The BlackByte Ransomware Gang Is Back At Work, Now It's The San Francisco 49ers' Turn

The San Francisco 49ers, an NFL member club was hit by a ransomware attack. (photo: doc. San Francisco 49ers, )

JAKARTA - The San Francisco 49ers, an NFL member club, was hit by a major ransomware attack in the last Super Bowl. The NFL has also confirmed to ZDNet that it has been attacked by the BlackByte ransomware group, but luckily the attack itself was somewhat limited.

In a statement confirming the incident, 49ers said it was "recently aware of a network security incident" that disrupted its corporate IT network, but nothing more.

"Upon becoming aware of the incident, we immediately initiated an investigation and took steps to contain the incident. A third-party cybersecurity company was engaged to assist, and law enforcement was notified," the statement added as quoted by TechRadar.

"While the investigation is ongoing, we believe the incident was confined to our corporate IT network. To date, we have no indication that this incident involved systems outside our corporate network, such as those connected to Levi's Stadium operations or ticket holders. Investigations are ongoing. , we are making every effort to restore the systems involved as quickly and safely as possible," the statement added.

Ransomware operators usually have websites, where they advertise data stolen from the endpoints they compromised and which they intentionally want to leak to the public. Data from the San Francisco 49ers themselves reportedly appeared on the site Saturday night, just hours before the Super Bowl.

ZDNet also hinted that the FBI may have known about the hack beforehand, as the law enforcement agency had issued a warning about BlackByte just a day before the incident was made public.

"Starting November 2021, the BlackByte ransomware has disrupted several US and foreign businesses, including entities in at least three critical US infrastructure sectors (government facilities, finance, and food & agriculture). BlackByte is a Ransomware as a Service (RaaS) group that encrypts files on compromised Windows host systems, including physical and virtual servers," the FBI warned earlier.

"Several victims reported that perpetrators used a known Microsoft Exchange Server vulnerability as a means to gain access to their network. Once logged in, perpetrators used tools to move laterally across the network and increase privileges before extracting and encrypting files. In some cases, ransomware actors BlackByte only has partially encrypted files."

BlackByte, a Ransomware-as-a-service (RaaS) operation, was founded about last year. The master key (a decryptor, basically), is available in October 2021 by cybersecurity researchers from Trustwave.