
Bl00dy Ransomware Threat – FBI And CISA Warn Of PaperCut Risk To Education 

The Bl00dy ransomware gang has been frequently exploiting a serious vulnerability in PaperCut servers, and the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) have issued a joint advisory warning that educational institutions are particularly at risk from criminal actors.

The critical vulnerability allows unauthenticated remote code execution (RCE) and is rated 9.8 out of 10 under the Common Vulnerability Scoring System (CVSS).

According to the security advisory:

In early May 2023, according to FBI information, the Bl00dy Ransomware Gang gained access to victim networks across the Education Facilities Subsector where PaperCut servers vulnerable to CVE-2023-27350 were exposed to the internet. Ultimately, some of these operations led to data exfiltration and encryption of victim systems.

The PaperCut vulnerability, CVE-2023-27350, is a critical-severity remote code execution (RCE) flaw that affects both PaperCut MF and PaperCut NG. Additionally, nearly 70,000 enterprises in over 100 countries use these print management software solutions. 

PaperCut released an update in March 2023. However, the FBI reports that the vulnerability has been exploited by a group calling itself the Bl00dy Ransomware Gang in attacks starting in mid-April and continuing to the present.

PaperCut NG and MF versions 20.1.7, 21.2.11, and 22.0.9 provide fixes for the issue, although companies have been a little slow to deploy them, leaving themselves vulnerable to attacks. 

The Iranian hacker organisation “MuddyWater” has been using CVE-2023-27350, according to information released by Microsoft earlier this week. The risk to businesses is increasing because of the growing number of lesser-known proof-of-concept (PoC) exploits for this PaperCut vulnerability.

The consequences of Bl00dy Ransomware on Schools 

Approximately 68% of PaperCut servers that are accessible over the internet are the responsibility of the Education Facilities subsector, according to CISA. 

However, the exact number of vulnerable, unpatched endpoints remains unknown. The recent Bl00dy attack has been successful against several business targets, using CVE-2023-27350 to bypass user authentication and acquire administrator access to the system.

The access was then used to spawn new “cmd.exe” and “powershell.exe” processes with similarly elevated privileges. This made it possible to access the device remotely and use it as a jumping-off point for lateral movement across the network.

The ransomware attackers steal data while also encrypting the targeted systems. They then leave notes asking for money in exchange for a working decryptor and a promise not to share or sell the stolen material. The group also tried to avoid discovery by operating inside the target networks and using Tor to communicate with outside networks, successfully masking their malicious network activity.

A ransomware note from recent Bl00dy attack

The Bl00dy ransomware campaign was launched in May 2022. Instead of developing their own malware, the attackers chose to use an encryptor built from stolen LockBit source code. They have also been seen using encryptors created from leaked Babuk and Conti source code.

According to Zach Hanley, chief attack engineer at, state, local, and educational institutions in the United Kingdom are regularly targeted by ransomware due to historical vulnerabilities in security and an attraction for helping with ransom demands.

The CISA advisory provides thorough details on network traffic patterns, child processes, and indicators of compromise discovered on targeted servers, all of which should be monitored continuously to help organisations prevent such attacks. Applying the available security updates to PaperCut MF and NG servers is still the advised course of action, since doing so will completely fix the vulnerabilities that criminal actors have been using to their advantage.
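The child-process monitoring mentioned above can be expressed as an ancestry check: flag any “cmd.exe” or “powershell.exe” whose parent chain leads back to the print server process. The following Python is an added example, not code from the advisory or from PaperCut; the server process name `pc-app.exe`, the event field names and the sample events are assumptions constructed for illustration.

```python
from pathlib import PureWindowsPath

# Assumption: image name of the PaperCut application server process.
# Set it to whatever your installation actually runs.
SERVER_IMAGE = "pc-app.exe"
SHELLS = {"cmd.exe", "powershell.exe"}  # the two binaries named in the article

# Constructed sample process-creation events (field names and paths are made up).
SAMPLE_EVENTS = [
    {"pid": 400,  "ppid": 4,    "image": r"C:\Windows\System32\services.exe"},
    {"pid": 1200, "ppid": 400,  "image": r"D:\apps\printsrv\pc-app.exe"},
    {"pid": 1300, "ppid": 1200, "image": r"C:\Windows\System32\cmd.exe"},
    {"pid": 1310, "ppid": 1300,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"pid": 2000, "ppid": 900,  "image": r"C:\Windows\explorer.exe"},  # parent not logged
    {"pid": 2100, "ppid": 2000,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
]


def basename(image):
    """Lower-cased file name of a Windows image path (works on any OS)."""
    return PureWindowsPath(image).name.lower()


def shells_under_server(events, server=SERVER_IMAGE, shells=SHELLS):
    """Return (pid, ancestry) for each shell with `server` among its ancestors."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        if basename(e["image"]) not in shells:
            continue
        chain, seen = [basename(e["image"])], {e["pid"]}
        cur = by_pid.get(e["ppid"])
        # Walk upward; stop at an unlogged parent or a pid loop.
        while cur and cur["pid"] not in seen:
            seen.add(cur["pid"])
            chain.append(basename(cur["image"]))
            if chain[-1] == server:
                hits.append((e["pid"], " <- ".join(chain)))
                break
            cur = by_pid.get(cur["ppid"])
    return hits


if __name__ == "__main__":
    for pid, chain in shells_under_server(SAMPLE_EVENTS):
        print(f"ALERT pid={pid}: {chain}")
```

Real telemetry should key processes on a process GUID or on pid plus start time, because Windows reuses pids.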
