BlackByte Ransomware Group Attacked San Francisco 49ers Ahead of Super Bowl

  • Last updated February 14, 2022

San Francisco 49ers confirm that they have been attacked hours before the Super Bowl kicks off. BlackByte ransomware gang claims responsibility.

In an official statement, the team said it “recently became aware of a network security incident” that caused a disruption in their corporate network. The ransomware group stole the team’s financial documents.

A San Francisco 49ers spokesperson said that after learning of the cyberattack, third-party cybersecurity firms were brought in to contain the attack, and law enforcement agencies have also been informed.

“While the investigation is ongoing, we believe the incident is limited to our corporate IT network; to date, we have no indication that this incident involves systems outside of our corporate network, such as those connected to Levi’s Stadium operations or ticket holders. As the investigation continues, we are working diligently to restore involved systems as quickly and safely as possible,” said a San Francisco 49ers spokesperson.

After the incident, the San Francisco 49ers also showed up on the BlackByte ransomware gang’s site on Sunday. The group posted some of the team’s stolen documents on the dark web in a file named ‘2020 Invoices.’ The ransomware gang has not made any ransom demand and has not specified how much data has been stolen.


San Francisco 49ers showed up on BlackByte’s official leak site. (Image: ZDNet)

The attack on the San Francisco 49ers came a day after the FBI’s warning regarding the BlackByte ransomware gang. According to the FBI’s warning:

“As of November 2021, BlackByte ransomware had compromised multiple US and foreign businesses, including entities in at least three US critical infrastructure sectors (government facilities, financial, and food & agriculture). BlackByte is a Ransomware as a Service (RaaS) group that encrypts files on compromised Windows host systems, including physical and virtual servers.”

According to the FBI’s report, the threat actors use Microsoft Exchange vulnerabilities to access networks. Once they have access to the network, hackers can deploy various tools to move across the network to “escalate privileges before encrypting files.” In a few incidents, the BlackByte ransomware group has only partially encrypted files.

A report by Red Canary showed that the BlackByte ransomware gained access to the network by exploiting the ProxyShell vulnerabilities on a customer’s Microsoft Exchange server. These vulnerabilities include CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207.

The BlackByte ransomware group emerged last year with high-profile targets across the US. Research by Trustwave showed that the BlackByte ransomware encrypts stolen files with AES using the same key every time, instead of a unique key for each session. Trustwave also uploaded a BlackByte decryptor on GitHub.

According to the FBI, the second version of the ransomware was released in November. Brett Callow, the Emsisoft ransomware expert, said that BlackByte is a Ransomware-as-a-service (RaaS) operation, and the threat actors who use it to carry out cyberattacks may not necessarily be based in the same country.

Callow said that like other types of ransomware, “BlackByte does not encrypt computers which use the language of Russia and post-Soviet countries.” He said it does not mean that attackers behind this incident are in Russia. “Anyone can use the malware to launch attacks,” says Callow.

Ransomware groups have wreaked havoc in the past few months with high-profile targets. Some high-profile cases this month include the Vodafone Portugal attack and the cyberattack on Belgian and Dutch ports.
