San Francisco 49ers hit by ransomware attack

San Francisco 49ers life size helmet outside Levi's Stadium
(Image credit: / Ken Wolter)

The San Francisco 49ers NFL team was hit by a major ransomware attack on the day of the Super Bowl.

The organization confirmed to ZDNet that it had been hit by the BlackByte ransomware group, but the attack itself was fortunately somewhat limited. 

In a statement confirming the incident, the 49ers said it “recently became aware of a network security incident” that disrupted its corporate IT network, but nothing more.

Leaking data

"Upon learning of the incident, we immediately initiated an investigation and took steps to contain the incident. Third-party cybersecurity firms were engaged to assist, and law enforcement was notified," the statement added.

"While the investigation is ongoing, we believe the incident is limited to our corporate IT network; to date, we have no indication that this incident involves systems outside of our corporate network, such as those connected to Levi's Stadium operations or ticket holders. As the investigation continues, we are working diligently to restore involved systems as quickly and as safely as possible."

The ransomware operators own a leak website where they advertise the data stolen from compromised endpoints that they plan on leaking to the public, with the San Francisco 49ers data reportedly appearing on the site late Saturday evening, just hours before the Super Bowl.  

ZDNet also hints that the FBI probably knew about the hack in advance, as the law enforcement agency issued a warning about BlackByte just a day before the incident was made public.

"As of November 2021, BlackByte ransomware had compromised multiple US and foreign businesses, including entities in at least three US critical infrastructure sectors (government facilities, financial, and food & agriculture). BlackByte is a Ransomware as a Service (RaaS) group that encrypts files on compromised Windows host systems, including physical and virtual servers," the FBI had warned. 

"Some victims reported the actors used a known Microsoft Exchange Server vulnerability as a means of gaining access to their networks. Once in, actors deploy tools to move laterally across the network and escalate privileges before exfiltrating and encrypting files. In some instances, BlackByte ransomware actors have only partially encrypted files."

BlackByte, a Ransomware-as-a-service (RaaS) operation, was established sometime last year. The master key (a decryptor, basically), was made available in October 2021 by cybersecurity researchers from Trustwave.

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.