Bl00Dy

Bl00dy is a ransomware-as-a-service (RaaS) operation that emerged in 2022 and is described in the provided content as a Conti spin-off or offshoot of the Russian-speaking Conti ransomware group. The group has targeted healthcare and education organizations, primarily in the United States. In early May 2023, according to FBI and CISA reporting cited in the content, the Bl00dy Ransomware Gang exploited the PaperCut MF/NG vulnerability CVE-2023-27350 to gain initial access to internet-exposed vulnerable PaperCut servers, particularly in the U.S. Education Facilities Subsector. Reported intrusions included data exfiltration and file encryption, with ransom notes demanding payment for decryption. The advisory associated with this activity also noted use of PaperCut print scripting and User/Group Sync functionality for code execution and living-off-the-land style activity, and identified follow-on tooling including DiceLoader, TrueBot, Cobalt Strike Beacon, and revsocks. The content also states that Bl00dy used open-source and leaked builders from other operators, including LockBit, Babuk, and Conti, rather than developing its own tooling. TRM Labs reporting in the content links confirmed Bl00dy victim payment addresses and laundering infrastructure to non-VPN IP addresses geolocated to Ghana, while leaked RAMP forum data reportedly contained an email address in which a Bl00dy-linked actor advertised their location as North Africa. Known alias in the provided content: Bl00dy.