While their downstate rivals the Los Angeles Rams were busy winning Super Bowl LVI, the San Francisco 49ers were being clipped in a ransomware attack.
News of the attack was reported by the Associated Press after cybercriminals posted documents to the dark web that they claimed were stolen from the NFL franchise.
In a public statement obtained by TechNewsWorld, the team noted: “We recently became aware of a network security incident that resulted in temporary disruption to certain systems on our corporate IT network.”
“Upon learning of the incident, we immediately initiated an investigation and took steps to contain the incident,” it continued. “Third-party cybersecurity firms were engaged to assist, and law enforcement was notified.”
“While the investigation is ongoing, we believe the incident is limited to our corporate IT network; to date, we have no indication that this incident involves systems outside of our corporate network, such as those connected to Levi’s Stadium operations or ticket holders,” it noted.
“As the investigation continues, we are working diligently to restore involved systems as quickly and as safely as possible,” it added.
Ransomware as a Service
According to the AP, the BlackByte ransomware gang was behind the attack on the 49ers’ computer systems.
On Friday, the FBI and U.S. Secret Service issued a joint cybersecurity advisory on the group. It stated that as of November 2021, BlackByte ransomware had compromised multiple U.S. and foreign businesses, including entities in at least three U.S. critical infrastructure sectors — government facilities, financial, and food and agriculture.
The advisory noted that some victims of BlackByte attacks reported the bad actors used a known Microsoft Exchange Server vulnerability as a means of gaining access to their networks. Once in, actors deployed tools to move laterally across the network and escalate privileges before exfiltrating and encrypting files.
It explained that BlackByte is a ransomware as a service (RaaS) group that encrypts files on compromised Windows host systems, including physical and virtual servers.
“BlackByte ‘partners’ with affiliates to enable cybercriminals to quickly launch ransomware extortion campaigns,” explained Francisco Donoso, senior director for global security strategy at Kudelski Security, a cybersecurity company in Phoenix.
“The BlackByte gang develops the ransomware tooling, procedures and techniques that an affiliate can use to launch a ransomware attack,” he told TechNewsWorld.
BlackByte is more like a software company than a traditional attacker, added Tim Erlin, vice president of product management and strategy at Tripwire, a cybersecurity threat detection and prevention company in Portland, Ore. Because of that, he told TechNewsWorld, “the actual attacker isn’t necessarily part of the gang itself.”
The FBI/Secret Service advisory explained that BlackByte’s malware leaves a ransom note in all directories where encryption occurs. The ransom note includes the .onion site that contains instructions for paying the ransom and receiving a decryption key.
After posting the purported data from the 49ers’ systems, no ransom demands were made public by the group, nor did they indicate how much data they had stolen or encrypted, the AP reported.
“Just because the disclosure of exfiltrated data did not include a public ransom demand doesn’t mean that one wasn’t made,” Donoso said.
“Most ransomware threat actors don’t necessarily make the demand for ransom public,” he continued. “Posting the exfiltrated data is mostly to encourage the victims to pay the ransom already requested, even if they have backups of the data or a ransomware recovery strategy.”
“This is known as a ‘double-extortion’ scheme, where the files are not only encrypted but also stolen,” added Gustavo Palazolo, a staff threat research engineer at Netskope, a cloud security provider in Santa Clara, Calif.
“Usually, this negotiation is done through a private website hosted on the deep web,” he told TechNewsWorld. “If the victim doesn’t pay the ransom, the group may publish parts of the stolen data on a public website on the deep web commonly known as the Wall of Shame, as a way of putting pressure on the victim.”
Looking for Street Cred
Nabil Hannan, managing director at NetSPI, a penetration testing company in Minneapolis, maintained that it’s unusual for a ransomware gang to post exfiltrated data on the web without making any ransom demands.
“I would assume this is due to the fact that they weren’t able to hold any critical systems hostage,” he told TechNewsWorld.
“The gang may have been able to encrypt/steal some files or systems that were categorized as non-critical, but they likely knew that they wouldn’t be able to receive any ransom payout for such information,” he surmised.
“Most likely this was an act to get ‘street creds’ and pose that they were able to steal information from such a high profile organization to show their reach and ability to break into any system,” he said.
“This attack and its proximity to the Super Bowl may be a way for BlackByte to gain notoriety and advertise its capabilities to the criminal underground,” Donoso added.
The attack on the 49ers shows that BlackBytes is coming back with a vengeance, maintained Kate Kuehn, senior vice president at vArmour, an application relationship management company in Los Altos, Calif.
“Football is an especially timely, visible target,” she told TechNewsWorld. “The fact that it was the team’s financial data leaked, underscores the traditional financial-based motives of most RaaS attacks.”
The New Mafia
Ian Pratt, global head of security for personal systems at HP, noted that criminals deploying ransomware are becoming increasingly professional and organized.
“They’re supported by a sophisticated underground supply chain that enables rapid innovation, enabling even non-techies to participate,” he told TechNewsWorld.
“Once the preserve of opportunistic individuals who targeted consumers with demands of a few hundred pounds, today cybercriminal gangs operating ransomware make millions from corporate victims,” he said.
Despite the amount of news coverage devoted to ransomware attacks, no amount of awareness seems to stunt their growth, added Chris Olson, CEO of The Media Trust, a website and mobile application security company in McLean, Va.
“Ransomware as a service is the new mafia,” he told TechNewsWorld. “As we are seeing with small players like BlackByte, as the cybercriminal underclass grows so will the black market for ransomware, malware, exploits and sensitive data harvesting.”
But, as was seen with the REvil ransomware group, size and hitting high profile targets can have consequences.
“The larger the group, the more of a footprint they’re likely to have,” Erlin explained. “While individual attackers have been difficult to catch, more organized groups are more susceptible to established international initiatives against organized crime.”
“We should expect to see significant law enforcement action designed to thwart and capture these groups,” he said.