The San Francisco 49ers, the American football team, have been struck by a ransomware attack in which financial data was stolen.

The credit for the attack has been taken by a ransomware gang going by the name of BlackByte. The gang first emerged in July and was the subject of a joint cybersecurity advisory by the U.S. Federal Bureau of Investigation and the Secret Service on Feb. 11.

BlackByte is said to have previously targeted multiple U.S. and foreign businesses, including entities in at least three U.S. critical infrastructure sectors. The gang runs a ransomware-as-a-service operation that encrypts files on compromised Windows host systems, including physical and virtual services.

“BlackByte is a growing ransomware operator that has had success following successful patterns implemented by previous groups,” Matthew Warner, chief technology officer and co-founder at automated threat detection and response company Blumira Inc., told SiliconANGLE. “Similar to Conti ransomware, BlackByte has been identified using Exchange vulnerabilities such as ProxyShell to gain a foothold in environments. Additionally, BlackByte utilizes well-proven tactics such as PowerShell exploitation of obfuscated base64 content to perform all encryption on hosts once exploited.”

The news that the 49ers had been hacked first emerged after BlackByte published samples of stolen documents on its dark web page over the weekend. The team subsequently confirmed on Sunday that it had been hacked, describing the attack as a “network security incident” that had disrupted some of its corporate IT network systems.

The 49ers ticked off the standard responses to a ransomware attack, saying that they had informed law enforcement and had hired a third-party cybersecurity company to assist in an investigation. The team added that it had “no indication that this incident involves systems outside of our corporate network, such as those connected to Levi’s Stadium operations or ticket holders.” Levi’s Stadium is the 49ers’ home stadium.

It’s not clear how much ransom BlackByte is demanding, but attacks by such groups typically involve ransom demands in the millions of dollars.

Anneka Gupta, chief product officer at cloud data management company Rubrik Inc., noted that the “ransomware attack on the San Francisco 49ers demonstrates how ransomware is infiltrating every aspect of our lives, from critical infrastructure, such as schools and hospitals to professional sports teams and entertainment.”

“Ransomware-as-a-service groups, including BlackByte, have evolved into incredibly well-funded, sophisticated organizations whose entire purpose is to wreak havoc on victims in hope of payout,” Anneka added. “Alarmingly, often these groups purposefully carry out attacks during holidays — or during the biggest event of the NFL season when all eyes are on the league — in hopes that their victims will be unprepared.”

Keith Neilson, technical evangelist at cyber asset management company CloudSphere, warned that “while the San Francisco 49ers discovered a ransomware attack and acted immediately to remediate disruptions to their network, less high-profile organizations may not be as fortunate.”

Photo: John Martinex Pavliga/Wikimedia Commons
