram for publishing stolen data instead of Onion/Tor data leak sites commonly observed in ransomware operations.

Bl00dy ransomware is said to have targeted many well-known organizations across a number of industry sectors, including Consumer Goods, Healthcare, Professional Services, and IT and ITES.
