San Francisco 49ers’ Jimmie Ward, left, is called for a penalty kick as he hits Los Angeles Rams’ Odell Beckham Jr. during the NFC Championship Game, Inglewood, Calif., January 30, 2022.
AP Photo/Mark J. Terrill
RICHMOND, Va. (AP) — The San Francisco 49ers have been hit by a ransomware attack, with cybercriminals claiming to have stolen some of the football team’s financial data.
The BlackByte ransomware gang recently posted some of the allegedly stolen team documents on a dark website in a file titled “2020 Invoices”. The gang has not made any of its ransom demands public or specified how much data it has stolen or encrypted.
The team, which is one of the most valuable and legendary franchises in the NFL and lost a close playoff game two weeks ago, said in a statement Sunday that it had recently become aware of a “network security incident” that had disrupted some of its corporate IT services. The 49ers said they notified law enforcement and hired cybersecurity firms to help.
“At this time, we have no indication that this incident involves systems outside of our corporate network, such as those connected to Levi’s Stadium operations or ticket holders,” the team said in a statement, referring to its home stadium.
News of the attack comes two days after the FBI and US Secret Service issued an alert on BlackByte ransomware, saying it had “compromised multiple US and foreign businesses, including entities in at least three US critical infrastructure sectors” since November.
Ransomware gangs, which hack into targets and hold their data hostage through encryption, have wreaked widespread havoc over the past year with high-profile attacks on the world’s largest meatpacking company, the largest US fuel pipeline and other targets. Western governments have pledged to crack down on cybercriminals, who operate primarily in and around Russia, but have little to show for their efforts.
In the past month, ransomware victims have included maritime fuel depot operators in Belgium and Germany and media outlets in Portugal. A cyberattack on wireless service provider Vodafone in Portugal last week had all the hallmarks of ransomware, although the company’s CEO for Portugal said he had not received any ransom demand.
BlackByte is a ransomware-as-a-service group. That means it’s decentralized, with independent operators developing the malware, hacking organizations, or fulfilling other roles. This is part of a trend of increasing professionalization of ransomware groups. A recent report by the FBI, NSA and others said ransomware operators are even setting up an arbitration system to resolve payment disputes between them.
Brett Callow, a threat analyst at cybersecurity firm Emsisoft, said BlackByte’s malware, like many ransomware variants, is hard-coded to not encrypt systems that use Russian or languages used by some Russian allies.
But Callow said that doesn’t mean whoever is behind the 49ers attack is in Russia or any of its neighbors.
“Anyone can use the malware to launch attacks,” he said.