San Francisco 49ers Pwned In Ransomware Attack

Hot on the heels of the Super Bowl come reports of BlackByte ransomware attacking the NFL’s San Francisco 49ers. The news was confirmed yesterday in a statement to Bleeping Computer.

“The San Francisco 49ers recently became aware of a network security incident that resulted in temporary disruption to certain systems on our corporate IT network. Upon learning of the incident, we immediately initiated an investigation and took steps to contain the incident.

Third-party cybersecurity firms were engaged to assist, and law enforcement was notified.

While the investigation is ongoing, we believe the incident is limited to our corporate IT network; to date, we have no indication that this incident involves systems outside of our corporate network, such as those connected to Levi’s Stadium operations or ticket holders.

As the investigation continues, we are working diligently to restore involved systems as quickly and as safely as possible.”

Additionally, in a TLP:WHITE joint cybersecurity advisory released Friday, the FBI revealed that the BlackByte group had breached the networks of at least three organizations in US critical infrastructure sectors in the last three months.

Chris Olson of The Media Trust had this commentary:

“Despite the amount of news coverage devoted to ransomware attacks, no amount of awareness seems to stunt their growth. Ransomware-as-a-service (RaaS) is the new mafia. As we are seeing with small players like BlackByte, as the cybercriminal underclass grows so will the black market for ransomware, malware, exploits and sensitive data harvesting.”

“With these shadow markets in place, hacking skills aren’t needed to target organizations across any industry: nation states, terrorist groups and profit-seekers can infiltrate a business by simply paying someone else to do it for them. It doesn’t take god-like powers to pull off a ransomware attack; all it takes is the basic know-how to exploit backdoor channels hidden across all modern websites and applications.”

You know things are serious when pro sports teams start getting pwned. Hopefully this story has a happy ending for them.

UPDATE: Saryu Nayyar, CEO and Founder of Gurucul, provided additional commentary:

“The attack on the SF 49ers would have gotten a lot more national attention if they had won their playoff game, but the impact is familiar. Ransomware attackers are more frequently not just encrypting data but stealing data first and making it available on the dark web even as they demand payment from organizations to restore the data for their own usage. Regardless of the complexity of ransomware, it tends to follow a typical attack pattern that requires multiple stages to execute, and it all starts with the initial compromise, often a phishing attack. Security teams need to invest in advanced solutions that leverage multiple out-of-the-box analytics and machine learning models to identify new ransomware variants without relying on vendor updates. This can provide the necessary automated detection at the earlier stages of the ransomware campaign. Security teams can then be provided enough context and high-fidelity detection confirmation to execute a response for eradicating the ransomware fully prior to data loss or encryption of data.” 

UPDATE #2: Saumitra Das, CTO and Cofounder of Blue Hexagon, added these comments:

“Ransomware operators are getting even more organized with initial access brokers getting initial footholds followed by affiliates who move laterally and find the important assets before deploying the actual ransomware from an entity like BlackByte. BlackByte has been observed going after critical US infra as well apart from entities like the 49ers which is a new trend again after the cooling-off from the Colonial pipeline attack after which some ransomware gangs were lying low and only going after mid-size organizations to escape scrutiny. This news comes on the heels of the joint cybersecurity advisory (https://www.cisa.gov/uscert/ncas/alerts/aa22-040a) that shows that attackers are not just encrypting data but now doing triple extortion to find a way to blackmail the victim. One of the key newer methods is public naming and brand harm by informing partners, shareholders, and customers as well as cutting off the Internet access for the victim.”
