The San Francisco 49ers announced that the BlackByte ransomware organization had targeted them only hours before the Super Bowl. In a statement, the team stated it “recently became aware of a network security incident” that disrupted its corporate IT network.
“Upon learning of the incident, we immediately initiated an investigation and took steps to contain the incident. Third-party cybersecurity firms were engaged to assist, and law enforcement was notified,” as stated by a San Francisco 49ers spokesperson.
While the investigation is ongoing, the team believes the incident was limited to its corporate IT network. At this time it has no indication that the incident affected systems outside that network, such as those tied to Levi’s Stadium operations or ticket holders, and it is working to restore affected services as quickly and safely as the investigation allows.
Late Saturday evening, the San Francisco 49ers were listed on the ransomware group’s leak site. Two weeks ago, the club was only a few plays away from reaching the Super Bowl. The listing came one day after the FBI issued a warning about the BlackByte ransomware gang.
“As of November 2021, BlackByte ransomware had compromised multiple US and foreign businesses, including entities in at least three US critical infrastructure sectors (government facilities, financial, and food & agriculture). BlackByte is a Ransomware as a Service (RaaS) group that encrypts files on compromised Windows host systems, including physical and virtual servers,” the FBI said.
According to some victims, the attackers gained access to their networks by exploiting a known Microsoft Exchange Server vulnerability. Once inside, the actors use tools to move laterally across the network and escalate privileges, then exfiltrate files before encrypting them. In some cases the BlackByte operators encrypted data only partially.
The gang first surfaced last year; in October, cybersecurity firm Trustwave released a BlackByte decryptor for download on GitHub.
According to Trustwave’s research, the earliest version of BlackByte downloaded a key from a remote server and used that same AES key to encrypt files across infections, rather than generating a unique key for each session as more capable ransomware operators do. Anyone holding that one key could therefore decrypt every affected file, which is what made a public decryptor possible. The FBI said a second, less easily decrypted version of the ransomware appeared in November.
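The key-management flaw described above, as an added illustration (this is not Trustwave’s decryptor or any BlackByte code): a locker that fetches one fixed key for every victim can be undone by a single decryptor that embeds that key, while a per-run random key defeats it. To keep the example stdlib-only, an HMAC-SHA256 counter-mode keystream stands in for AES-CTR; the shared key bytes and the victim files are constructed here, and `SHARED_KEY` is an assumption standing in for the key file the early samples downloaded.

```python
import hashlib
import hmac
import os
from typing import Dict, Tuple

NONCE_LEN = 16


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: a stdlib stand-in for AES-CTR.
    The key-reuse lesson is identical for real AES."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(block)
        counter += 1
    return bytes(out[:length])


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """nonce || plaintext XOR keystream(key, nonce)."""
    nonce = os.urandom(NONCE_LEN)
    return nonce + _xor(plaintext, _keystream(key, nonce, len(plaintext)))


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct = blob[:NONCE_LEN], blob[NONCE_LEN:]
    return _xor(ct, _keystream(key, nonce, len(ct)))


# Constructed stand-in for the key file that every early sample fetched from
# the same remote location (assumption for illustration, not the real key).
SHARED_KEY = hashlib.sha256(b"constructed stand-in for the downloaded key file").digest()


def shared_key_locker(files: Dict[str, bytes]) -> Dict[str, bytes]:
    """Early-version behaviour: every victim's files are encrypted under the
    one downloaded key, so the key recovered from any sample unlocks all of them."""
    return {name: encrypt(SHARED_KEY, data) for name, data in files.items()}


def per_session_locker(files: Dict[str, bytes]) -> Dict[str, bytes]:
    """What stronger operators do: a fresh random key per run. The key is not
    written next to the data (real operators wrap it with their own public key),
    so nothing recovered from another victim helps."""
    session_key = os.urandom(32)
    return {name: encrypt(session_key, data) for name, data in files.items()}


def universal_decryptor(recovered_key: bytes, locked: Dict[str, bytes]) -> Dict[str, bytes]:
    """A decryptor built around one recovered key, applied to any victim's files."""
    return {name: decrypt(recovered_key, blob) for name, blob in locked.items()}


def demo() -> Tuple[bool, bool]:
    """Returns (shared-key scheme recovered?, per-session scheme recovered?)."""
    victim_a = {"report.docx": b"Q3 financials for victim A"}   # constructed
    victim_b = {"roster.xlsx": b"player roster for victim B"}   # constructed

    locked_a = shared_key_locker(victim_a)
    locked_b = shared_key_locker(victim_b)
    shared_recovered = (
        universal_decryptor(SHARED_KEY, locked_a) == victim_a
        and universal_decryptor(SHARED_KEY, locked_b) == victim_b
    )

    # Same decryptor against a per-session locker: the shared key is useless.
    locked_c = per_session_locker(victim_b)
    session_recovered = universal_decryptor(SHARED_KEY, locked_c) == victim_b
    return shared_recovered, session_recovered


if __name__ == "__main__":
    print(demo())
```

The practical check for a responder is the first branch of `demo()`: if a key pulled from one sample decrypts files from an unrelated victim, the family is using a shared key and a universal decryptor is feasible; if it does not, expect per-victim keys protected by the operator’s public key, and recovery depends on backups instead.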
Emsisoft ransomware specialist Brett Callow clarifies that BlackByte is a Ransomware-as-a-Service (RaaS) operation, so the affiliates who use it to carry out attacks may or may not be based in the same country as the core team. According to a Red Canary investigation of the ransomware, operators gained initial access to a customer’s Microsoft Exchange server by exploiting the ProxyShell vulnerabilities (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207).
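A detection check a responder would want for the initial-access vector named above, as an added example that is not Red Canary’s code or part of the original article: ProxyShell exploitation leaves requests to `/autodiscover/autodiscover.json` whose query string smuggles an `@`-prefixed backend path (`/mapi/nspi`, `/powershell`, …), a shape legitimate Autodiscover clients do not produce. The IIS W3C log excerpt below is constructed for the example; the field list, client IPs and user agents are assumptions, not data from this incident.

```python
from typing import Dict, Iterator, List

# Constructed IIS W3C log excerpt (not from any real incident). IIS writes '+'
# for spaces inside a field, so whitespace splitting yields one token per field.
SAMPLE_IIS_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip cs(User-Agent) sc-status
2021-11-02 10:14:03 10.0.0.5 GET /autodiscover/autodiscover.json @contoso.com/mapi/nspi/?&Email=autodiscover/autodiscover.json%3F@contoso.com 443 203.0.113.7 python-requests/2.26.0 200
2021-11-02 10:14:05 10.0.0.5 POST /autodiscover/autodiscover.json @contoso.com/powershell/?&Email=autodiscover/autodiscover.json%3F@contoso.com 443 203.0.113.7 python-requests/2.26.0 200
2021-11-02 10:15:11 10.0.0.5 GET /owa/auth/logon.aspx url=https%3a%2f%2fmail.contoso.com%2fowa%2f 443 198.51.100.20 Mozilla/5.0+(Windows+NT+10.0) 200
2021-11-02 10:16:40 10.0.0.5 POST /autodiscover/autodiscover.json - 443 198.51.100.21 Microsoft+Office/16.0 200
"""

# Backend paths that the path-confusion step reaches through Autodiscover.
BACKEND_MARKERS = ("/powershell", "/mapi/nspi", "/ews/", "/ecp/")


def parse_iis_log(text: str) -> Iterator[Dict[str, str]]:
    """Yield one dict per request, keyed by the names in the #Fields: header."""
    fields: List[str] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # truncated or malformed line; skip rather than misalign columns
        yield dict(zip(fields, values))


def is_proxyshell_like(entry: Dict[str, str]) -> bool:
    """Autodiscover JSON endpoint + '@' in the query + a backend path in the query."""
    stem = entry.get("cs-uri-stem", "").lower()
    query = entry.get("cs-uri-query", "").lower()
    if not stem.endswith("/autodiscover/autodiscover.json"):
        return False
    # Normal Autodiscover traffic (last sample line) has no '@'-prefixed backend path.
    return "@" in query and any(marker in query for marker in BACKEND_MARKERS)


def find_proxyshell_requests(text: str) -> List[Dict[str, str]]:
    """Return the log entries that match the ProxyShell request shape."""
    return [entry for entry in parse_iis_log(text) if is_proxyshell_like(entry)]


if __name__ == "__main__":
    for hit in find_proxyshell_requests(SAMPLE_IIS_LOG):
        print(hit["date"], hit["time"], hit["c-ip"], hit["cs-method"], hit["cs-uri-query"])
```

Run it over `C:\inetpub\logs\LogFiles\W3SVC1\*.log` on the Exchange front end; a hit from an external address, especially one followed by a `POST` toward `/powershell`, is worth treating as a compromise until proven otherwise. The check is a heuristic for this one request shape, not a substitute for the vendor’s full indicator list, and the real remedy is applying the 2021 Exchange security updates that closed these three CVEs.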