49ers have confirmed that it is the latest victim of the BlackByte ransomware gang.
Hugely popular NFL franchise’s team San Francisco 49ers is the latest victim of a ransomware gang’s malicious objectives. Reportedly, attackers encrypted files on the team’s corporate IT network right before the Super Bowl kicked off.
According to a spokesperson of the 49ers, they experienced a ‘network security incident’ that disrupted several organization computer systems. The news of the ransomware attack broke a few hours before Super Bowl LVI in which the 49ers would have been a part of had the team not lost to the Los Angeles Rams two weeks back.
The spokesperson also claimed that the attack was limited to their corporate IT network and didn’t impact the computer systems used in the stadium operations of 49ers or procedures linked to ticket holders.
As soon as the incident was identified, the management initiated an investigation and took the necessary steps to contain the attack. They hired cybersecurity firms to deal with the issue and also notified law enforcement authorities.
BlackByte Responsible for the Attack
The San Francisco 49ers’ management confirmed that BlackByte ransomware operators are responsible for the attack. The gang, which uses BlackByte ransomware to encrypt files on targeted machines, had listed the 49ers as their potential victims on a Dark Web’ leak site’ on Saturday. The gang uses this site to embarrass victims and pressurize them into paying the ransom/extortion money.
While the investigation is ongoing, we believe the incident is limited to our corporate IT network; to date, we have no indication that this incident involves systems outside of our corporate network, such as those connected to Levi’s Stadium operations or ticket holders. As the investigation continues, we are working diligently to restore involved systems as quickly and as safely as possible.
Spokesperson – 49ers
Had the team made it to the Super Bowl, this attack could have caused serious disruption to the team’s preparations. It is also unclear how this incident will affect 49ers’ planning for the next NFL year, which starts in late February.
Who is BlackByte ransomware?
BlackByte ransomware gang is among the many small ransomware collectives active nowadays. The group operates on a RaaS/ransomware-as-a-service model. They rent out the ransomware to affiliates for carrying out ransomware attacks, steal files from the hacked machines and encrypt them.
The group has been active since September 2021. Their first ransomware version wasn’t too sophisticated as cybersecurity firm Trustwave could identify vulnerabilities and quickly created a free decrypter. The group then released a second ransomware version sans the encryption bug and has used it in its attacks ever since.
FBI’s Alert about BlackByte
On February 11, the US Federal Bureau of Investigation (FBI) issued a security alert, warning users about BlackByte attacks. The agency stated that the group targets US and international businesses “including entities in at least three US critical infrastructure sectors (government facilities, financial, and food & agriculture).”
Some victims reported the actors used a known Microsoft Exchange Server vulnerability as a means of gaining access to their networks. Once in, actors deploy tools to move laterally across the network and escalate privileges before exfiltrating and encrypting files. In some instances, BlackByte ransomware actors have only partially encrypted files.
The FBI
Ironically, the alert was released just one day before the 49ers confirmed becoming the victim of BlackByte ransomware operators.
