
First Indian Victim of Bloody Ransomware Through PaperCut Bug


The Bl00dy ransomware group has claimed its first victim in India, demanding $90,000 in ransom. The group, which previously targeted universities and colleges in the US, demonstrated administrative access to the compromised Indian institute through Remote Desktop Protocol (RDP). Screenshots shared by the group showcased the presence of PaperCut MF/NG print management software on the victim’s machine.

According to Cyble Research & Intelligence Labs (CRIL), the Bl00dy ransomware group claimed on May 28, 2023 to have compromised an India-based institute offering various undergraduate and graduate courses. The group posted multiple screenshots as proof of compromise, demonstrating administrative access to the organization via RDP. Open-source research suggests that ports 9191 and 3389 are open and that instances belonging to the compromised organization are publicly exposed. The publicly available Proof of Concept (POC) for the PaperCut NG vulnerability targets port 9191 when leveraging the vulnerability. It is therefore highly likely that the Bl00dy ransomware group leveraged the PaperCut vulnerability to establish an initial network connection.

Among the screenshots shared by the group were images demonstrating access to the organization’s Active Directory, with control over 10,014 systems assigned to students. Additionally, the screenshots revealed access to servers such as Moodle, helpdesk, dummy web, and ERP servers, containing a total of 16.4 GB of data. The dummy web server alone held 87.8 GB of data, including multiple records and backup files. The compromised staff folder contained records and names, potentially belonging to the university’s staff.

The Bl00dy Ransomware Group emerged in August 2022 and has been using Telegram and Twitter to post details about its victims. The group has transitioned from its original C/C++-coded payload to the leaked builder of LOCKBIT 3.0, and subsequently to a new builder based on leaked Conti source code. In recent months, the group has targeted several educational institutions in the US, revealing their names publicly and leaking negotiation chat screenshots and data samples to pressure them into paying the ransom.

A joint cybersecurity advisory by the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) warned about the vulnerabilities exploited by the Bl00dy Ransomware Group, including the critical flaw CVE-2023-27350 in PaperCut NG. The advisory highlights the active exploitation of this vulnerability by the ransomware group. Open-source research indicates that over 1,000 vulnerable instances are still publicly exposed, leaving organizations susceptible to attacks by ransomware and Advanced Persistent Threat (APT) groups.

“In early May 2023, according to FBI information, the Bl00dy Ransomware Gang gained access to victim networks across the Education Facilities Subsector where PaperCut servers vulnerable to CVE-2023-27350 were exposed to the internet,” said the CISA-FBI security advisory. Several US-based colleges and schools, which were targeted by the Bl00dy Ransomware Group in May 2023, continue to have unpatched vulnerabilities.

“The group has claimed to have targeted at least six colleges/schools from the start of May. Not stopping there, the ransomware group also leaked negotiation chat screenshots with their victim entities and data samples to pressurize them to pay the ransom.”

The FBI and CISA recommended keeping software, firmware, and applications updated with the latest patches and implementing proper network segmentation to prevent lateral movement. They also advised organizations to secure critical assets behind properly configured and updated firewalls and implement restrictions on network access to vulnerable servers.
