San Francisco 49ers catch ransomware, sample files leaked online

American football team the San Francisco 49ers have been hit by ransomware, with the criminals responsible claiming to have stolen corporate data and threatened to publish it.

Calling itself Blackbyte, the ransomware gang responsible published samples of stolen documents on a dark web blog over the weekend, as seen by The Register. About 300MB of files were present on the publicity site used by Blackbyte and are thought to include recent internal finance data for the team.

The 49ers said law enforcement and "third-party cybersecurity firms" were on the case and acknowledged the security breach in a statement on Sunday, saying: "To date, we have no indication that this incident involves systems outside of our corporate network, such as those connected to Levi’s Stadium operations or ticket holders."

The intrusion and theft came to light days after US law enforcement agencies, including the FBI and Secret Service, issued an alert warning American companies of the threat posed by BlackByte. That warning stated that the gang had "compromised multiple US and foreign businesses, including entities in at least three US critical infrastructure sectors."

"The BlackByte executable leaves a ransom note in all directories where encryption occurs," continued the Feds' advisory [PDF]. "The ransom note includes the .onion site that contains instructions for paying the ransom and receiving a decryption key. Some victims reported the actors used a known Microsoft Exchange Server vulnerability as a means of gaining access to their networks."

• Ransomware crew dumps stolen Optionis files online
• Nothing to scoff at: Crisps and nuts biz KP Snacks smacked in ransomware hack attack
• UK, US, Australia issue joint advisory: Ransomware on the loose, critical national infrastructure affected
• How ransomware gangs went pro

The sports team becomes just the latest in a long line of extortionware victims over recent years. Ransomware is now regarded as one of the leading threats to enterprise cybersecurity, with criminals using customized malware to infect corporate networks, steal and encrypt data, and demand a ransom to unlock it and not publish it online.

Various ransomware gangs have renamed themselves over time to avoid attracting international law enforcement attention. One such example was the Blackmatter gang, which rebranded twice in 2021 – both times claiming to have shut itself down. The gang is not believed, at the time of writing, to have any links with the BlackByte criminal crew. ®