Bl00Dy
Bl00dy is a ransomware family/group referenced as operating as part of the ransomware-as-a-service ecosystem and advertised on the RAMP cybercrime forum by July 2023. Reporting in the provided content states the Bl00Dy ransomware group began operating in May 2022 and used a Telegram channel to advertise leaked data. The group reportedly did not develop its own tooling and instead relied on open-source and leaked builders from other ransomware operations, including LockBit, Babuk, and Conti; from September 2022 it used the LockBit builder in attacks. Bl00dy has been described as an offshoot of the Russian-speaking Conti ransomware group.
In early May 2023, according to FBI/CISA reporting, the Bl00dy Ransomware Gang gained access to victim networks by exploiting internet-exposed PaperCut MF/NG servers vulnerable to CVE-2023-27350, an authentication bypass leading to remote code execution. The activity particularly targeted the U.S. Education Facilities Subsector, and some intrusions resulted in data exfiltration and encryption of victim systems, with ransom notes demanding payment for decryption. Microsoft also linked FIN7 to PaperCut-targeting attacks associated with deployment of Clop, Bl00dy, and LockBit ransomware.
The PaperCut-related intrusions described in the content involved abuse of the SetupCompleted Java class and PaperCut features such as print scripting and User/Group Sync to achieve code execution, often with SYSTEM- or root-level privileges via pc-app.exe. Associated post-exploitation and delivery artifacts observed in this activity included DiceLoader, TrueBot, Cobalt Strike Beacon, and revsocks/socks.exe. High-confidence indicators mentioned in the content include malicious domains anydeskupdate.com, anydeskupdates.com, netviewremote.com, updateservicecenter.com, windowcsupdates.com, windowservicecemter.com, windowservicecentar.com, windowservicecenter.com, and winserverupdates.com; and files socks.exe (SHA-256: 6bb160ebdc59395882ff322e67e000a22a5c54ac777b6b1f10f1fef381df9c15), ld.txt / TrueBot (SHA-256: c0f8aeeb2d11c6e751ee87c40ee609aceb1c1036706a5af0d3d78738b6cc4125), and update.dll / Cobalt Strike Beacon (SHA-256: 0ce7c6369c024d497851a482e011ef1528ad270e83995d52213276edbe71403f). TRM Labs also linked money-laundering infrastructure in Ghana to the Bl00dy ransomware group.
Hunt this family in your stack
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
Vulnerabilities exploited
1 CVE Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.
In early May 2023, according to FBI information, the Bl00dy Ransomware Gang gained access to victim networks across the Education Facilities Subsector where PaperCut servers vulnerable to CVE-2023-27350 were exposed to the internet. Ultimately, some of these operations led to data exfiltration and encryption of victim systems.
Groups observed using it
2 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
In early May 2023, according to FBI information, the Bl00dy Ransomware Gang gained access to victim networks across the Education Facilities Subsector where PaperCut servers vulnerable to CVE-2023-27350 were exposed to the internet. Ultimately, some of these operations led to data exfiltration and encryption of victim systems.
...attacks targeting PaperCut printing servers with Clop, Bl00dy, and LockBit ransomware.
Techniques & procedures
2 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
1 technique"FIN7 was also linked to attacks targeting PaperCut printing servers with Clop, Bl00dy, and LockBit ransomware."
Impact
1 techniqueRAMP hosted 60 threads in its dedicated RaaS section, where ransomware operators recruit affiliates... We identified 14 distinct RaaS programs: AvosLocker, Conti, Luna, BEAST, Nevada, CryptNet, Knight 3.0, NoEscape, Bl00dy, KUIPER, UBUD, PHOBOS, Zeppelin2, Wing 1.0.
IOCs tracked for this family
1 indicator attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
Recent activity
6 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A ransomware-as-a-service program advertised on RAMP.
Bl00dy is a ransomware group, considered an offshoot of the Conti ransomware group, involved in money laundering and ransomware operations.
Bl00dy is a ransomware group, considered an offshoot of the Conti ransomware group, involved in money laundering and ransomware operations.
Ransomware operation described as relying on leaked/open-source builders (notably LockBit) rather than developing its own tooling; used Telegram for victim data-leak advertising.
The version that knows your environment.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.