I. Targeted Entities

  • San Francisco 49ers

II. Introduction

Just before the Super Bowl kicked off, and two days after the FBI warned about the cybercriminals, BlackByte leaked what seems to be the 49ers’ team files.

III. Background Information

The 49ers were recently on the receiving end of a BlackByte ransomware attack that temporarily affected the team’s corporate IT network on Super Bowl Sunday.[2] BlackByte is a ransomware-as-a-service (RaaS) gang that leases its ransomware to affiliates who share the ransomware profits; they claimed responsibility for the attack by leaking files allegedly stolen in the assault. The 49ers confirmed the attack to Threatpost the following Monday.[2] The 49ers consulted with third-party cybersecurity firms for assistance and also notified law enforcement. As of Monday, the team was still investigating, but it appears as though the intrusion was limited to the 49ers’ corporate IT network and did not affect ticket systems or systems at the 49ers’ stadium, Levi Stadium.[2] According to Joseph Carson, chief security scientist and advisory CISO at Delinea, it is likely that an affiliate hacked the 49ers, as opposed to BlackByte, given that BlackByte is an RaaS.[2]

BlackByte recently posted some files that seem to have been stolen from the team on a dark website in a file called 2020 Invoices.[2] BlackByte has not made its ransom demands public, nor have they specified how much data they stole or encrypted. Joseph Carson says that the timing of this attack makes this a case of cybercriminals preying on a major event, where attackers can get unsuspecting victims “to click on links, download and execute malicious software or give over their credentials, thinking they are accessing legitimate internet services, resulting in cybercriminals gaining initial access to networks and services.”[2]

The attack comes two days after the FBI and Secret Service released a joint TLP: WHITE cybersecurity advisory saying that BlackByte ransomware had breached the networks of at least three organizations from U.S. critical infrastructure sectors (government facilities, financial, and food & agriculture) in the last three months.[2]

BlackByte was first seen in July 2021 when it started victimizing organizations by exploiting known Microsoft Exchange vulnerabilities to worm its way into environments.[2] BlackByte was successful for a time, scoring wins against manufacturing, healthcare, and construction industries in the U.S., Europe, and Australia, but BlackByte hit a wall when Trustwave released a free decryption tool that allowed BlackByte victims to free their files.[4] BlackByte’s auction site has been considered a house of mirrors because the site claims to contain exfiltrated data from victims, but the ransomware itself doesn’t have the ability to exfiltrate data. This is done, most likely, to scare their victims into obeying their demands.[2]

Erich Kron, security awareness advocate at KnowBe4, focused on the FBI warning about BlackByte’s success in penetrating the critical infrastructure sector, which has been “plagued” by ransomware attacks.[2] Kron says that the critical nature of the systems means that it is imperative that the systems come back online quickly, which increases the likelihood that the victim pays the ransomware. Kron also says that the critical nature of the infrastructure also increases law enforcement attention, but that law enforcement busts have a low success rate, meaning that the groups are willing to take that risk.[2] Kron blames limited budgets, aging equipment, and shortages in cybersecurity staff for making critical infrastructure and many government entities susceptible to ransomware attacks.[2]


  • T1590 – Gather Victim Network Information
    Attackers focus on gathering information using ransomware attacked to collect data of the users through network systems.
  • T1027 – Obfuscated Files or Information
    Attackers use tools that download files to systems using encryption keys and store data information through the network of the systems.
  • T1213 – Data From Information Repositories
    Ransomware attacks are used to collect a wide variety of information and data during exchanged between users.

V. Recommendations

  • Phishing Awareness Training
    Users should be informed and educated about new kinds of phishing scams currently being used and ones that have been used in the past. Awareness training should instruct users to avoid suspicious emails, links, websites, attachments, etc. Users should alsobe educated about new types of attacks and schemes to mitigate risk.
    Recommended link: https://www.us-cert.gov/ncas/tips/ST04-014
  • Set Antivirus Programs to Conduct Regular Scans
    Ensure that antivirus and antimalware programs are scanning assets using up-to-date signatures.
  • Malware Monitoring
    Continuously monitor current and new types of malware. Stay up to date on intel and advancements to prevent, defend, and mitigate these types of threats.
  • Strong Cyber Hygiene
    Enforce a strong password policy across all networks and subsystems. Remind users to be wary of any messages asking for immediate attention, links, downloads, etc. All sources should be verified.
    Recommended link: https://us-cert.cisa.gov/ncas/alerts/aa21-131a
  • Turn on Endpoint Protection
    Enable endpoint detection and response (EDR) to stop unknown malware in the product you’re using.

VI. Indicators of Compromise (IOCs)

The link below has been included to assist with the download of some identified IOCs related to this Threat Advisory report. Be on the lookout for these IOCs, as well as anything that looks similar.


VII. References

(1) FBI, Secret Service, ed. “Indicators of Compromise Associated with BlackByte Ransomware.” Internet Crime Compliant Center IC3, February 11, 2022. https://www.ic3.gov/Media/News/2022/220211.pdf.

(2) Vaas, Lisa. “BlackByte Tackles the SF 49ers & US Critical Infrastructure.” Threatpost English Global, February 14, 2022. https://threatpost.com/blackbyte-tackles-the-sf-49ers-us-critical-infrastructure/178416/.

Threat Advisory created by the Cyber Florida Security Operations Center.
Contributing Security Analysts: Dorian Pope, Ipsa Bhatt, Sreten Dedic, EJ Bulut, Uday Bilakhiya, Tural Hagverdiyev.