Menu
Browse

Cyber Threat Actor: BL00DY

Actor Type Location Known Incidents
 Icon
Criminal
5 incidents
Profile

The threat actor known as BL00DY, also identified as Bl00dy Ransomware Gang, Bloody Ransomware Gang, or Bloody Gang, operates as a financially motivated ransomware group. Publicly documented operations indicate a pattern of targeting organizations across multiple sectors, including education, manufacturing, healthcare, and textiles. Victims have been geographically dispersed, with confirmed incidents affecting entities in the United States, Venezuela, and Italy. The group employs double extortion tactics, encrypting victim systems while exfiltrating sensitive data to pressure organizations into paying ransoms. They publicly claim responsibility for attacks, often using social media platforms like Twitter and Telegram to publish proof of compromise, including financial records, tax documents, QuickBooks files, screenshots, and CSV files. Ransom demands are accompanied by deadlines, with threats to release additional stolen data if payment is not made.

BL00DY has demonstrated ties to established ransomware operations, described as an offshoot of LockBit that leveraged LockBit’s leaked malware builder to develop its own variant encrypting files with a .bl00dy extension. The group shifts between malware families to evade detection while incorporating functionalities from multiple sources. Initial access vectors and tooling specifics remain unspecified in available reports. Notable campaigns include the May 2023 breaches of Socrates Academy and Movement School in North Carolina, where they leaked sensitive financial data; the January 2023 attack on Venezuelan textile firm Telas Palo Grande, disclosing operational records via Telegram; and the December 2022 encryption of Italian metal manufacturer Lucchini Group’s servers, accompanied by warnings against independent recovery attempts due to persistent backdoor infections. In the Lucchini case, BL00DY issued a seven-day negotiation ultimatum. Earlier operations include a May 2022 incident targeting New York medical practices, where they allegedly exfiltrated patient data and insurance documents. The group maintains a persistent presence on Telegram for recruitment, negotiation, and data leaks, reflecting a structured approach to extortion and operational secrecy.

Incidents
Attributed incidents available to members
5 incidents
Sources
Sources available to members
4 sources