A US National Football League (NFL) team, the San Francisco 49ers, was recently subject to a targeted attack online.

The infamous ransomware outfit that goes by the name BlackByte has claimed responsibility for the attack and has boasted that it stole data related to the US football organisation during the intrusion.

Actions taken following the ransomware assault

The 49ers confirmed the cyberattack in a recent statement, stating that the incident had caused temporary disruptions to particular parts of its dedicated IT network. Although it did not confirm if the hackers behind the attack had successfully dropped the ransomware payload encrypting systems, a spokesperson for the team commented that the organisation was currently in the process of system recovery. This information indicates that some of the NFL team’s devices were possibly encrypted during the attack.

In a statement, the 49ers commented:

“The San Francisco 49ers recently became aware of a network security incident that resulted in temporary disruption to certain systems on our corporate IT network. Upon learning of the incident, we immediately initiated an investigation and took steps to contain the incident. While the investigation is ongoing, we believe the incident is limited to our corporate IT network.”

It added that as of yet, there was no sign the attack had involved any systems beyond its corporate network, including networks connected to operations and ticket holders at Levi Stadium. Furthermore, the team confirmed that it had engaged third-party security firms to assist with the incident and that all appropriate law enforcement agencies had been duly notified.

The BlackByte ransomware gang and its attack methods

To perform a ransomware attack, gangs must breach a company network and then spread laterally to other connected devices while simultaneously assessing and stealing valuable data. The threat operators ultimately drop malware that entirely encrypts all network devices while posting ransom notes that demand a payment to be made in cryptocurrency for access to a decryptor.

Double extortion techniques used today typically see ransomware gangs use the files stolen initially as leverage, issuing threats of their release if a ransom payment request is refused.

As the NFL prepared for Super Bowl Sunday on Sunday, February 13, the BlackByte ransomware group claimed the attack as its own work and started to leak files its allegedly stole during the strike. The leaked information in question contained 292MB worth of archive files that, according to the gang, contains 49ers invoices.

The BlackByte gangs typical modus operandi involves releasing its victims’ confidential data incrementally in ever greater uploads to drive them to pay requested ransoms. It commonly uses known vulnerabilities that have been left unpatched to gain a foothold in corporate networks, demonstrating how vital it is to install the latest available updates for operating systems and apps.

The gang entered the ransomware scene in July 2021 and immediately started targeting corporate victims around the world. While not the most active of gangs in comparison to other ransomware operators, BlackByte still has many successful attacks under its belt.