Ransomware Hits the San Francisco 49ers Football Organization
DESCRIPTION
While the San Francisco 49ers did not make it to the Super Bowl this year, they still made headlines over the weekend of the big game. The 49ers front office confirmed on Super Bowl Sunday that they were the victim of a ransomware attack, a day after the ransomware gang BlackByte had claimed credit for it. The attack followed the double-extortion pattern seen throughout the past year: data is first exfiltrated to a site controlled by the attackers, and only then are the internal systems encrypted. BlackByte claims to have stolen financial data from the team's servers and posted 300 MB of documents on a dark-web leak site as proof of the theft. The gang is known for releasing progressively larger amounts of data until the ransom is paid. Neither the 49ers nor the perpetrators have publicly mentioned a ransom amount or described the extent of the encryption. The 49ers reported a temporary disruption to parts of their corporate IT network but said the attack did not affect stadium or ticketing operations. Some security experts believe the attack was a way for BlackByte to gain "street cred" by hitting such a high-profile organization and advertising it during Super Bowl weekend.
IDENTIFY INDICATORS OF COMPROMISE (IOC)
While BlackByte took credit for the attack, the gang itself may not have carried it out. BlackByte operates as Ransomware as a Service (RaaS): affiliates use its attack software in exchange for a share of any successful ransom. BlackByte first came on the scene in July 2021. The operation's calling card is a ransom note left in every encrypted directory. Its typical initial-access method is to exploit the three Microsoft Exchange vulnerabilities known collectively as ProxyShell. The three vulnerabilities along with their released patches are listed below:
Once inside the network, the ransomware executable behaves like a worm, using scheduled tasks to propagate itself to other Windows machines. As it moves laterally it pushes registry changes to each discovered host: values that remove a local privilege-escalation restriction, enable network connection sharing between tokens, and enable long file names. Each of these values also has a legitimate administrative use, so hunt for recent changes to them across many hosts rather than for their mere presence on one.
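As an added example (not code from this bulletin, from HALOCK, or from the FBI/USSS advisory), the following PowerShell hunts a single Windows host for the artefacts described above: the three registry values, scheduled tasks that launch executables from paths a worm-style dropper typically uses, and ransom-note files. The registry value names are taken from the joint advisory and are not listed on this page; the scheduled-task path heuristics and the ransom-note file-name pattern are assumptions and should be replaced with the IOCs your responders confirm.

```powershell
# Hunting script for BlackByte post-compromise artefacts on one Windows host.
# Run in an elevated PowerShell session. Exit code 1 means something was found.

# Registry values the FBI/USSS advisory attributes to BlackByte (value names are
# an assumption taken from that advisory, not from this bulletin).
$registryChecks = @(
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
       Name = 'LocalAccountTokenFilterPolicy'; Bad = 1
       Why  = 'UAC remote restrictions disabled: local admin accounts get a full token over the network' },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
       Name = 'EnableLinkedConnections'; Bad = 1
       Why  = 'mapped network drives shared between the filtered and the elevated token' },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\FileSystem'
       Name = 'LongPathsEnabled'; Bad = 1
       Why  = 'long file names enabled so deeply nested paths can be reached and encrypted' }
)

function Test-BlackByteRegistry {
    foreach ($c in $registryChecks) {
        $item = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
        if ($null -ne $item -and $item.($c.Name) -eq $c.Bad) {
            [pscustomobject]@{
                Indicator = 'Registry'
                Detail    = "$($c.Path)\$($c.Name) = $($c.Bad)"
                Note      = $c.Why
            }
        }
    }
}

function Test-SuspiciousScheduledTasks {
    # Assumed heuristic: flag any task whose action runs from a user-writable
    # or temporary location. Review each hit; legitimate software does this too.
    $suspiciousRoots = '\\Users\\', '\\Temp\\', '\\ProgramData\\', '\\AppData\\'
    Get-ScheduledTask | ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            $cmd = "$($action.Execute) $($action.Arguments)"
            if ($suspiciousRoots | Where-Object { $cmd -match $_ }) {
                [pscustomobject]@{
                    Indicator = 'ScheduledTask'
                    Detail    = "$($task.TaskPath)$($task.TaskName)"
                    Note      = $cmd.Trim()
                }
            }
        }
    }
}

function Find-RansomNotes {
    param(
        [string[]]$Roots   = @('C:\Users', 'C:\ProgramData'),
        [string]  $Pattern = '*BlackByte*'   # assumed pattern; replace with the confirmed note name
    )
    Get-ChildItem -Path $Roots -Recurse -Filter $Pattern -File -ErrorAction SilentlyContinue |
        Select-Object -First 20 |
        ForEach-Object {
            [pscustomobject]@{
                Indicator = 'RansomNote'
                Detail    = $_.FullName
                Note      = "Last written $($_.LastWriteTime)"
            }
        }
}

$findings = @(Test-BlackByteRegistry) + @(Test-SuspiciousScheduledTasks) + @(Find-RansomNotes)
if ($findings.Count -eq 0) {
    Write-Host 'No BlackByte indicators found on this host.'
} else {
    $findings | Format-Table -AutoSize
    exit 1
}
```

Because the worm stage pushes the same registry values to every host it reaches, the useful signal is the same three values appearing on many machines within a short window; run this across the fleet (for example via Invoke-Command) and compare timestamps rather than treating a single hit as proof of compromise.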
CONTAINMENT (If IoCs are identified)
The 49ers front office stated that third-party cybersecurity firms had been called in to assist and were engaged in an active investigation. Law enforcement was also notified. Just two days prior to the attack, the FBI and the U.S. Secret Service had released a joint advisory providing information on BlackByte ransomware.
PREVENTION
The attack is another example of how imperative it is to keep systems patched and up to date. Those who have not yet installed the released patches for the ProxyShell vulnerabilities should do so immediately. Some of the other mitigation steps you can take include the following:
Ensure your Incident Response Readiness in the event of an attack. Review your security and risk profile.
HALOCK Breach Bulletins
Recent data breaches to understand common threats and attacks that may impact you – featuring description, indicators of compromise (IoC), containment, and prevention.