One of the teams in the National Football League (NFL) ended up falling victim to a ransomware hack, with the attackers saying they purloined the team's financial data.

The San Francisco 49ers suffered the attack at the hands of ransomware gang BlackByte. The attackers appeared to have posted some of the stolen team documents on a site on the dark web in a file marked “2020 Invoices,” according to a report from The Associated Press. The gang did not make its ransom demands public or specify how much data it had stolen or encrypted.

The team said in a statement Sunday it recently became aware of a “network security incident” that had disrupted some of its corporate IT network systems. The 49ers said they’d notified law enforcement and hired cybersecurity firms to assist.

Learning Details
“To date, we have no indication that this incident involves systems outside of our corporate network, such as those connected to Levi’s Stadium operations or ticket holders,” the team said in a statement.

News of the attack comes two days after the FBI and U.S. Secret Service issued an alert on BlackByte ransomware, saying it had “compromised multiple U.S. and foreign businesses, including entities in at least three U.S. critical infrastructure sectors” since November.

Ransomware gangs, which hack targets and hold their data hostage through encryption, have caused widespread havoc in the last year with high-profile attacks on JBS, a global meat supplier, and Colonial Pipeline, a large East Coast fuel pipeline in the U.S.

But the ransomware attacks have not stopped there and have continued to ratchet up, with more victims including a German fuel depot and a fuel depot in Belgium, among others.

BlackByte is a ransomware-as-a-service group. That means it's decentralized, with independent operators developing the malware, hacking into organizations or filling other roles. It's part of a trend of ransomware groups becoming increasingly professionalized. A recent report by the FBI, NSA and others said that ransomware operators are even setting up an arbitration system to resolve payment disputes among themselves.

“Similar to other ransomware operators, BlackByte’s techniques aren’t necessarily sophisticated but they are impactful, tried-and-true tactics,” said Harrison Van Riper, senior intelligence analyst at Red Canary. “In this instance, the bad actors gained access by exploiting a vulnerability in the company’s Microsoft Exchange server, installing a web shell and then dropping the popular adversarial tool, Cobalt Strike. What did stand out was BlackByte’s use of print bombing, whereby operators sent hourly physical ransom notes to all printers connected to the infected machine, ensuring that there was no question that the targets had fallen victim to a ransomware attack. The encryption phase was also unusual, as in an effort to find new ways to evade defenses, bad actors attempted to delete a scheduled task for a so-called ransomware vaccine, or ‘Raccine.’

“Another noteworthy part of BlackByte’s operation is their ability to escalate privileges. Typically, we would expect Cobalt Strike to be the main driver behind privilege escalation and lateral movement within a compromised environment. However, BlackByte handles both of those on its own. In a sample we observed last year, BlackByte set three different registry values to escalate privileges and begin setting the stage for lateral movement and encryption.

“In the case of the 49ers incident from this weekend, it’s most important to have a plan in place before an attack, as there isn’t a worse time to discover you don’t have a ransomware response plan than right in the middle of an attack,” Van Riper said. “Once an adversary has already entered your environment, the best way to prevent a widespread ransomware infection is to identify precursor activity, such as shadow copy deletion, suspicious registry modification or unusual process behavior.”
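The precursor activity Van Riper describes (shadow copy deletion, removal of the Raccine scheduled task, suspicious registry modification) can be hunted for in process-creation telemetry. The following is an added detection example, not code from the article, Red Canary or BlackByte; the log lines are constructed, the Raccine task name "Raccine Rules Updater" and the Windows Defender registry value are assumed as one concrete instance of each precursor, since the article does not name the specific task or registry values involved.

```python
import re

# Constructed sample process-creation events (not from the 49ers incident), one per
# line as "timestamp|host|parent_image|command_line", loosely modelled on Sysmon event 1.
SAMPLE_LOG = """\
2022-02-12T03:10:11Z|fin-ws01|explorer.exe|C:\\Windows\\System32\\notepad.exe invoices.txt
2022-02-12T03:12:40Z|fin-ws01|cmd.exe|vssadmin delete shadows /all /quiet
2022-02-12T03:12:41Z|fin-ws01|cmd.exe|wmic shadowcopy delete
2022-02-12T03:13:02Z|fin-ws01|cmd.exe|schtasks /delete /tn "Raccine Rules Updater" /f
2022-02-12T03:13:30Z|fin-ws01|cmd.exe|reg add HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender /v DisableAntiSpyware /t REG_DWORD /d 1 /f
2022-02-12T03:15:00Z|fin-ws01|svchost.exe|C:\\Windows\\System32\\backgroundTaskHost.exe
"""

# Each rule is a case-insensitive regex over the command line. The shadow-copy commands are
# standard administrative tools; the Raccine task name and Defender value are assumptions.
PRECURSOR_RULES = {
    "shadow_copy_deletion": re.compile(r"\b(vssadmin\s+delete\s+shadows|wmic\s+shadowcopy\s+delete)", re.I),
    "raccine_task_removal": re.compile(r"\bschtasks\b.*?/delete\b.*?raccine", re.I),
    "defender_registry_tamper": re.compile(r"\breg\s+add\b.*?windows defender.*?/v\s+disable", re.I),
}


def parse_line(line: str) -> dict:
    """Split one pipe-delimited event into its fields; the command line may itself contain '|'."""
    ts, host, parent, cmd = line.split("|", 3)
    return {"ts": ts, "host": host, "parent": parent, "cmd": cmd}


def find_precursors(log_text: str) -> list:
    """Return (timestamp, host, rule_name, command) for every event matching a precursor rule."""
    hits = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        for name, pattern in PRECURSOR_RULES.items():
            if pattern.search(ev["cmd"]):
                hits.append((ev["ts"], ev["host"], name, ev["cmd"]))
    return hits


def hosts_with_multiple_precursors(hits: list, threshold: int = 2) -> set:
    """Hosts that tripped at least `threshold` distinct rules: a far stronger signal than one hit."""
    per_host = {}
    for _, host, name, _ in hits:
        per_host.setdefault(host, set()).add(name)
    return {host for host, names in per_host.items() if len(names) >= threshold}


if __name__ == "__main__":
    hits = find_precursors(SAMPLE_LOG)
    for hit in hits:
        print(hit)
    print("escalate:", hosts_with_multiple_precursors(hits))
```

A single hit on one rule is noise in many environments (backup software legitimately touches shadow copies); correlating several distinct precursors on the same host within minutes is what justifies an urgent response.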

“Despite the amount of news coverage devoted to ransomware attacks, no amount of awareness seems to stunt their growth,” said Chris Olson, chief executive and co-founder of the Media Trust, a digital security, trust and safety provider. “Ransomware-as-a-service (RaaS) is the new mafia. As we are seeing with small players like BlackByte, as the cybercriminal underclass grows so will the black market for ransomware, malware, exploits and sensitive data harvesting.

Basic Level of Attack Knowledge
“With these shadow markets in place, hacking skills aren’t needed to target organizations across any industry: Nation states, terrorist groups and profit-seekers can infiltrate a business by simply paying someone else to do it for them. It doesn’t take God-like powers to pull off a ransomware attack, all it takes is the basic knowhow to exploit backdoor channels hidden across all modern websites and applications.”

“The attack on the SF 49ers would have gotten a lot more national attention if they had won their playoff game, but the impact is familiar,” said Saryu Nayyar, chief executive and founder of Gurucul. “Ransomware attackers are more frequently not just encrypting data but stealing data first and making it available on the dark web even as they demand payment from organizations to restore the data for their own usage. Regardless of the complexity of ransomware, it tends to follow a typical attack pattern that requires multiple stages to execute, and it all starts with the initial compromise, often a phishing attack. Security teams need to invest in advanced solutions that leverage multiple out-of-the-box analytics and machine learning models to identify new ransomware variants without relying on vendor updates. This can provide the necessary automated detection at the earlier stages of the ransomware campaign. Security teams can then be provided enough context and high-fidelity detection confirmation to execute a response for eradicating the ransomware fully prior to data loss or encryption of data.”