Bl00dy – New Ransomware Strain Active in the Wild

Threat Actor Leaking Victim Details Via Telegram

Ransomware is one of the most serious cybersecurity threats and possibly the most effective form of cybercrime that plagues organizations today. It has quickly become one of the most prominent and profitable types of malware for cybercriminals.

“Bl00dy” is a new ransomware strain targeting organizations using double extortion techniques. The ransomware encrypts files on the victim’s machine and appends the extension of encrypted files as “.bl00dy.” Later, a ransom note is created on the system to demand payment.

This ransomware uses Telegram to post the compromised organization’s information instead of using Onion/Tor sites. As per Telegram channel data, the ransomware gang created a Telegram account at the end of July 2022 and began publishing leaked victim data in August 2022.

The below figure shows the message posted by Bl00dy Ransomware Gang Threat Actors.

Figure 1 – TA’s messages on the Telegram channel

As per statistics from Cyble Threat intelligence platform, Bl00dy ransomware has targeted many well-known organizations (6 known victims so far) across several industry sectors such as Consumer Goods, Healthcare, Professional Services, IT & ITES, etc.

In the figure below, we have prepared a breakdown of the industries targeted by the Bl00dy ransomware Gang.

Figure 2 – Industries Targeted by the Bl00dy Ransomware

Technical Details

We have taken the below sample hash for the purposes of this analysis:

(SHA256), 139a8bb2c5537190e747d2f651b423147018fd9a9a21bb36281d4ce1c61727c1,

which is a GUI-based x32 bit executable written in Microsoft Visual C/C++ compiler.

Upon execution, the ransomware initially resolves the mutex name by using a small decryption loop shown in Figure 3. The malware uses a similar decryption loop throughout the file to resolve DLL names, API functions, and other important strings.

Figure 3 – Decryption code to resolve Mutex string

After resolving the mutex string, the ransomware creates a mutex to ensure that only one instance of malware is running on the victim’s system at any given time. The malware exits if the mutex is already present. The below figure shows the created mutex name.

Figure 4 – Mutex Creation

The ransomware then creates multiple threads using the CreateThread() API to perform several tasks in parallel for faster file encryption, such as getting valid system drives, enumerating files/folders to encrypt files, discovering network shares, etc.

The below figure shows the malware using the GetLogicalDriveStringsW() API to get the available valid system drives in the victim’s machine.

Figure 5 – GetLogicalDriveStringsW() API

Next, the malware drops a ransom note in multiple folders with the file name “warning!!!! Readme bl00dy Gang.txt”. The contents of the ransom note are shown below.

Figure 6 – Malware Writing Ransom Notes

After dropping the ransom note, the malware searches files and directories for encryption by enumerating them using the FindFirstFileW() and FindNextFileW() API functions.

The ransomware excludes the below file extensions and file/folder names from encryption.

File extension.exe, .dll, .sys, .msi, .lnk
File namesBootmgr, DumpStack.log.tmp, pagefile.sys, swapfile.sys
Folder namesWindows, System Volume Information, $Recycle.Bin, Temp

The ransomware uses “Microsoft Enhanced RSA and AES Cryptographic Provider” libraries to perform the encryption on the victim machine. For encryption, the malware uses some of the functions from CryptoAPI such as CryptAcquireContextA(), CryptImportKey(), CryptGenRandom() and CryptEncrypt().

The figure below shows the malware encrypting data using the CryptEncrypt() API function with random bytes being generated using CryptGenRandom() and the key obtained from the CryptImportKey() function.

Figure 7 – CryptEncrypt() API

The figure below shows the code snippet of the encryption loop and the original & infected file content before and after encryption.

Figure 8 – Encryption loop and original/encrypted file content

In the next step, the malware renames the encrypted files with the “.bl00dy” extension using the lstrcatW() API and replaces them with the original file using the MoveFileW() API function, as shown below.

Figure 9 – MoveFileW() API

The below figure shows the files encrypted by Bl00dy ransomware after the successful infection of a victim’s machine.

Figure 10 – Files encrypted by Bl00dy Ransomware

Once the victim’s system is infected, the ransomware spreads to other machines on the same network, using the API function NetShareEnum(), as shown below.

Figure 11 – NetShareEnum() API

Additionally, the ransomware uses the following command line to run the WMI query, which deletes the shadow copy using Win32_ShadowCopy.ID:

  • cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where “ID=” {29A0A02F-1E9E-4A50-93C4-1D938C11D8A3}” delete

In the dropped ransom note, victims are given instructions on how they can contact the Bl00dy Ransomware Gang for ransom negotiations.

Additionally, the TAs behind Bl00dy ransomware threaten victims stating that they have penetrated their organization’s network and downloaded all important files. They also mention that they will publish the stolen information to the public if the ransom is not paid.

Figure 12 – Ransom note of Bl00dy Ransomware

The ransom note also has the Telegram link where TAs publish the compromised company’s private data.

The figure below shows the TA’s leaked information as “Telegram hall of shame,” which includes screenshot proofs of the attack, compromised company details, links to download organization data, screenshots of ransom negotiations with the organization, etc.

Figure 13 – Telegram “hall of shame” messages


Bl00dy is a newly discovered ransomware family operated by TAs who continue to breach organizations and demand significant ransom amounts. The TAs also perform double extortion attacks by stealing an organization’s files and leaking them via their Telegram channel if the ransom is not paid.

Ransomware is becoming an increasingly common and effective attack method to target organizations, adversely impacting their productivity, finances, and brand reputation. Organizations need to stay ahead of the techniques used by TAs besides implementing the requisite security best practices and security controls.

Cyble Research & Intelligence Labs (CRIL) continuously monitors new ransomware campaigns to keep our readers updated with our latest findings.

Our Recommendations

We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:

Safety Measures Needed to Prevent Ransomware Attacks

  • Conduct regular backup practices and keep those backups offline or in a separate network.
  • Turn on the automatic software update feature on your computer, mobile, and other connected devices wherever possible and pragmatic.
  • Use a reputed anti-virus and Internet security software package on your connected devices, including PC, laptop, and mobile.
  • Refrain from opening untrusted links and email attachments without verifying their authenticity.

Users Should Take the Following Steps After the Ransomware Attack

  • Detach infected devices on the same network.
  • Disconnect external storage devices if connected.
  • Inspect system logs for suspicious events.

Impact and Cruciality of Bl00dy Ransomware

  • Loss of valuable data.
  • Loss of the organization’s reputation and integrity.
  • Loss of the organization’s sensitive business information.
  • Disruption in organization operation.
  • Financial loss.

MITRE ATT&CK® Techniques 

TacticTechnique IDTechnique Name
User Execution
Command and Scripting Interpreter
Windows Management Instrumentation
Defense EvasionT1027
Obfuscated Files or Information
Software Packing
System Information Discovery
File and Directory Discovery
Process Discovery
Network Service Discovery
ImpactT1486Data Encrypted for Impact

Indicators of Compromise (IOCs) 

Bl00dy Ransomware

Scroll to Top