Hours before the Super Bowl kicks off, the San Francisco 49ers have been added to the list of victims of the BlackByte ransomware group. The San Francisco 49ers were within a few plays of making it to the Super Bowl two weeks ago.
The team did not respond to requests for comment but confirmed the attack to The Record and Bleeping Computer. The San Francisco 49ers showed up on the group's leak site late Saturday night and said in a statement that only its corporate IT network was affected by the attack.
Law enforcement has been contacted, and the company said it is still in the process of investigating the incident. The attack comes just one day after the FBI released a warning about the BlackByte ransomware group.
"As of November 2021, BlackByte ransomware had compromised multiple US and foreign businesses, including entities in at least three US critical infrastructure sectors (government facilities, financial, and food & agriculture). BlackByte is a Ransomware as a Service (RaaS) group that encrypts files on compromised Windows host systems, including physical and virtual servers," the FBI said.
"Some victims reported the actors used a known Microsoft Exchange Server vulnerability as a means of gaining access to their networks. Once in, actors deploy tools to move laterally across the network and escalate privileges before exfiltrating and encrypting files. In some instances, BlackByte ransomware actors have only partially encrypted files."
The group emerged last year, but cybersecurity firm Trustwave was able to make a BlackByte decryptor available for download on GitHub in October.
Research by the company showed that the first version of the BlackByte ransomware downloaded and executed the same AES key to encrypt files on every infection, rather than generating a unique key for each session, as more sophisticated ransomware operators usually do. A second, less vulnerable version of the ransomware was released in November, as the FBI noted.
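The paragraph above describes a key-management flaw rather than a cipher flaw: if every infection reuses one key, recovering that key once yields a decryptor for every victim. The following is an added illustration of that point; it is not code from the article, from Trustwave, or from the ransomware. It uses an HMAC-SHA256 counter-mode keystream as a stand-in for AES so it runs on the Python standard library alone, and all keys, file contents and victim names are constructed placeholders.

```python
import hashlib
import hmac
import os
from typing import Callable, Tuple

# Added educational example, not code from the article or from Trustwave.
# A keyed-hash counter-mode keystream stands in for AES so the block runs
# on the standard library alone; the key-management lesson does not depend
# on which cipher is used.


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR `data` with an HMAC-SHA256 keystream derived from key and nonce.
    Encryption and decryption are the same operation."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        block = hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        stream.extend(block)
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


# Weak design (what the article attributes to BlackByte v1): every run of the
# malware uses one and the same key. Constructed placeholder value.
STATIC_KEY = hashlib.sha256(b"constructed-example-static-key").digest()


def encrypt_with_static_key(plaintext: bytes) -> Tuple[bytes, bytes]:
    nonce = os.urandom(16)
    return nonce, keystream_xor(STATIC_KEY, nonce, plaintext)


# Stronger design (from the attacker's side): a fresh random key per session.
# How operators protect that key so only they can recover it is out of scope.
def new_session_key() -> bytes:
    return os.urandom(32)


def encrypt_with_session_key(session_key: bytes, plaintext: bytes) -> Tuple[bytes, bytes]:
    nonce = os.urandom(16)
    return nonce, keystream_xor(session_key, nonce, plaintext)


def build_decryptor(recovered_key: bytes) -> Callable[[bytes, bytes], bytes]:
    """What a public decryptor amounts to: one recovered key baked into a
    tool that reverses the file transformation."""
    def decrypt(nonce: bytes, ciphertext: bytes) -> bytes:
        return keystream_xor(recovered_key, nonce, ciphertext)
    return decrypt


def compare_designs() -> dict:
    """Assume the key used against victim A has been recovered once, then
    check whether that key also restores victim B's files under each design."""
    file_a = b"Victim A: constructed sample file"
    file_b = b"Victim B: constructed sample file"

    # Static-key design: one recovered key decrypts both victims' files.
    nonce_a, ct_a = encrypt_with_static_key(file_a)
    nonce_b, ct_b = encrypt_with_static_key(file_b)
    static_decrypt = build_decryptor(STATIC_KEY)  # key recovered from victim A
    static_works_across_victims = (
        static_decrypt(nonce_a, ct_a) == file_a and static_decrypt(nonce_b, ct_b) == file_b
    )

    # Per-session design: victim A's key restores only victim A's files.
    key_a, key_b = new_session_key(), new_session_key()
    nonce_a, ct_a = encrypt_with_session_key(key_a, file_a)
    nonce_b, ct_b = encrypt_with_session_key(key_b, file_b)
    session_decrypt = build_decryptor(key_a)
    session_works_on_own_victim = session_decrypt(nonce_a, ct_a) == file_a
    session_works_across_victims = session_decrypt(nonce_b, ct_b) == file_b

    return {
        "static_key_decrypts_all_victims": static_works_across_victims,
        "session_key_decrypts_own_victim": session_works_on_own_victim,
        "session_key_decrypts_other_victims": session_works_across_victims,
    }


if __name__ == "__main__":
    for name, result in compare_designs().items():
        print(f"{name}: {result}")
```

Running `compare_designs()` shows the static-key design restoring both victims' files from a single recovered key, while under the per-session design the same recovered key restores only the victim it was taken from. That asymmetry is exactly what made a general-purpose decryptor feasible for the first BlackByte version and not for the later one.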
Emsisoft ransomware expert Brett Callow said BlackByte is a ransomware-as-a-service (RaaS) operation, and the individuals who use it to carry out attacks may or may not be based in the same country as the primary group.
"Like several other types of ransomware, BlackByte does not encrypt computers which use the languages of Russia and post-Soviet countries," Callow said.
A Red Canary analysis of the ransomware found operators gained initial access by exploiting the ProxyShell vulnerabilities (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207) present on a customer's Microsoft Exchange server.