Threat Actor Leaking Victim Details Via Telegram
Ransomware is one of the most serious cybersecurity threats and possibly the most effective form of cybercrime that plagues organizations today. It has quickly become one of the most prominent and profitable types of malware for cybercriminals.
“Bl00dy” is a new ransomware strain targeting organizations using double extortion techniques. The ransomware encrypts files on the victim’s machine and appends the extension of encrypted files as “.bl00dy.” Later, a ransom note is created on the system to demand payment.
This ransomware uses Telegram to post the compromised organization’s information instead of using Onion/Tor sites. As per Telegram channel data, the ransomware gang created a Telegram account at the end of July 2022 and began publishing leaked victim data in August 2022.
The below figure shows the message posted by Bl00dy Ransomware Gang Threat Actors.
As per statistics from Cyble Threat intelligence platform, Bl00dy ransomware has targeted many well-known organizations (6 known victims so far) across several industry sectors such as Consumer Goods, Healthcare, Professional Services, IT & ITES, etc.
In the figure below, we have prepared a breakdown of the industries targeted by the Bl00dy ransomware Gang.
Technical Details
We have taken the below sample hash for the purposes of this analysis:
(SHA256), 139a8bb2c5537190e747d2f651b423147018fd9a9a21bb36281d4ce1c61727c1,
which is a GUI-based x32 bit executable written in Microsoft Visual C/C++ compiler.
Upon execution, the ransomware initially resolves the mutex name by using a small decryption loop shown in Figure 3. The malware uses a similar decryption loop throughout the file to resolve DLL names, API functions, and other important strings.
After resolving the mutex string, the ransomware creates a mutex to ensure that only one instance of malware is running on the victim’s system at any given time. The malware exits if the mutex is already present. The below figure shows the created mutex name.
The ransomware then creates multiple threads using the CreateThread() API to perform several tasks in parallel for faster file encryption, such as getting valid system drives, enumerating files/folders to encrypt files, discovering network shares, etc.
The below figure shows the malware using the GetLogicalDriveStringsW() API to get the available valid system drives in the victim’s machine.
Next, the malware drops a ransom note in multiple folders with the file name “warning!!!! Readme bl00dy Gang.txt”. The contents of the ransom note are shown below.
After dropping the ransom note, the malware searches files and directories for encryption by enumerating them using the FindFirstFileW() and FindNextFileW() API functions.
The ransomware excludes the below file extensions and file/folder names from encryption.
| File extension | .exe, .dll, .sys, .msi, .lnk |
| File names | Bootmgr, DumpStack.log.tmp, pagefile.sys, swapfile.sys |
| Folder names | Windows, System Volume Information, $Recycle.Bin, Temp |
The ransomware uses “Microsoft Enhanced RSA and AES Cryptographic Provider” libraries to perform the encryption on the victim machine. For encryption, the malware uses some of the functions from CryptoAPI such as CryptAcquireContextA(), CryptImportKey(), CryptGenRandom() and CryptEncrypt().
The figure below shows the malware encrypting data using the CryptEncrypt() API function with random bytes being generated using CryptGenRandom() and the key obtained from the CryptImportKey() function.
The figure below shows the code snippet of the encryption loop and the original & infected file content before and after encryption.
In the next step, the malware renames the encrypted files with the “.bl00dy” extension using the lstrcatW() API and replaces them with the original file using the MoveFileW() API function, as shown below.
The below figure shows the files encrypted by Bl00dy ransomware after the successful infection of a victim’s machine.
Once the victim’s system is infected, the ransomware spreads to other machines on the same network, using the API function NetShareEnum(), as shown below.
Additionally, the ransomware uses the following command line to run the WMI query, which deletes the shadow copy using “Win32_ShadowCopy.ID“:
- cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where “ID=” {29A0A02F-1E9E-4A50-93C4-1D938C11D8A3}” delete
In the dropped ransom note, victims are given instructions on how they can contact the Bl00dy Ransomware Gang for ransom negotiations.
Additionally, the TAs behind Bl00dy ransomware threaten victims stating that they have penetrated their organization’s network and downloaded all important files. They also mention that they will publish the stolen information to the public if the ransom is not paid.
The ransom note also has the Telegram link where TAs publish the compromised company’s private data.
The figure below shows the TA’s leaked information as “Telegram hall of shame,” which includes screenshot proofs of the attack, compromised company details, links to download organization data, screenshots of ransom negotiations with the organization, etc.
Conclusion
Bl00dy is a newly discovered ransomware family operated by TAs who continue to breach organizations and demand significant ransom amounts. The TAs also perform double extortion attacks by stealing an organization’s files and leaking them via their Telegram channel if the ransom is not paid.
Ransomware is becoming an increasingly common and effective attack method to target organizations, adversely impacting their productivity, finances, and brand reputation. Organizations need to stay ahead of the techniques used by TAs besides implementing the requisite security best practices and security controls.
Cyble Research & Intelligence Labs (CRIL) continuously monitors new ransomware campaigns to keep our readers updated with our latest findings.
Our Recommendations
We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:
Safety Measures Needed to Prevent Ransomware Attacks
- Conduct regular backup practices and keep those backups offline or in a separate network.
- Turn on the automatic software update feature on your computer, mobile, and other connected devices wherever possible and pragmatic.
- Use a reputed anti-virus and Internet security software package on your connected devices, including PC, laptop, and mobile.
- Refrain from opening untrusted links and email attachments without verifying their authenticity.
Users Should Take the Following Steps After the Ransomware Attack
- Detach infected devices on the same network.
- Disconnect external storage devices if connected.
- Inspect system logs for suspicious events.
Impact and Cruciality of Bl00dy Ransomware
- Loss of valuable data.
- Loss of the organization’s reputation and integrity.
- Loss of the organization’s sensitive business information.
- Disruption in organization operation.
- Financial loss.
MITRE ATT&CK® Techniques
| Tactic | Technique ID | Technique Name |
| Execution | T1204 T1059 T1047 | User Execution Command and Scripting Interpreter Windows Management Instrumentation |
| Defense Evasion | T1027 T1045 | Obfuscated Files or Information Software Packing |
| Discovery | T1082 T1083 T1057 T1046 | System Information Discovery File and Directory Discovery Process Discovery Network Service Discovery |
| Impact | T1486 | Data Encrypted for Impact |
Indicators of Compromise (IOCs)
| Indicators | Indicator Type | Description |
| 8d27d0c897ce21f1036bf659fc663cf2 afe3d0fb48092aeca4dcd3989a076e87fdbe69b2 139a8bb2c5537190e747d2f651b423147018fd9a9a21bb36281d4ce1c61727c1 | MD5 SHA1 Sha256 | Bl00dy Ransomware exe |
