BlackByte Gang Launches Ransomware Attack on San Francisco 49ers

BlackByte is a growing ransomware operator.

Edward Gately, Senior News Editor

February 14, 2022


The BlackByte ransomware gang has launched a ransomware attack against the San Francisco 49ers, claiming it stole some of the football team’s financial data.

According to the Associated Press, BlackByte made the claim after posting stolen team documents on a dark web site in a file marked “2020 Invoices.”

The gang reportedly did not make any of its ransom demands public, or specify how much data it stole or encrypted.

In a statement on Sunday, the 49ers said the network security incident disrupted some of its corporate IT network systems. The team since has notified law enforcement and hired cybersecurity firms to help.

The 49ers said there’s no indication that the ransomware attack involves systems outside of its corporate network.

Ransomware Increasingly Professional, Organized

Ian Pratt is HP’s global head of security for personal systems.



“Criminals deploying ransomware are becoming increasingly professionalized and organized, supported by a sophisticated underground supply chain that enables rapid innovation, enabling even non-techies to participate,” he said. “Today, cybercriminal gangs operating ransomware make millions from corporate victims.”

It’s vital to limit the impact of a breach by building resilience in from the hardware up, Pratt said.

“By adopting zero trust principles, organizations can mitigate risk by securing critical systems, based on principles of least privilege, strong identity, mandatory access control and strong isolation,” he said.

Zero trust helps organizations stop attackers from escalating their access, and mitigate the impact of ransomware attacks.

Matthew Warner is CTO and co-founder of Blumira.



“BlackByte is a growing ransomware operator that has had success following successful patterns implemented by previous groups,” he said. “Similar to Conti ransomware, BlackByte has been identified using Exchange vulnerabilities such as ProxyShell to gain a foothold in environments. Additionally, BlackByte utilizes well-proven tactics such as PowerShell exploitation of obfuscated base64 content to perform all encryption on hosts once exploited.”

In the end, BlackByte is by no means more sophisticated than other actors in the ransomware universe, Warner said. Instead, it’s the next up-and-coming player to exploit organizations and their data.

BlackByte and similar ransomware operators’ successful attacks continue to show the importance of patching and reducing your internet-facing attack surface.

BlackByte Creators Likely Not Culprits

Joseph Carson is chief security scientist and Advisory CISO at Delinea. He said BlackByte is a ransomware-as-a-service (RaaS) gang.



“This means that it is likely not the creators of the ransomware who hacked into the 49ers, but rather an affiliate who in return for access to the ransomware they pay back in royalties,” he said. “This latest incident is a reminder of the importance of being incident response ready, having a solid backup and recovery strategy that includes ransomware mitigation, along with strong identity and access security controls.”

Tim Erlin is Tripwire’s vice president of strategy.



“The increasing professionalization of ransomware groups is an outcome of ransomware’s success as a tool,” he said. “More organized, professional groups increase the threat, but they also change the landscape for law enforcement. Organized criminal groups are not new, and the larger the group, the more of a footprint they’re likely to have.”

Law enforcement are actively seeking to thwart and capture these groups, Erlin said.


About the Author(s)

Edward Gately

Senior News Editor, Channel Futures

As news editor, Edward Gately covers cybersecurity, new channel programs and program changes, M&A and other IT channel trends. Prior to Informa, he spent 26 years as a newspaper journalist in Texas, Louisiana and Arizona.
