Bl00dy Ransomware Gang
Actor Type | Criminal Group |
---|---|
The Bl00dy Ransomware Gang emerged around May 2022 and employs double extortion tactics against targeted organizations. Rather than operating a traditional data leak site, the group uses a Telegram channel to publish stolen data. Their encryptor is based on the leaked LockBit source code, and they have also been observed using encryptors built from the leaked source code of the Babuk and Conti ransomware strains.
They have been observed exploiting vulnerabilities in multiple products to gain access to target networks, including CVE-2023-27350 in PaperCut MF and NG, and CVE-2024-1709 and CVE-2024-1708 in ConnectWise ScreenConnect.
Bl00dy Ransomware Gang Threat Reports
Threat Actor Groups, Including Black Basta, are Exploiting Recent ScreenConnect Vulnerabilities
This blog post gives a detailed analysis of two critical vulnerabilities (CVE-2024-1708 and CVE-2024-1709) affecting ConnectWise ScreenConnect ...
References
www.cisa.gov
https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-131a
www.trendmicro.com
https://www.trendmicro.com/en_us/research/24/b/threat-actor-groups-including-black-basta-are-exploiting-recent-.html
www.bleepingcomputer.com
https://www.bleepingcomputer.com/news/security/leaked-lockbit-30-builder-used-by-bl00dy-ransomware-gang-in-attacks/
talion.net
https://talion.net/blog/that-bl00dy-new-ransomware-strain/
MITRE ATT&CK Techniques
MITRE ATT&CK techniques observed in use by this intrusion set.
ATT&CK ID | Title | Associated Tactics |
---|---|---|
T1059.001 | PowerShell | Execution |
T1041 | Exfiltration Over C2 Channel | Exfiltration |
T1486 | Data Encrypted for Impact | Impact |
T1105 | Ingress Tool Transfer | Command and Control |
T1482 | Domain Trust Discovery | Discovery |
T1219 | Remote Access Software | Command and Control |
T1562 | Impair Defenses | Defense Evasion |
T1087 | Account Discovery | Discovery |
T1190 | Exploit Public-Facing Application | Initial Access |