Image credit: https://www.gettyimages.ca/photos/ezra-shaw-49ers
After falling short in the NFL Conference Championship, the San Francisco 49ers football franchise was recently hit with another blow; but this time off the field. On February 13, 2022, the organization was reportedly a victim of a ransomware attack by BlackByte [1].
What is ransomware?
Ransomware is a type of malware which attacks files on the computer system by encrypting them. To decrypt the files, the attacker typically asks for a ransom [2].
Who is BlackByte?
BlackByte is a Russian ransomware gang that has been targeting corporate organizations since July 2021. They operate as ransomware-as-a-service (RaaS), which means they rent out their ransomware to affiliates in exchange for a percentage of the ransom [3]. The RaaS model makes tracking the attackers difficult, because the affiliates can deploy the malware from anywhere. Although their first ransomware version was not very sophisticated, their second version appears much stronger and, according to the FBI alert of February 11, has been used to target “at least three US critical infrastructure sectors (government facilities, financial, and food & agriculture)” [1].
Image credit: https://www.hackread.com/blackbyte-ransomware-san-francisco-49ers/
The ransomware gang appears to have used Microsoft Exchange Server, the team’s mail server, to gain initial access to the team’s network. They then moved “laterally across the network and escalate[d] privileges before exfiltrating and encrypting files”, according to the FBI alert [1]. Privilege escalation refers to an attack that raises the attacker’s privileges to gain a higher level of control over a system [4]. The breach was confined to the team’s corporate IT network and does not appear to have affected stadium operations or season ticket holders. However, the ransomware gang did gain access to some of the team’s financial data, including a file named “2020 Invoices” that was leaked on the gang’s dark web site. It is unclear how much of the data was encrypted and whether an incident response company has been hired to help with the investigation [5].
What are authorities doing about this?
Although the FBI has issued an alert about BlackByte, there is not much that can be done at the moment because of the anonymity the RaaS model gives its operators and affiliates. The trend toward more RaaS groups brings more challenges for corporate organizations around the world, but certain measures can drastically reduce the likelihood of a successful ransomware attack.
According to the FBI and US Secret Service [6], some of these measures include:
- Implementing network segmentation so that malware cannot spread to every computer on the network.
- Installing and keeping up to date antivirus software.
- Disabling hyperlinks in incoming emails.
- Regularly backing up data, with the backups stored offline and password protected.
- Making sure the offline copies cannot be modified from the original machine, so an attacker who controls that machine cannot encrypt or delete the backups as well.
For ransomware gangs, the monetary gain currently outweighs the risk of severe consequences for their actions. This should not be the case. With ransomware on the rise in 2021, the US Department of Justice has made progress by forming the Ransomware and Digital Extortion Task Force [7], but clearly these efforts have not been enough to deter ransomware gangs.
References
[1]: https://www.hackread.com/blackbyte-ransomware-san-francisco-49ers/
[2]: https://www.mcafee.com/enterprise/en-ca/security-awareness/ransomware.html
[3]: https://techcrunch.com/2022/02/14/blackbyte-critical-infrastructure-ransomware/#:~:text=BlackByte%20is%20a%20ransomware%2Das,to%20target%20corporate%20victims%20worldwide.
[4]: https://www.beyondtrust.com/blog/entry/privilege-escalation-attack-defense-explained
[5]: https://www.msspalert.com/cybersecurity-breaches-and-attacks/ransomware/49ers-ransomware-attack-details-and-recovery-update/
[6]: https://www.bleepingcomputer.com/news/security/fbi-blackbyte-ransomware-breached-us-critical-infrastructure/
[7]: https://techcrunch.com/2021/12/30/the-year-the-tide-turned-on-ransomware/
Interesting post! I have never heard about this kind of malware. It’s like they kidnap important information of a certain organization and then ask for money. Seems like authorities currently have no clue about how to deal with this type of ransomware attack. I hope organizations will have more ideas about how to protect their company files in a more efficient way.
Good post, I like the way that you introduced the news while defining some new concepts that are personally new to me.
The details in this post made it easier for us to understand and react to the news.
Good job!
This is an interesting post. This kind of malware attack seems hard to deal with, and it appears that the FBI doesn’t really have a clue on what to do about it. I think that this can be frightening since ransomware will disable your files by encrypting them, and it seems like the only way to get them back is to pay a ransom to decrypt the files.
I find ransomware as a service to be a very interesting concept, especially as described here. In class we discussed the idea that malware production has to be possible, but I don’t see the value in renting it out for a percentage of the ransom, given that one could just take the entire ransom themselves. I suppose it would make sense if a flat fee is required beforehand regardless of any ransom earnings, but I wonder whether BlackByte is sacrificing any earnings by not just infecting others directly.
I think events like these just speak to the idea that organized crime is alive and well, though, and it’s gone digital. With how widespread PCs and phones are, the opportunities for extortion are endless, and I wouldn’t be surprised if there are many more “cyber gangs” like BlackByte floating around. I’d be curious to see how security recommendations (like those listed in the post) evolve as this becomes more of an issue.
The idea of “renting” out malware somewhat amuses me, as it had never occurred to me before that this is something people would do. I had before assumed that whoever made the malware would be the person using it. I guess renting malware out to multiple groups would make sense, as they can use the malware in many places at the same time, and perhaps there would be less of a chance that the malware gets traced back to the creator.
This is a fantastic article! It’s fascinating to observe how these scammers come up with new ways to defraud people without thinking about or considering the consequences. However, until the government devises a failsafe solution, it would be hard to put a stop to these ransomware gangs. Until then, it is our obligation to stay secure and keep our computers secured. You’ve listed several excellent precautions recommended by the FBI and US Secret Service, but I’d like to suggest a couple more: avoid dubious downloads and keep your operating system up to date. If someone is infected with ransomware, they should not pay the ransom and should call a professional as soon as possible.
This is an amazing post. This sort of malware assault appears hard to manage, and apparently nobody actually has an idea on what to do regarding it. I imagine that this can be startling since ransomware will debilitate your documents by scrambling them, and it seems like the best way to protect our data is to take the precautions which you provided.
Great post! In the attack the ransomware was not specifically mentioned, nor was whether or not any of the team’s systems had actually been encrypted. Acknowledging that the team is “working diligently to restore involved systems” may well indicate that the attackers successfully deployed malware.
It’s worrying that so little can be done to track down organizations like BlackByte because of their anonymity and because they’re in a foreign jurisdiction. I think the creation of a specialized team to deal with ransomware is a good idea, because maybe it will encourage other countries to do the same and increase the general safety of the internet as a whole, internationally. Good post!
Given the timing of this hack and the fact that the ransomware gang is Russian, I wonder if the perpetrators had a political goal in mind when they requested the attack. Additionally, the fact that ransomware is up for grabs essentially for a commission fee is alarming and will most definitely lead to even more attacks in the future. Like a lot of cyber crime, it will be difficult for the authorities to find the perpetrators. Hopefully companies will implement increased security measures and back up their files often enough that a ransomware attack does not affect them greatly.
Good post! While the attack against the 49ers was indeed harmful, I’m glad that it wasn’t launched against a more critical organization. The fact that the FBI reported that this ransomware has been used against government, financial and agricultural sectors is rather worrying. With the increased measure of anonymity gained from RaaS operations, I can see why there has been a sharp increase in the number of recent ransomware attacks; the added anonymity downplays the consequences of launching an illegal attack. If the authorities cannot identify the attacking group or any of its members, then there is an increased incentive to launch as many attacks as possible, without fear of being caught.
Very interesting post. Ransomware has always been one of the major hidden dangers of network security. I understand from your article that the FBI does not have a very good way to deal with ransomware. In my opinion, ransomware is no different from kidnapping and extortion, even more terrifying. While the police can deal with the kidnappers to get a chance to rescue them, ransomware is only a way to pay, and even the U.S. Department of Justice is not enough to organize ransomware gangs.
Sighhh, another ransomware attack, and also carried out by Russia. I am not sure if it is just my luck or if there is an increase in cyberattacks carried out from Russia recently, but I have seen a lot more news about them. This might also have to do with the political situation at the moment, where these attacks are given more of a spotlight. It’s troubling to see that these types of crimes are rising and getting bolder and bolder with who the victims are (I guess that makes sense, since the bigger the company, the greater the monetary incentive is). Great post!