Cyble – Bl00dy – New Ransomware Strain Active In The Wild

Bl00dy is a newly discovered ransomware strain that uses double extortion and leaks victim data via Telegram rather than hidden Tor channels. It encrypts files with CryptoAPI, renames them with a .bl00dy extension, drops ransom notes, and propagates laterally over networks while threatening public disclosure if fees aren’t paid. Hashtags: #Bl00dy #Telegram #Cyble #WMIC #NetShareEnum #CryptoAPI

Keypoints

  • Bl00dy targets multiple sectors with several known victims (6+ across Consumer Goods, Healthcare, Professional Services, IT/ITES).
  • Threat actors leak victim data via Telegram channels instead of Onion/Tor-based portals.
  • The malware uses a mutex to ensure only a single instance runs on a host.
  • Encryption is performed with Microsoft CryptoAPI (CryptEncrypt/CryptGenRandom/CryptImportKey), and files are renamed with the .bl00dy extension.
  • Ransom notes are dropped in multiple folders (e.g., “warning!!!! Readme bl00dy Gang.txt”).
  • Discovery, file encryption, and propagation rely on Windows APIs (GetLogicalDriveStringsW, FindFirstFileW/FindNextFileW, MoveFileW, NetShareEnum) and WMIC/shadow copy deletion to hinder recovery.
  • The attackers use Telegram to publish leaked data and threaten public release if the ransom is not paid.

MITRE Techniques

  • [T1059.003] Windows Command Shell – The ransomware runs a command line to delete shadow copies using WMIC: “cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{29A0A02F-1E9E-4A50-93C4-1D938C11D8A3}'" delete”
  • [T1047] Windows Management Instrumentation – The malware uses WMIC to perform system actions as part of defense evasion and impact operations: “WMIC.exe shadowcopy …”
  • [T1027] Obfuscated/Encrypted Files or Information – The code uses a decryption loop to resolve mutexes and strings: “a small decryption loop shown in Figure 3 … resolve DLL names, API functions, and other important strings.”
  • [T1486] Data Encrypted for Impact – Encryption of files using CryptoAPI libraries and API calls like CryptEncrypt() with keys from CryptImportKey and random bytes from CryptGenRandom().
  • [T1083] File and Directory Discovery – The malware searches for targets by enumerating files/directories with FindFirstFileW() and FindNextFileW().
  • [T1082] System Information Discovery – GetLogicalDriveStringsW() is used to enumerate available system drives.
  • [T1135] Network Share Discovery – The ransomware spreads to other machines on the same network via NetShareEnum().
  • [T1490] Inhibit System Recovery – Shadow copy deletion is performed to hinder recovery efforts: “shadowcopy where ‘ID=’ … delete”
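A defender-side check for the three observables mapped above (shadow copy deletion through WMIC, the ransom note filename, and the .bl00dy extension), written as an added example that is not code from the Cyble report; the event records are constructed to mimic the fields of Sysmon process-create (ID 1) and file-create (ID 11) events.

```python
import re

# Constructed sample telemetry (not from the report): minimal Sysmon-like
# process-create (event_id 1) and file-create (event_id 11) records.
SAMPLE_EVENTS = [
    {"event_id": 1, "image": "C:\\Windows\\System32\\cmd.exe",
     "command_line": "cmd.exe /c C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy "
                     "where \"ID='{29A0A02F-1E9E-4A50-93C4-1D938C11D8A3}'\" delete"},
    {"event_id": 1, "image": "C:\\Windows\\System32\\wbem\\WMIC.exe",
     "command_line": "wmic os get caption"},          # benign WMIC use
    {"event_id": 11, "target": "C:\\Users\\alice\\Documents\\warning!!!! Readme bl00dy Gang.txt"},
    {"event_id": 11, "target": "C:\\Users\\alice\\Documents\\report.docx.bl00dy"},
    {"event_id": 11, "target": "C:\\Users\\alice\\Documents\\notes.txt"},
]

# WMIC shadow copy deletion (T1490): wmic ... shadowcopy ... delete, any casing.
SHADOWCOPY_DELETE = re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)
RANSOM_NOTE = "warning!!!! readme bl00dy gang.txt"   # compared case-insensitively
ENC_EXT = ".bl00dy"


def classify(event):
    """Return detection labels for one event; an empty list means no match."""
    hits = []
    if event.get("event_id") == 1:
        if SHADOWCOPY_DELETE.search(event.get("command_line", "")):
            hits.append("T1490 shadow copy deletion via WMIC")
    elif event.get("event_id") == 11:
        # Only the final path component matters for the note and extension checks.
        name = event.get("target", "").rsplit("\\", 1)[-1].lower()
        if name == RANSOM_NOTE:
            hits.append("Bl00dy ransom note dropped")
        elif name.endswith(ENC_EXT):
            hits.append("T1486 file renamed with .bl00dy extension")
    return hits


def scan(events):
    """Run classify() over a stream of events; returns (index, label) pairs."""
    return [(i, label) for i, ev in enumerate(events) for label in classify(ev)]


if __name__ == "__main__":
    for idx, label in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {label}")
```

The command-line pattern is deliberately loose about path and argument order so it still fires when the GUID or the full WMIC path varies; the ransom note and extension checks key on the exact filename and suffix reported above.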

Indicators of Compromise

  • [Hash] MD5 – 8d27d0c897ce21f1036bf659fc663cf2 – Bl00dy Ransomware exe
  • [Hash] SHA1 – afe3d0fb48092aeca4dcd3989a076e87fdbe69b2 – Bl00dy Ransomware exe
  • [Hash] SHA256 – 139a8bb2c5537190e747d2f651b423147018fd9a9a21bb36281d4ce1c61727c1 – Bl00dy Ransomware exe
  • [Filename] warning!!!! Readme bl00dy Gang.txt – Ransom note file
  • [Extension] .bl00dy – Encrypted file extension

Read more: https://blog.cyble.com/2022/09/28/bl00dy-new-ransomware-strain-active-in-the-wild/