Cyber Threat Actor: Bl00dy Ransomware Gang
| Actor Type | Location | Known Incidents |
Crime Syndicate
|
Russia
|
2 incidents |
|---|
Profile
The Bl00dy Ransomware Gang, also tracked as the Everest Ransomware Gang, is a cybercriminal group that has been linked to Russia in open‑source reporting. It first appeared on Telegram in mid‑2022 and has since claimed responsibility for a series of intrusions targeting healthcare providers, educational institutions, industrial manufacturers and a Venezuelan textile company. The gang’s public statements consistently describe its goals as financial gain, either through ransom payments for decryption keys or by threatening to sell exfiltrated data on underground markets. In the New York medical practice incident of May 2022 the actors alleged they had stolen approximately 900 GB of patient information, including names, addresses, Social Security numbers and dates of birth, and warned that the data would be offered for sale if demands were not met. Similar financial motives were expressed in the claims against the North Carolina schools, the Venezuelan firm Telas Palo Grande and the Italian Lucchini Group, where the gang demanded payment for decryption tools and warned of permanent damage if victims attempted recovery without assistance.
Technical details disclosed by the group indicate that its ransomware strain is derived from the leaked Lockbit builder, allowing the gang to generate a custom variant that appends the .bl00dy extension to encrypted files. The actors have described a practice of continually switching between different malware families to evade detection, a tactic they claim provides them with the advantages of multiple code bases. Beyond deploying ransomware, the gang advertises its services on Telegram, offering custom builds for Linux, Windows, NAS and ESXI environments for a flat fee of $800 and promising an 80/20 profit split to purchasers. They also recruit penetration testers and other skilled individuals, suggesting a business model that blends malware development with a affiliate‑like distribution network. While specific initial‑access vectors are not detailed in the available sources, the group’s posts reference having taken servers offline and possessing backdoor access to victim networks, implying persistence mechanisms are part of their operational repertoire.
Publicly attributed operations include the May 2022 breach of Primary Care of Long Island and associated vendors in New York, the May 2023 claim of compromising Socrates Academy and Movement School in North Carolina, the January 2023 assertion of an attack on the Venezuelan textile company Telas Palo Grande and the December 2022 declaration of intrusion into the Italian Lucchini Group’s manufacturing infrastructure. In each case the gang posted proof‑of‑concept material such as screenshots, CSV files or chat logs on its Telegram channel, although the victim organizations have not universally confirmed the incidents or disclosed the full impact. The repeated pattern of claiming data theft, threatening sale, offering decryption tools for payment and leveraging a Lockbit‑derived malware family constitutes the observable footprint of the Bl00dy Ransomware Gang based on the presently documented evidence.
