Posted on February 14, 2022 at 5:33 PM
The San Francisco 49ers have become the latest victim of an attack by the BlackByte ransomware group. The team was attacked just a few hours before the Super Bowl started.
The team has been added to the list of victims hit by this ransomware group and has since confirmed the attack. In a statement, it said that it had “recently become aware of a network security incident.”
San Francisco 49ers attacked by ransomware group
In a statement, a spokesperson for the team said: “Upon learning of the incident, we immediately initiated an investigation and took steps to contain the incident. Third-party cybersecurity firms were engaged to assist, and law enforcement was notified.”
The San Francisco 49ers said that an investigation into the matter had been launched and that its preliminary findings showed the attack was limited to the team’s corporate IT network.
“To date, we have no indication that this incident involves systems outside of our corporate network, such as those connected to Levi’s Stadium operations or ticket holders. As the investigation continues, we are working diligently to restore involved systems as quickly and as safely as possible,” the spokesperson added.
On Saturday evening, the team’s name appeared on the leak site of the BlackByte ransomware group. Two weeks before the event, the San Francisco 49ers had been a few plays away from reaching the Super Bowl.
The threat from the BlackByte ransomware group has increased
The Federal Bureau of Investigation (FBI) recently released a warning about the BlackByte ransomware group. The group has been attributed a series of attacks in the US and other countries. It does not target any particular type of infrastructure or organization, which makes it a major threat to critical sectors as well.
The warning from the FBI stated that “As of November 2021, BlackByte ransomware had compromised multiple US and foreign businesses, including entities in at least three US critical infrastructure sectors (government facilities, financial, and food & agriculture). BlackByte is a Ransomware as a Service (RaaS) group that encrypts files on compromised Windows host systems, including physical and virtual servers.”
The FBI also described the different ways this group conducts its attacks. Some victims reported that the attackers exploited a vulnerability in Microsoft Exchange Server. Depending on the security controls an organization has in place, the ransomware may encrypt the data completely or only partially.
“Some victims reported the actors used a known Microsoft Exchange Server vulnerability as a means of gaining access to their networks. Once in, the actors deploy tools to move laterally across the network and escalate privileges before exfiltrating and encrypting files. In some instances, BlackByte ransomware actors have only partially encrypted files.”
The victims’ accounts are consistent with an analysis from Red Canary of the ransomware group’s operations. According to that analysis, the attackers gained initial access to the network by exploiting the ProxyShell vulnerabilities. These vulnerabilities, tracked as CVE-2021-34473, CVE-2021-34523 and CVE-2021-31207, affect Microsoft Exchange Server.
The BlackByte ransomware group has posed a major threat to organizations and government bodies even though its first operations were only detected last year. New threat groups are usually hard to defend against because they bring new and advanced techniques; that has not been the case with the BlackByte ransomware group.
In October last year, TrustWave, a cybersecurity company, released a BlackByte decryptor, which is available for download from GitHub. The company’s research revealed that the initial version of the BlackByte ransomware fetched and used the same key on every victim, and that key was used to encrypt the files. This differs from the approach of sophisticated ransomware operators, who use unique keys for every session, making it hard for cybersecurity companies to decrypt the files.
</gre_replace>
<gr_insert after="16" cat="add_content" lang="python" orig="In October last year, TrustWave">
As an added illustration (not code from the article, from TrustWave or from the ransomware itself) of why a static key is what makes a public decryptor possible, the toy script below uses a constructed stdlib-only stream cipher: a key recovered from one sample decrypts every other victim’s files when the key is static, but not when each session generates its own random key. All keys and file contents are constructed values.

```python
import hashlib
import hmac
import os

# Toy stream cipher built from HMAC-SHA256 in counter mode (constructed for
# illustration; not BlackByte's cipher). The nonce is prepended to the ciphertext.
def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(8, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)
    ks = keystream(key, nonce, len(plaintext))
    return nonce + bytes(p ^ k for p, k in zip(plaintext, ks))

def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct = blob[:16], blob[16:]
    ks = keystream(key, nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))

# Static-key design: every infection uses the same key (constructed value).
STATIC_KEY = hashlib.sha256(b"constructed-static-key").digest()

def encrypt_static(files: dict) -> dict:
    return {name: encrypt(STATIC_KEY, data) for name, data in files.items()}

# Per-session design: a fresh random key per victim, as mature operators do.
def encrypt_per_session(files: dict) -> tuple:
    session_key = os.urandom(32)
    return session_key, {name: encrypt(session_key, data) for name, data in files.items()}

def universal_decryptor(recovered_key: bytes, encrypted: dict) -> dict:
    """What a public decryptor does: apply one recovered key to any victim's files."""
    return {name: decrypt(recovered_key, blob) for name, blob in encrypted.items()}

def demo() -> tuple:
    victim_a = {"report.docx": b"quarterly numbers", "notes.txt": b"draft minutes"}
    victim_b = {"roster.xlsx": b"player list", "invoice.pdf": b"stadium vendor invoice"}
    # Analysts recover the key from ONE sample taken from victim A ...
    recovered = STATIC_KEY
    # ... and it decrypts victim B's files too, because the key never changes.
    static_works = universal_decryptor(recovered, encrypt_static(victim_b)) == victim_b
    # With per-session keys, victim A's key is useless against victim B.
    key_a, _ = encrypt_per_session(victim_a)
    _, enc_b = encrypt_per_session(victim_b)
    session_works = universal_decryptor(key_a, enc_b) == victim_b
    return static_works, session_works  # (True, False)
```
<test>
assert demo() == (True, False)
files = {"x.txt": b"hello world"}
assert universal_decryptor(STATIC_KEY, encrypt_static(files)) == files
k = b"k" * 32
assert decrypt(k, encrypt(k, b"abc")) == b"abc"
assert decrypt(k, encrypt(k, b"")) == b""
</test>
</gr_insert>
<gr_replace lines="17-18" cat="clarify" orig="The FBI has further stated">
The FBI has further stated that a new, less vulnerable version of the ransomware was released in November. The release coincided with the launch of TrustWave’s decryptor. This version still poses a major threat to organizations.
Brett Callow, a ransomware expert at Emsisoft, stated that BlackByte is a Ransomware-as-a-Service (RaaS) operation. According to Callow, the individuals behind any given BlackByte attack are not necessarily based in the same country.
The FBI has further stated that a less vulnerable version of the ransomware was released in November. The release coincided with the launch of the decryptor by TrustWave. This version still poses a major threat to organizations.
Brett Callow, a ransomware expert from Emsisoft, stated that BlackByte is a Ransomware-as-a-service (RaaS) operation. According to Callow, the individuals behind this ransomware attack could be from the same country or not.
While these ransomware attacks have not been linked to any country, Callow added that “like multiple other types of ransomware, BlackByte does not encrypt computers which use the languages of Russia and post-Soviet countries.”