Bl00dy ransomware group, known for exploiting vulnerabilities in the PaperCut NG software, has claimed its first victim in India, demanding a ransom of $90,000.
The group, which previously targeted universities and colleges in the US, demonstrated administrative access to the compromised Indian institute through Remote Desktop Protocol (RDP).
Screenshots shared by the group showcased the presence of PaperCut MF/NG print management software on the victim’s machine.
“On May 28, 2023, the Bl00dy ransomware group claimed to compromise an India-based institute offering various undergraduate and graduate courses,” said a report by the Cyble Research & Intelligence Labs (CRIL).
The group posted multiple screenshots as proof of compromise, demonstrating administrative access to the organization via RDP.
Bl00dy ransomware, PaperCut vulnerability, and India
“Open-source research suggests that ports 9191 and 3389 are open, and instances of the compromised organization are publicly exposed,” said the CRIL report.
“The publicly available POC of the PaperCut NG vulnerability demonstrates that port 9191 is targeted when leveraging the vulnerability. Therefore, it is highly likely that the Bl00dy ransomware group leveraged the PaperCut vulnerability to establish an initial network connection.”
The group posted a ransom note, demanding the payment of $90,000 in exchange for decrypting the compromised data.
Among the screenshots shared by the group were images demonstrating access to the organization’s Active Directory, with control over 10,014 systems assigned to students.
Additionally, the screenshots revealed access to servers such as Moodle, helpdesk, dummy web, and ERP servers, containing a total of 16.4 GB of data. The dummy web server alone held 87.8 GB of data, including multiple records and backup files.
The compromised staff folder contained records and names, potentially belonging to the university’s staff.
Bl00dy ransomware: Emergence and execution
Bl00dy Ransomware Group emerged in August 2022 and has been using Telegram and Twitter to post details about their victims.
The group has transitioned from its original C/C++ payload to the leaked LockBit 3.0 builder, and subsequently to a new builder based on the leaked Conti source code.
In recent months, the group has targeted several education institutions in the US, revealing their names publicly and leaking negotiation chat screenshots and data samples to pressure them into paying the ransom.
A joint cybersecurity advisory from the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) warned of the vulnerabilities exploited by the Bl00dy Ransomware Group, including the critical flaw CVE-2023-27350 in PaperCut MF/NG.
The advisory highlights active exploitation of this vulnerability by the ransomware group. Open-source research indicates that over 1,000 vulnerable PaperCut instances are still publicly exposed, leaving those organizations susceptible to attacks by ransomware and Advanced Persistent Threat (APT) groups.
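The two exposure signals this article keeps returning to are a PaperCut version that has not been patched for CVE-2023-27350 and the PaperCut web port (9191) or RDP (3389) reachable from the internet. The following added example, which is not code from the article, CRIL, PaperCut or the CISA-FBI advisory, turns those two checks into a small triage script. It relies on PaperCut's published fixed versions for CVE-2023-27350 (20.1.7, 21.2.11 and 22.0.9, with 8.0 and later affected); the scan records are constructed inline, and the treatment of branches newer than 22.0 as already patched is an assumption noted in the code.

```python
"""Triage constructed scan results for PaperCut MF/NG exposure (CVE-2023-27350).

Added example, not code from the article or the vendor. The fixed-version
table follows PaperCut's advisory for CVE-2023-27350; everything else
(record format, severities, sample hosts) is constructed for illustration.
"""
from dataclasses import dataclass

PAPERCUT_PORT = 9191      # PaperCut NG/MF web interface (HTTP)
RDP_PORT = 3389           # Remote Desktop Protocol

# Branch -> first fixed version for CVE-2023-27350 (per PaperCut's advisory).
FIXED_VERSIONS = {
    (20, 1): (20, 1, 7),
    (21, 2): (21, 2, 11),
    (22, 0): (22, 0, 9),
}
FIRST_AFFECTED = (8, 0, 0)  # advisory: versions 8.0 and later are affected


def parse_version(text: str) -> tuple:
    """Turn '22.0.8' or '22.0.8 (Build 1234)' into a 3-tuple of ints."""
    parts = []
    for piece in text.split()[0].split("."):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def is_vulnerable(version: str) -> bool:
    """True when the reported PaperCut version predates the CVE-2023-27350 fix."""
    v = parse_version(version)
    if v < FIRST_AFFECTED:
        return False
    branch = v[:2]
    if branch in FIXED_VERSIONS:
        return v < FIXED_VERSIONS[branch]
    # Branches without a backported fix (e.g. 20.0, 21.1) must be upgraded,
    # so they count as vulnerable. Assumption: branches newer than 22.0
    # shipped after the fix and are treated as patched.
    return branch < (22, 0)


@dataclass
class Finding:
    host: str
    port: int
    severity: str
    detail: str


def triage(records) -> list:
    """Flag internet-facing PaperCut and RDP services from scan records.

    Each record is a dict with host, port, service and (optional) version.
    """
    findings = []
    for rec in records:
        port = rec["port"]
        if port == PAPERCUT_PORT and rec.get("service") == "papercut":
            if is_vulnerable(rec.get("version", "")):
                findings.append(Finding(rec["host"], port, "critical",
                                        "PaperCut exposed and unpatched for CVE-2023-27350"))
            else:
                findings.append(Finding(rec["host"], port, "high",
                                        "PaperCut admin interface exposed; restrict access"))
        elif port == RDP_PORT:
            findings.append(Finding(rec["host"], port, "high",
                                    "RDP exposed to the internet"))
    return findings


# Constructed sample scan output (documentation-range addresses, not real hosts).
SAMPLE_SCAN = [
    {"host": "203.0.113.10", "port": 9191, "service": "papercut", "version": "22.0.8"},
    {"host": "203.0.113.10", "port": 3389, "service": "ms-wbt-server"},
    {"host": "203.0.113.20", "port": 9191, "service": "papercut", "version": "22.0.9"},
    {"host": "203.0.113.30", "port": 443, "service": "https"},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_SCAN):
        print(f"{f.severity.upper():8} {f.host}:{f.port}  {f.detail}")
```

The version check is deliberately conservative: a branch that never received a backport is reported as vulnerable, because the only remediation is moving to a fixed branch. A patched PaperCut server that still exposes 9191 is kept as a finding, since the advisory's recommendation is to take the server off the internet regardless of patch level.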
PaperCut vulnerability and the education sector
“In early May 2023, according to FBI information, the Bl00dy Ransomware Gang gained access to victim networks across the Education Facilities Subsector where PaperCut servers vulnerable to CVE-2023-27350 were exposed to the internet,” said the CISA-FBI security advisory.
Several US-based colleges and schools, which were targeted by the Bl00dy Ransomware Group in May 2023, continue to have unpatched vulnerabilities.
“On April 29, 2023, the Bl00dy ransomware group claimed to have attacked several education institutes in the US on their social media handle. Subsequently, from May 1, 2023, they started revealing the names of these institutions to name-shame them,” the CRIL report said.
“The group has claimed to have targeted at least six colleges/schools from the start of May. Not stopping there, the ransomware group also leaked negotiation chat screenshots with their victim entities and data samples to pressurize them to pay the ransom.”
The FBI and CISA recommended keeping software, firmware, and applications updated with the latest patches and implementing proper network segmentation to prevent lateral movement.
They also advised organizations to secure critical assets behind properly configured and updated firewalls and implement restrictions on network access to vulnerable servers.