Hours before the Super Bowl kicks off, the San Francisco 49ers confirmed that they were attacked by the BlackByte ransomware group.
In a statement to ZDNet, the team said it "recently became aware of a network security incident" that caused a disruption to their corporate IT network.
"Upon learning of the incident, we immediately initiated an investigation and took steps to contain the incident. Third-party cybersecurity firms were engaged to assist, and law enforcement was notified," a San Francisco 49ers spokesperson said.
"While the investigation is ongoing, we believe the incident is limited to our corporate IT network; to date, we have no indication that this incident involves systems outside of our corporate network, such as those connected to Levi's Stadium operations or ticket holders. As the investigation continues, we are working diligently to restore involved systems as quickly and as safely as possible."
The San Francisco 49ers showed up on the ransomware group's leak site late Saturday evening. The team was within a few plays of making it to the Super Bowl two weeks ago.
"As of November 2021, BlackByte ransomware had compromised multiple US and foreign businesses, including entities in at least three US critical infrastructure sectors (government facilities, financial, and food & agriculture). BlackByte is a Ransomware as a Service (RaaS) group that encrypts files on compromised Windows host systems, including physical and virtual servers," the FBI said.
"Some victims reported the actors used a known Microsoft Exchange Server vulnerability as a means of gaining access to their networks. Once in, actors deploy tools to move laterally across the network and escalate privileges before exfiltrating and encrypting files. In some instances, BlackByte ransomware actors have only partially encrypted files."
Research by the company showed that the first version of the BlackByte ransomware downloaded and used the same AES key to encrypt files, rather than the unique per-session keys usually employed by more sophisticated ransomware operators. A second, less vulnerable version of the ransomware was released in November, as the FBI noted.
Emsisoft ransomware expert Brett Callow said BlackByte is a Ransomware-as-a-Service (RaaS) operation, and the individuals who use it to carry out attacks may or may not be based in the same country as the primary team.
"Like multiple other types of ransomware, BlackByte does not encrypt computers which use the languages of Russia and post-Soviet countries," Callow said.
A Red Canary analysis of the ransomware found operators gained initial access by exploiting the ProxyShell vulnerabilities (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207) present on a customer's Microsoft Exchange server.
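The ProxyShell chain that Red Canary describes begins with crafted requests to the Exchange Autodiscover front end, which leave traces in the IIS access logs on the server. The following Python snippet is an added example, not code from the article, Red Canary, Emsisoft or the FBI: it scans constructed IIS-style log lines (the field layout is assumed) for the two commonly published telltales of ProxyShell exploitation, a query beginning with an `@host/` pivot into a back-end virtual directory such as `/mapi/` or `/powershell/`, and an `Email` parameter set to the `autodiscover.json` path itself. Ordinary Autodiscover lookups carry a user address in `Email` and no path pivot, so they are not flagged.

```python
import re
from urllib.parse import unquote

# Constructed sample IIS W3C log lines for this example (not from any real incident).
# Assumed field layout: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip sc-status
SAMPLE_LOG = """\
2021-11-14 03:12:01 10.0.0.5 GET /autodiscover/autodiscover.json @example.com/mapi/nspi/?&Email=autodiscover/autodiscover.json%3F@example.com 198.51.100.7 200
2021-11-14 03:12:09 10.0.0.5 POST /autodiscover/autodiscover.json @example.com/powershell/?X-Rps-CAT=PLACEHOLDER_TOKEN&Email=autodiscover/autodiscover.json%3F@example.com 198.51.100.7 200
2021-11-14 03:13:22 10.0.0.5 GET /autodiscover/autodiscover.json Email=alice%40example.com&Protocol=ActiveSync 192.0.2.33 200
2021-11-14 03:14:05 10.0.0.5 POST /autodiscover/autodiscover.xml - 192.0.2.40 200
2021-11-14 03:15:17 10.0.0.5 GET /owa/auth/logon.aspx url=https%3a%2f%2fmail.example.com%2fowa%2f 192.0.2.41 200
"""

LOG_FIELDS = ("date", "time", "s_ip", "method", "stem", "query", "c_ip", "status")

# Telltale 1: an '@host/' prefix in the query that steers the Autodiscover front end
# at a back-end virtual directory (mapi, powershell, ews, owa, ecp).
SSRF_PIVOT = re.compile(r"@[^/?&\s]+/(mapi|powershell|ews|owa|ecp)\b", re.IGNORECASE)
# Telltale 2: the 'Email' parameter pointing back at the autodiscover.json path.
EMAIL_LOOP = re.compile(r"email=autodiscover/autodiscover\.json", re.IGNORECASE)


def parse_line(line):
    """Split one log line into a dict; returns None for lines with an unexpected field count."""
    parts = line.split()
    if len(parts) != len(LOG_FIELDS):
        return None
    rec = dict(zip(LOG_FIELDS, parts))
    rec["query"] = "" if rec["query"] == "-" else rec["query"]
    return rec


def is_proxyshell_like(rec):
    """True when the request targets autodiscover.json and carries either telltale."""
    if not rec["stem"].lower().endswith("/autodiscover.json"):
        return False
    query = unquote(rec["query"])  # decode %3F, %40 etc. before matching
    return bool(SSRF_PIVOT.search(query) or EMAIL_LOOP.search(query))


def scan(log_text):
    """Return (time, client_ip, method, full_uri) for each suspicious request."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_proxyshell_like(rec):
            uri = rec["stem"] + ("?" + rec["query"] if rec["query"] else "")
            hits.append((rec["time"], rec["c_ip"], rec["method"], uri))
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print("suspicious request:", hit)
```

Both patterns are applied only after URL-decoding the query, since the `?` and `@` characters in the `Email` parameter are typically percent-encoded in the log. The heuristic is a triage aid for hunting in historical logs; the sample lines use documentation IP ranges and a labelled placeholder token rather than real values.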