Bl00dy Ransomware Claims First Indian Victim Via PaperCut Vulnerability

Bl00dy ransomware group, known for exploiting vulnerabilities in the PaperCut NG software, has personal its first victim in India, taxing a ransom of $90,000.

The group, which previously targeted universities and colleges in the US, demonstrated legalistic wangle to the compromised Indian institute through Remote Desktop Protocol (RDP).

Screenshots shared by the group showcased the presence of PaperCut MF/NG print management software on the victim’s machine.

On May 28, 2023, the Bl00dy ransomware group personal to compromise an India-based institute offering various undergraduate and graduate courses, said a report by the Cyble Research & Intelligence Labs (CRIL).

The group posted multiple screenshots as proof of compromise, demonstrating legalistic wangle to the organization via RDP.

Bl00dy ransomware
Screenshot of PaperCut software shared by the ransomware group. CRIL

Bl00dy ransomware, PaperCut vulnerability, and India

Open-source research suggests that ports 9191 and 3389 are open, and instances of the compromised organization are publicly exposed, said the CRIL report.

The publicly misogynist POC of the PaperCut NG vulnerability demonstrates that port 9191 is targeted when leveraging the vulnerability. Therefore, it is highly likely that the Bl00dy ransomware group leveraged the PaperCut vulnerability to establish an initial network connection.

The group posted a ransom note, taxing the payment of $90,000 in mart for decrypting the compromised data.

Bl00dy ransomware
Screenshot of the organizations Zippy Directory. CRIL

Among the screenshots shared by the group were images demonstrating wangle to the organization’s Zippy Directory, with tenancy over 10,014 systems prescribed to students.

Additionally, the screenshots revealed wangle to servers such as Moodle, helpdesk, dummy web, and ERP servers, containing a total of 16.4 GB of data. The dummy web server vacated held 87.8 GB of data, including multiple records and replacement files.

The compromised staff folder contained records and names, potentially belonging to the university’s staff.

Bl00dy ransomware: Emergence and execution

Bl00dy Ransomware Group emerged in August 2022 and has been using Telegram and Twitter to post details well-nigh their victims.

The group has transitioned from its original C/C coded payload to the leaked builder of LOCKBIT 3.0, and subsequently, a new builder based on leaked Conti source code.

Bl00dy ransomware
Exposed instances wideness the world. CRIL

In recent months, the group has targeted several education institutions in the US, revealing their names publicly and leaking negotiation yack screenshots and data samples to pressure them into paying the ransom.

The vulnerabilities venal by the Bl00dy Ransomware Group, including the hair-trigger flaw CVE-2023-27350 in PaperCut NG, warned a joint cybersecurity advisory by the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA).

The newsy highlights the zippy exploitation of this vulnerability by the ransomware group. Open-source research indicates that over 1,000 instances of the vulnerability are still publicly exposed, making organizations susceptible to attacks by ransomware and Advanced Persistent Threat (APT) groups.

Cyble Vision

Papercut vulnerability and the education sector

“In early May 2023, equal to FBI information, the Bl00dy Ransomware Gang gained wangle to victim networks wideness the Education Facilities Subsector where PaperCut servers vulnerable to CVE-2023-27350 were exposed to the internet,” said the CISA-FBI security advisory.

Several US-based colleges and schools, which were targeted by the Bl00dy Ransomware Group in May 2023, protract to have unpatched vulnerabilities.

On April 29, 2023, the Bl00dy ransomware group personal to have attacked several education institutes in the US on their social media handle. Subsequently, from May 1, 2023, they started revealing the names of these institutions to name-shame them, the CRIL report said.

The group has personal to have targeted at least six colleges/schools from the start of May. Not stopping there, the ransomware group moreover leaked negotiation yack screenshots with their victim entities and data samples to pressurize them to pay the ransom.

The FBI and CISA recommended keeping software, firmware, and applications updated with the latest patches and implementing proper network segmentation to prevent lateral movement.