Bl00dy Ransomware Gang actively targets the education sector exploiting PaperCut RCE

Pierluigi Paganini May 12, 2023

U.S. CISA and FBI warned of attacks conducted by the Bl00dy Ransomware Gang against the education sector in the country.

The FBI and CISA issued a joint advisory warning that the Bl00dy Ransomware group is actively targeting the education sector by exploiting the PaperCut remote-code execution vulnerability CVE-2023-27350.

The Bl00dy ransomware has been active since May 2022, it has been the first group that started using the leaked LockBit ransomware builder in attacks in the wild.

According to the FBI, threat actors started exploiting the CVE-2023-27350 flaw in mid-April 2023 and the attacks are still ongoing. The attacks against the Education Facilities Subsector started in early May.

The report states that the gang is targeting the Education Facilities Subsector entities because they maintained approximately 68% of exposed, but not necessarily vulnerable, U.S.-based PaperCut servers.

As a result of some of these attacks, threat actors exfiltrated data of the victim systems and demanded the payment of a ransom for the decryption of encrypted files.

Bl00dy Ransomware Gang

“According to FBI information, legitimate remote management and maintenance (RMM) software was downloaded and executed on victim systems via commands issued through PaperCut’s print scripting interface. External network communications through Tor and/or other proxies from inside victim networks helped Bl00dy Gang ransomware actors mask their malicious network traffic.” reads the joint alert. “The FBI also identified information relating to the download and execution of command and control (C2) malware such as DiceLoader, TrueBot, and Cobalt Strike Beacons, although it is unclear at which stage in the attack these tools were executed.”

The US agencies recommend network defenders focus detection efforts on network traffic signatures, system monitoring, and server settings and log files.

The report also provided Indicators of Compromise (IoCs) for this threat.

We are in the final!

Please vote for Security Affairs ( as the best European Cybersecurity Blogger Awards 2022 – VOTE FOR YOUR WINNERS
Vote for me in the sections where is reported Securityaffairs or my name Pierluigi Paganini

Please nominate Security Affairs as your favorite blog.

Nominate Pierluigi Paganini and Security Affairs here here:

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, ransomware)

you might also like

leave a comment