BlackByte ransomware hits San Francisco 49ers ahead of Super Bowl

Hours before the Super Bowl kickoff, the San Francisco 49ers were added to the list of victims of the BlackByte ransomware group. The team was within a few plays of making it to the Super Bowl two weeks ago.

The team did not respond to requests for comment but confirmed the attack to The Record and Bleeping Computer. The San Francisco 49ers appeared on the group’s leak site late Saturday evening. In a statement, the team said that only its corporate IT network was affected by the attack.


Law enforcement has been contacted and the company said it is still in the process of investigating the incident. The attack comes just one day after the FBI released a warning about the BlackByte ransomware group. 

“As of November 2021, BlackByte ransomware had compromised multiple US and foreign businesses, including entities in at least three US critical infrastructure sectors (government facilities, financial, and food & agriculture). BlackByte is a Ransomware as a Service (RaaS) group that encrypts files on compromised Windows host systems, including physical and virtual servers,” the FBI said. 

“Some victims reported the actors used a known Microsoft Exchange Server vulnerability as a means of gaining access to their networks. Once in, actors deploy tools to move laterally across the network and escalate privileges before exfiltrating and encrypting files. In some instances, BlackByte ransomware actors have only partially encrypted files.”

The group emerged last year, but cybersecurity company Trustwave was able to make a BlackByte decryptor available for download on GitHub in October.

Research by the company showed that the first version of the BlackByte ransomware downloaded and used the same key to encrypt files with AES, rather than unique keys for each session like those usually employed by more sophisticated ransomware operators. A second, less vulnerable version of the ransomware was released in November, as the FBI noted.

Emsisoft ransomware expert Brett Callow said BlackByte is a ransomware-as-a-service (RaaS) operation and the individuals who use it to carry out attacks may or may not be based in the same country as the primary team.

“Like multiple other types of ransomware, BlackByte does not encrypt computers which use the languages of Russia and post-Soviet countries,” Callow said.

A Red Canary analysis of the ransomware found operators gained initial access by exploiting the ProxyShell vulnerabilities (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207) present on a customer’s Microsoft Exchange server. 