UPDATED 20:41 EDT / FEBRUARY 14 2022


Data stolen in ransomware attack on San Francisco 49ers

The San Francisco 49ers American football team has been struck by a ransomware attack, with financial data stolen.

Credit for the attack has been taken by a ransomware gang going by the name of BlackByte. The gang first emerged in July and was the subject of a joint cybersecurity advisory by the U.S. Federal Bureau of Investigation and the Secret Service on Feb. 11.

BlackByte is said to have previously targeted multiple U.S. and foreign businesses, including entities in at least three U.S. critical infrastructure sectors. The gang runs a ransomware-as-a-service operation that encrypts files on compromised Windows host systems, including physical and virtual servers.

“BlackByte is a growing ransomware operator that has had success following successful patterns implemented by previous groups,” Matthew Warner, chief technology officer and co-founder at automated threat detection and response company Blumira Inc., told SiliconANGLE. “Similar to Conti ransomware, BlackByte has been identified using Exchange vulnerabilities such as ProxyShell to gain a foothold in environments. Additionally, BlackByte utilizes well-proven tactics such as PowerShell exploitation of obfuscated base64 content to perform all encryption on hosts once exploited.”
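The tactic Warner describes, PowerShell launched with base64-encoded content, leaves a recognisable trace in process-creation telemetry. The following detection sketch is an added example for this article and is not Blumira's or the 49ers' code; it runs over a handful of constructed process-creation records (hostnames, parent processes and command lines are all made up for illustration) and decodes `-EncodedCommand` payloads, which `powershell.exe` expects as base64 of the UTF-16LE script text. Because encoded commands are also used legitimately by management tooling, the scoring requires a second corroborating indicator (hidden window, no profile, in-script `FromBase64String`, or a web-server parent such as the IIS worker process that hosts Exchange) before raising an alert; those thresholds are the example's own assumptions, not figures from the article.

```python
import base64
import binascii
import re

# Constructed sample process-creation events, modelled loosely on the fields a
# Sysmon / EDR "process create" record carries. They are illustrative only and
# are not taken from the article or from any real incident.
def encode_for_powershell(script: str) -> str:
    """powershell.exe -EncodedCommand takes base64 of the UTF-16LE script text."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

SAMPLE_EVENTS = [
    # Benign: an admin running a plain, readable command from a desktop shell.
    {"host": "ws-01", "parent": "explorer.exe",
     "cmd": 'powershell.exe -NoProfile -Command "Get-Date"'},
    # Suspicious: hidden window, no profile, encoded payload, and spawned by the
    # IIS worker process (the shape of a post-Exchange-exploitation foothold).
    {"host": "mail-01", "parent": "w3wp.exe",
     "cmd": "powershell.exe -nop -w hidden -enc "
            + encode_for_powershell("Get-ChildItem C:\\Users -Recurse")},
    # Suspicious: hidden window plus in-script base64 decoding, the obfuscation
    # style the quote refers to. 'QQBCAA==' is just UTF-16LE "AB".
    {"host": "ws-02", "parent": "cmd.exe",
     "cmd": 'powershell.exe -w hidden -Command "[Text.Encoding]::Unicode.GetString('
            "[Convert]::FromBase64String('QQBCAA=='))\""},
    # Benign-looking: encoded, but an interactive parent and innocuous content.
    {"host": "ws-03", "parent": "explorer.exe",
     "cmd": "powershell.exe -e " + encode_for_powershell("Get-Process | Sort-Object CPU")},
]

WEB_SERVER_PARENTS = {"w3wp.exe"}  # IIS worker process; Exchange runs under it
ENCODED_PARAM = "encodedcommand"

def extract_encoded_payload(cmd: str):
    """Return the argument passed to -EncodedCommand, or None.

    powershell.exe accepts any unambiguous prefix of the parameter name
    (-e, -en, -enc, ...), so match by prefix rather than by exact spelling.
    """
    tokens = cmd.split()
    for i, tok in enumerate(tokens[:-1]):
        if tok.startswith("-") and len(tok) > 1:
            name = tok[1:].lower()
            if name.startswith("e") and ENCODED_PARAM.startswith(name):
                return tokens[i + 1].strip("\"'")
    return None

def decode_payload(b64: str):
    """Decode -EncodedCommand content (base64 of UTF-16LE); None if not base64."""
    try:
        raw = base64.b64decode(b64, validate=True)
    except (binascii.Error, ValueError):
        return None
    return raw.decode("utf-16-le", errors="replace")

def analyze_event(event: dict) -> dict:
    """Score one process-creation record and list every indicator raised."""
    cmd = event["cmd"]
    lower = cmd.lower()
    indicators = []
    decoded = None
    payload = extract_encoded_payload(cmd)
    if payload is not None:
        indicators.append("encoded_command")
        decoded = decode_payload(payload)
        if decoded is None:
            indicators.append("undecodable_base64")
    if "frombase64string" in lower:
        indicators.append("inline_base64_decode")
    if re.search(r"-w(?:indowstyle)?\s+hidden", lower):
        indicators.append("hidden_window")
    if re.search(r"(?<!\S)-no?p(?:rofile)?(?!\S)", lower):
        indicators.append("no_profile")
    if event["parent"].lower() in WEB_SERVER_PARENTS:
        indicators.append("web_server_parent")
    # Encoding alone is routine for scheduled tasks and management tools, so
    # (an assumed threshold) alert only when two or more indicators coincide.
    score = len(indicators)
    return {"host": event["host"], "score": score, "alert": score >= 2,
            "indicators": indicators, "decoded": decoded}

def triage(events):
    """Run the analysis over a batch of records and return the findings."""
    return [analyze_event(e) for e in events]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

The decoded text is carried in each finding so an analyst sees the actual command rather than an opaque blob; in practice the decoded content would be fed back through the same checks, since nested encoding is common.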

The news that the 49ers had been hacked first emerged after BlackByte published samples of stolen documents on its dark web page over the weekend. The team confirmed the breach on Sunday, describing the attack as a “network security incident” that had disrupted some of its corporate information technology network systems.

The 49ers ticked off the standard responses to a ransomware attack, saying that they had informed law enforcement and hired a third-party cybersecurity company to assist in an investigation. The team added that it has “no indication that this incident involves systems outside of our corporate network, such as those connected to Levi’s Stadium operations or ticket holders.” Levi’s Stadium is the 49ers’ home stadium, in Santa Clara, California.

It’s not clear what ransom amount is being demanded by BlackByte, but attacks by such groups usually involve ransom demands in the millions.

Anneka Gupta, chief product officer at cloud data management company Rubrik Inc., noted that the attack demonstrates how ransomware is infiltrating every aspect of our lives, from critical infrastructure such as schools and hospitals to professional sports teams and entertainment.

“Ransomware-as-a-service groups, including BlackByte, have evolved into incredibly well-funded, sophisticated organizations whose entire purpose is to wreak havoc on victims in hope of payout,” Gupta added. “Alarmingly, often these groups purposefully carry out attacks during holidays — or during the biggest event of the NFL season when all eyes are on the league — in hopes that their victims will be unprepared.”

Keith Neilson, technical evangelist at cyber asset management company CloudSphere, warned that “while the San Francisco 49ers discovered a ransomware attack and acted immediately to remediate disruptions to their network, less high-profile organizations may not be as fortunate.”

Photo: John Martinez Pavliga/Wikimedia Commons
