Threat actors leveraging BlackByte ransomware claimed to have exfiltrated data in an attack targeting the San Francisco 49ers (49ers) of the National Football League. The method of intrusion has not yet been disclosed, and the ransom demand is unknown. A statement made by the 49ers indicates that it believes the attack is limited to its own corporate network and has not spread to third-party affiliates. The ransomware strain, identified as early as July 2021, operates as part of a ransomware-as-a-service (RaaS) operation and is known to leverage double extortion tactics to pressure victims into making ransom payments. ZeroFox has detected approximately 50 BlackByte victims since its initial identification, predominantly targeting organizations in the manufacturing, retail, and construction industries, and typically targeting those based in the U.S.-Canada region.
BlackByte Ransomware: Analyst Commentary
Reporting indicates that on February 12, 2022, the San Francisco 49ers confirmed they had been impacted by a “network security incident that resulted in a temporary disruption to certain systems” on their corporate network. On the evening of February 12, 2022, the BlackByte ransomware group claimed responsibility for the incident, listing the National Football League team as a victim on its dark web leak site, and began leaking files it claimed to have stolen. The initial leak is a 292MB archive file that the threat actors claim contains stolen 2020 invoices; it is highly likely that they have stolen considerably more data and are using this sample as proof of compromise in a double extortion play. BlackByte has been observed stealing gigabytes of data from previous victims.
The method of intrusion has not yet been disclosed. However, reporting indicates that BlackByte operators typically target Windows-based networks, exploiting vulnerabilities to gain access to corporate environments; the ProxyShell suite of Microsoft Exchange Server vulnerabilities has been used as an intrusion vector in earlier BlackByte cases. After gaining initial access, threat actors tend to move laterally through the network and attempt to reach higher-privileged accounts through privilege escalation before exfiltrating and encrypting files. In statements made by the 49ers, the incident is believed to have been limited to their corporate IT network, with no indication that it has spread to third-party affiliates. The ransom demand made to the 49ers is currently not known.
The attack took place the day before Super Bowl LVI and the day after the FBI issued an advisory warning about the prevalence of BlackByte ransomware. It is likely the authorities had advance warning of, or suspected, an attack scheduled to take place over Super Bowl LVI weekend. The FBI advisory is also likely to contain tactics and indicators of compromise from the current 49ers attack. ZeroFox has included a sample of possible indicators of compromise at the end of this report; see the FBI’s alert for full details.
Reporting indicates that BlackByte ransomware was identified as early as July 2021. ZeroFox has detected approximately 50 BlackByte victims since its launch, targeting organizations in the manufacturing, retail, and construction industries, and typically targeting those based in the U.S.-Canada region. In October 2021, a free decryptor was released on GitHub after the BlackByte operation reused the same encryption key in multiple attacks, allowing some victims to recover their files for free. Threat actors later rectified the encryption reuse mistake.
Reporting indicates that BlackByte operates a RaaS operation where ransomware is rented to affiliates who deploy the malware against victims. These affiliates exfiltrate files from compromised networks, which the BlackByte gang uses as leverage in negotiations, threatening victims that they will release the stolen files on a dark web leak site if they fail to pay ransom demands.
- Back up critical data regularly, including password-protected backup copies kept offline.
- Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, secure location (i.e., hard drive, storage device, or the cloud).
- Ensure proper network segmentation.
- Patch disclosed vulnerabilities with updated software versions as quickly as practical.
- Disable PowerShell wherever possible to limit the possibility of operators employing lateral movement modules.
- Never download email attachments from unknown senders or click links from untrusted sources. Provide user training programs to fight against phishing or social engineering attacks used to obtain critical information that can lead to system compromise.
- Enable multi-factor authentication wherever possible.
- Disable unused remote access/RDP ports and monitor remote access/RDP logs.
- Leverage threat intelligence services and maintain situational awareness of Tactics, Techniques, and Procedures related to ransomware groups.
Indicators of Compromise
```text
schtasks.exe /DELETE /TN "\"Raccine Rules Updater\"" /F
cmd.exe /c vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB
cmd.exe /c vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded
powershell.exe Set-MpPreference -EnableControlledFolderAccess Disabled
cmd.exe /c netsh advfirewall firewall set rule "group=\"Network Discovery\"" new enable=Yes
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f
powershell.exe Install-WindowsFeature -Name \"RSAT-AD-PowerShell\" –IncludeAllSubFeature
powershell.exe Import-Module ActiveDirectory;Get-ADComputer -Filter * -Properties * | FT Name
cmd.exe /c powershell -command "$x = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String ('VwBpA'+'G4ARAB'+'lAGYA'+'ZQB'+'uAG'+'QA'));Stop-Service -Name $x;Set-Service -StartupType Disabled $x"
powershell.exe $x = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String ('RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAg'+'AFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8AC'+ 'AARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkA'+'F8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA=='));Invoke-Expression $x
```
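To turn the command lines above into something a SOC can match against process-creation telemetry, here is an added detection example (not ZeroFox's or the FBI's tooling) that classifies constructed sample command lines against these indicators and rejoins and decodes the split base64 fragments the same way the indicator's own PowerShell does, so the hidden "WinDefend" and "Win32_Shadowcopy" strings become matchable. The sample lines, pattern names and function names are assumptions of this example.

```python
import base64
import re

# Constructed sample command lines (not real telemetry): three from the indicator list above, one benign control.
SAMPLE_CMDLINES = [
    "cmd.exe /c vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB",
    "powershell.exe Set-MpPreference -EnableControlledFolderAccess Disabled",
    '''cmd.exe /c powershell -command "$x = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String ('VwBpA'+'G4ARAB'+'lAGYA'+'ZQB'+'uAG'+'QA'));Stop-Service -Name $x;Set-Service -StartupType Disabled $x"''',
    "powershell.exe Get-Process | Sort-Object CPU -Descending",
]
# Indicators visible in the raw command line.
PLAIN_PATTERNS = {
    "shadowstorage_resize": re.compile(r"vssadmin\s+resize\s+shadowstorage", re.I),
    "raccine_task_delete": re.compile(r"schtasks\.exe\s+/DELETE\s+/TN\s+.*Raccine", re.I),
    "cfa_disabled": re.compile(r"Set-MpPreference\s+-EnableControlledFolderAccess\s+Disabled", re.I),
    "token_filter_policy": re.compile(r"LocalAccountTokenFilterPolicy\b.*/d\s+1\b", re.I),
    "ad_computer_enum": re.compile(r"Get-ADComputer\s+-Filter\s+\*", re.I),
}

# Indicators that only surface once the split base64 fragments are rejoined and decoded.
DECODED_PATTERNS = {
    "defender_service_stop": re.compile(r"WinDefend", re.I),
    "shadowcopy_delete": re.compile(r"Win32_Shadowcopy", re.I),
}

# Matches FromBase64String('a'+'b'+ 'c'), the fragment-concatenation form used in the indicators.
CHUNKED_B64 = re.compile(r"FromBase64String\s*\(\s*((?:'[A-Za-z0-9+/=]*'\s*\+?\s*)+)\)", re.I)

def decode_chunked_base64(cmdline: str) -> list[str]:
    """Rejoin the quoted fragments and decode as UTF-16LE, as [Text.Encoding]::Unicode does."""
    decoded = []
    for match in CHUNKED_B64.finditer(cmdline):
        joined = "".join(re.findall(r"'([A-Za-z0-9+/=]*)'", match.group(1)))
        try:
            decoded.append(base64.b64decode(joined, validate=True).decode("utf-16-le"))
        except (ValueError, UnicodeDecodeError):
            continue  # malformed fragment: fall back to the plain-text rules only
    return decoded

def classify(cmdline: str) -> list[str]:
    """Return the names of every indicator a single command line matches."""
    hits = [name for name, pat in PLAIN_PATTERNS.items() if pat.search(cmdline)]
    for text in decode_chunked_base64(cmdline):
        hits += [name for name, pat in DECODED_PATTERNS.items() if pat.search(text)]
    return hits

if __name__ == "__main__":
    for line in SAMPLE_CMDLINES:
        print(classify(line) or "clean", "<-", line[:60])
```

The plain-text rules fire on the raw Windows Security 4688 or Sysmon event 1 command-line field, while the decoded rules catch the two indicators whose intent is hidden behind concatenated base64.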