San Francisco 49ers confirms it fell victim to BlackByte ransomware on Super Bowl Sunday
The group has been on a spree, compromising systems worldwide, including critical US infrastructure
By Cal Jeffrey
Editor's take: This year's Super Bowl was not very exciting. The game was low-scoring, and the halftime show was lackluster. The only interesting thing that happened on Super Bowl Sunday is that the San Francisco 49ers, who weren't even in the game, confirmed they had been hacked.
Over the weekend, the BlackByte ransomware group's dark web blog touted that it had hacked servers belonging to the San Francisco 49ers and encrypted them. It wants $530 million for the key. The post contains a file called "2020 Invoices" to prove it has company data. Ars Technica notes that the cache holds hundreds of billing statements to entities including AT&T, Pepsi, and the city of Santa Clara.
A representative for the team confirmed on Sunday that BlackByte attacked it the day before, but it appears that only the corporate offices were involved. Records at Levi's Stadium, San Francisco's home field, are safe, and ticket holders have nothing to fear.
"While the investigation is ongoing, we believe the incident is limited to our corporate IT network," said the spokesperson. "To date, we have no indication that this incident involves systems outside of our corporate network, such as those connected to Levi's Stadium operations or ticket holders."
"On the eve of the #SuperBowl the #49ers get posted as a #Blackbyte #ransomware victim. Smart marketing tbh. #infosec #cybersecurity #threatintel #cyber #NFL" --- CyberKnow (@Cyberknow20), February 12, 2022
The ransomware attack came only a day after the FBI and the US Secret Service issued a warning that the BlackByte hacking group has compromised no fewer than three critical infrastructure sectors in the United States. The report published on Friday says that as of November 2021, BlackByte had infected multiple "government facilities, financial, and food & agriculture" systems with ransomware.
"The BlackByte executable leaves a ransom note in all directories where encryption occurs. The ransom note includes the .onion site that contains instructions for paying the ransom and receiving a decryption key," the notice says. "Some victims reported the actors used a known Microsoft Exchange Server vulnerability as a means of gaining access to their networks. Once in, actors deploy tools to move laterally across the network and escalate privileges before exfiltrating and encrypting files."
The joint task force warning includes technical details and mitigation procedures for IT personnel to protect their companies against BlackByte attacks.
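The FBI notice's description of the note dropped into every encrypted directory, each copy pointing at a .onion site, suggests a simple triage sweep for responders: find small files that mention ".onion" and are replicated byte-for-byte across many directories. The script below is an added illustration of that check, not code from the article or from the FBI advisory; the note filename, the .onion address and the directory layout are constructed sample data, since the article gives none of BlackByte's real values.

```python
import hashlib
import os
import tempfile
from collections import defaultdict

# Assumed note filename for the constructed sample; the article does not give BlackByte's real one.
SAMPLE_NOTE_NAME = "RESTORE_FILES_README.txt"
MAX_NOTE_BYTES = 16 * 1024  # ransom notes are small text files; skip anything larger

def find_ransom_notes(root, min_dirs=2):
    """Map each distinct small .onion-bearing file (by SHA-256) to the directories holding it.
    Only content replicated across at least `min_dirs` directories is reported, which matches the
    note-in-every-encrypted-directory pattern and ignores a lone Tor-related text file."""
    by_hash = defaultdict(list)
    for dirpath, _subdirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                if os.path.getsize(path) > MAX_NOTE_BYTES:
                    continue
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue  # unreadable or vanished file: skip it and keep sweeping
            if b".onion" in data:
                by_hash[hashlib.sha256(data).hexdigest()].append(path)
    hits = {}
    for digest, paths in by_hash.items():
        dirs = sorted({os.path.dirname(p) for p in paths})
        if len(dirs) >= min_dirs:
            hits[digest] = dirs
    return hits

def build_sample_tree():
    """Constructed sample data: one identical note dropped in three directories, plus a decoy."""
    root = tempfile.mkdtemp(prefix="ransom_sweep_demo_")
    note = b"Your files are encrypted. Instructions: http://PLACEHOLDER-ADDRESS.onion\n"
    for sub in ("finance", os.path.join("finance", "2020"), "hr"):
        d = os.path.join(root, sub)
        os.makedirs(d, exist_ok=True)
        with open(os.path.join(d, SAMPLE_NOTE_NAME), "wb") as fh:
            fh.write(note)
        with open(os.path.join(d, "invoice.pdf"), "wb") as fh:  # ordinary file, never flagged
            fh.write(b"%PDF-1.4 constructed placeholder content\n")
    # Decoy: a single memo mentioning .onion in only one directory must not be reported.
    with open(os.path.join(root, "hr", "tor-memo.txt"), "wb") as fh:
        fh.write(b"Internal memo: the bug-bounty portal also has a .onion mirror.\n")
    return root
```

Run against a mounted image or a live share root, the returned directory list doubles as a first map of which parts of the tree the encryption reached.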