Bl00dy Ransomware targets

FBI: Bl00dy Ransomware targets education orgs in PaperCut attacks

Date: 16 May 2023

Threat Actor

  • Bl00dy ransomware

  • Muddywater


The PaperCut flaw is tracked as CVE-2023-27350 and is a critical-severity remote code execution (RCE) weakness impacting PaperCut MF and PaperCut NG, printing management software used by roughly 70,000 organizations in over 100 countries. The vulnerability has been under active exploitation since at least April 18, 2023, about a month after its public disclosure in March.

While the vulnerability was fixed in PaperCut NG and MF versions 20.1.7, 21.2.11, and 22.0.9, organizations have been slow to install the update, leaving them exposed to attacks. Microsoft also reported earlier this week that Iranian hacking groups, including the state-sponsored 'Muddywater', have joined the exploitation of CVE-2023-27350 to bypass user authentication and achieve remote code execution on their targets. Unfortunately, the availability of proof-of-concept (PoC) exploits for the PaperCut flaw, some of which are less likely to be detected, raises the risk for organizations even more.

The Bl00dy ransomware attacks observed recently were successful, leveraging CVE-2023-27350 to bypass user authentication and access the server as administrators. This access was then used to spawn new 'cmd.exe' and 'powershell.exe' processes with the same high privileges to gain remote access to the device and use it as a launchpad to spread laterally through the network. During this time, the ransomware actors steal data and encrypt the target systems, leaving notes demanding payment in exchange for a working decryptor and the promise not to publish or sell the stolen data.
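
The process behaviour described above (shells spawned by the print server) can be hunted in process-creation telemetry. The following is an added example, not code from the FBI advisory or from PaperCut: it assumes the PaperCut application server runs as pc-app.exe and that events have been mapped to the host, pid, ppid and image keys shown; the sample events are constructed.

```python
import ntpath

# Assumption: pc-app.exe is the PaperCut application server process; confirm
# the name on your install. The shells are the two named in the article.
PAPERCUT_IMAGES = {"pc-app.exe"}
SHELL_IMAGES = {"cmd.exe", "powershell.exe"}
MAX_DEPTH = 8  # bound the ancestor walk

def _name(path):
    return ntpath.basename(path).lower()

def find_papercut_shells(events):
    """Return (event, lineage) for each shell descended from the PaperCut server.

    events: time-ordered process-creation records with host, pid, ppid, image
    (for example Sysmon Event ID 1 or EDR telemetry mapped to these keys).
    """
    procs, hits = {}, []          # procs: (host, pid) -> latest event
    for ev in events:
        procs[(ev["host"], ev["pid"])] = ev
        if _name(ev["image"]) not in SHELL_IMAGES:
            continue
        lineage, seen, ppid = [_name(ev["image"])], {ev["pid"]}, ev["ppid"]
        while ppid not in seen and len(lineage) <= MAX_DEPTH:
            parent = procs.get((ev["host"], ppid))
            if parent is None:    # ancestor not in the collected telemetry
                break
            lineage.append(_name(parent["image"]))
            if lineage[-1] in PAPERCUT_IMAGES:
                hits.append((ev, lineage[::-1]))
                break
            seen.add(ppid)        # guards against loops from PID reuse
            ppid = parent["ppid"]
    return hits

# Constructed sample telemetry (hosts, PIDs and paths are made up).
SAMPLE_EVENTS = [
    {"host": "PRINT01", "pid": 4120, "ppid": 700, "image": r"D:\papercut\pc-app.exe"},
    {"host": "PRINT01", "pid": 5200, "ppid": 4120, "image": r"C:\Windows\System32\cmd.exe"},
    {"host": "PRINT01", "pid": 5310, "ppid": 5200,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"host": "PRINT01", "pid": 6000, "ppid": 900, "image": r"C:\Windows\explorer.exe"},
    {"host": "PRINT01", "pid": 6100, "ppid": 6000, "image": r"C:\Windows\System32\cmd.exe"},
    {"host": "WS07", "pid": 5200, "ppid": 4120, "image": r"C:\Windows\System32\cmd.exe"},
]

if __name__ == "__main__":
    for ev, lineage in find_papercut_shells(SAMPLE_EVENTS):
        print(ev["host"], ev["pid"], " -> ".join(lineage))
```

Walking the full ancestor chain, keyed per host, catches a powershell.exe launched through an intermediate cmd.exe while ignoring an administrator's own shell and matching PIDs on unrelated machines.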

