Bl00dy Ransomware Gang Targets Schools

A padlock with a skull and crossbones on it locks a computer's keyboard.
Photo ID: 73658863 © tonsnoei/

The Bl00dy Ransomware Gang is exploiting a vulnerability in print management software PaperCut to target schools, according to an advisory by CISA

While PaperCut fixed this vulnerability in March, not all organizations applied the patch immediately. CISA recommends these organizations consider themselves compromised and look for malicious activity.

The Bl00dy Ransomware Gang

The Bl00dy Ransomware Gang began their attacks on educational institutions in early May. CISA reports some of their attempts to exploit the vulnerable print management software were successful, leading to “data exfiltration and encryption of victim systems.” In other words, the Gang stole files from schools, before locking the schools’ copies so they could not access them.

The Gang then extorted their victims, requesting money to unlock the encrypted files and not publish the stolen data. 

As schools can hold extremely sensitive data about their students and staff, publicly leaking that information has the potential for significant harm. For example, data stolen from the Minneapolis Public School District and leaked online by the Medusa ransomware group earlier this year included detailed reports of rape and child abuse.

Leaking Stolen Files on Twitter

The Bl00dy Ransomware Gang have already posted links to some stolen school data on their Twitter account. Yesterday, they threatened to release more stolen information from one school since it “refused to come into agreement with the team.” The group tauntingly tagged CISA and tech news site BleepingComputer in a tweet directly following this threat.

Bl00dy Ransomware Gang;
Your remaining files/documents
will be Published online here for freee
As you refused to come into agreement with the team.
Time is Money
!!time is ticking!!
Ok emoji x 3
The Bl00dy Ransomware Gang threatens to release more stolen school data on Twitter.

Using Twitter to distribute information stolen in a hack directly violates the social media platform’s hacked materials policy. The policy explicitly states, “we do not allow the people or groups directly associated with a hack to use Twitter to distribute hacked materials.” 

Safe Not Scammed previously reported the Bl00dy Ransomware Gang’s Twitter account, but was told it was not violating Twitter’s rules. Tweets from Safe Not Scammed asking if this was a mistake did not receive a response.

Leave a Comment

Your email address will not be published. Required fields are marked *