San Francisco 49ers Hit by Ransomware

Cyber-criminals have attacked the San Francisco 49ers American football team with ransomware.

The National Football League (NFL) team, whose mascot is a gold miner named Sourdough Sam, confirmed the attack one day before Sunday's Super Bowl that saw the Los Angeles Rams secure a victory at home in the final minutes of a close-run game.

Confirmation of the attack came after the 49ers were listed on a dark web leak site as a victim of the ransomware-as-a-service (RaaS) operation BlackByte. The attack could have been carried out by the creators of the ransomware or by an affiliate accessing the malware in return for a share of any illegal proceeds gained through its use.

"BlackBytes is a RaaS that launched in the middle of last year and, like multiple other ransomware families, it's coded to avoid encrypting systems that use the languages of Russia or other post-Soviet countries," said Emsisoft threat analyst Brett Callow.

Cyber-criminals claim to have stolen some of the San Francisco team's financial data including invoices from 2020. With an estimated value of $4.175B, the 49ers are the sixth most valuable team in the NFL. 

The 49ers said in a statement that it had suffered a "network security incident" that had temporarily disrupted its corporate network. 

“To date, we have no indication that this incident involves systems outside of our corporate network, such as those connected to Levi’s Stadium operations or ticket holders,” said the team. 

News of the attack on the 49ers followed the issuance of a joint security advisory on BlackByte ransomware by the FBI and Secret Service on February 11.

"As of November 2021, BlackByte ransomware had compromised multiple US and foreign businesses, including entities in at least three US critical infrastructure sectors (government facilities, financial, and food & agriculture). BlackByte is a Ransomware as a Service (RaaS) group that encrypts files on compromised Windows host systems, including physical and virtual servers," warned the advisory.

Matthew Warner, CTO and co-founder at Blumira, said that like Conti ransomware, BlackByte had been identified using Exchange vulnerabilities such as ProxyShell to gain a foothold in environments.

"BlackByte utilizes well-proven tactics such as PowerShell exploitation of obfuscated base64 content to perform all encryption on hosts once exploited," commented Warner.
