CISA: Bl00dy Ransomware Gang using printer vulnerability to attack schools

The Cybersecurity and Infrastructure Security Agency (CISA) and FBI said a relatively new ransomware group has been exploiting an issue with a popular printing software to attack schools across the U.S.

In an advisory on Thursday, CISA said that since the middle of April the Bl00dy Ransomware Gang has been exploiting CVE-2023-27350 – a vulnerability discovered earlier this year that affects PaperCut software used by tens of thousands of companies, schools, and government agencies around the world.

CISA specifically urged K-12 schools to patch the vulnerability and use the detection methods in this advisory.

The agencies said organizations that did not immediately patch the bug should “assume compromise and hunt for malicious activity using the detection signatures in this CSA.”

“Education Facilities Subsector entities maintained approximately 68% of exposed, but not necessarily vulnerable, U.S.-based PaperCut servers. In early May 2023, according to FBI information, the Bl00dy Ransomware Gang gained access to victim networks across the Education Facilities Subsector where PaperCut servers vulnerable to CVE-2023-27350 were exposed to the internet,” the agencies said in the advisory.

“Ultimately, some of these operations led to data exfiltration and encryption of victim systems. The Bl00dy Ransomware Gang left ransom notes on victim systems demanding payment in exchange for decryption of encrypted files.”

CISA ordered all federal civilian agencies to patch the vulnerability by May 12 but that has not stopped both cybercriminals and nation-states from using it to attack a variety of organizations.

Since a March 8 advisory from PaperCut, several ransomware groups, including Clop and LockBit, have been seen exploiting the bug, according to Microsoft. Last week, Microsoft said two nation-state actors from Iran were seen exploiting it as well.

CISA explained that there are currently two publicly known proofs of concept for achieving remote code execution in vulnerable PaperCut software that allow hackers to take a range of actions in a victim’s system.

The advisory provides a sample of the ransomware note from Bl00dy, which provides victims with an email to contact for ransom negotiations.

The advisory comes amid a string of ransomware attacks on K-12 schools, colleges and universities, hindering final exams and commencement ceremonies across the U.S.