I love watching US football games. One of my fondest sports memories is when the Baltimore Ravens beat the San Francisco 49ers 34-31 in Super Bowl XLVII. Players and coaches work immensely hard just to reach the Super Bowl, let alone win it. However, a US National Football League (NFL) team consists of more than simply players and coaches—and the average fan often forgets that fact. A team is also made up of front-office executives, trainers, cafeteria staff, bus drivers, social media personnel and more. Included in this list are IT professionals. Now, readers may wonder why I chose to write about a game that happened almost a decade ago. Well, that is because, depending on who you ask, the San Francisco 49ers recently lost a much more important game: the game of information security.
Who or What Is BlackByte?
The San Francisco 49ers team, one of the NFL’s 32 professional football teams, was hit by a Ransomware-as-a-Service (RaaS) faction called BlackByte.1 This attack occurred mere days after the US Federal Bureau of Investigation (FBI) and the US Secret Service released an Indicators of Compromise (IOC) report stating that BlackByte successfully targeted and exploited US critical infrastructure and non-US entities. According to the report’s summary, “As of November 2021, BlackByte ransomware had compromised multiple US and foreign businesses, including entities in at least three US critical infrastructure sectors (government facilities, financial, and food & agriculture).”2 BlackByte is not the first RaaS organization to exist, and it surely will not be the last. However, the group and its malware have caught the attention of security professionals and football fans alike. The BlackByte brand of ransomware was first noted and reported in July 2021.3
The NFL team responded to the attack, making a statement that included the following:
The San Francisco 49ers recently became aware of a network security incident that resulted in temporary disruption to certain systems on our corporate IT network. Upon learning of the incident, we immediately initiated an investigation and took steps to contain the incident. Third-party cybersecurity firms were engaged to assist, and law enforcement was notified. While the investigation is ongoing, we believe the incident is limited to our corporate IT network; to date, we have no indication that this incident involves systems outside of our corporate network, such as those connected to Levi’s Stadium operations or ticket holders. As the investigation continues, we are working diligently to restore involved systems as quickly and as safely as possible.4
BlackByte’s Success and Motivations
Like other malicious groups, BlackByte uses encryption to render files unreadable. The software targets machines using Windows operating systems, encompassing both physical and virtual servers. The ransomware specifically takes advantage of a previously disclosed Microsoft Exchange vulnerability.
The technical details of the same Internet Crime Complaint Center (IC3) report stated:
The BlackByte executable leaves a ransom note in all directories where encryption occurs. The ransom note includes the .onion site that contains instructions for paying the ransom and receiving a decryption key. Some victims reported the actors used a known Microsoft Exchange Server vulnerability as a means of gaining access to their networks. Once in, actors deploy tools to move laterally across the network and escalate privileges before exfiltrating and encrypting files. In some instances, BlackByte ransomware actors have only partially encrypted files. In cases where decryption is not possible, some data recovery can occur. Previous versions of BlackByte ransomware downloaded a .png file from IP addresses 185.93.6.31 and 45.9.148.114 prior to encryption. A newer version encrypts without communicating with any external IP addresses. BlackByte ransomware runs executables from c:\windows\system32\ and C:\Windows\. Process injection has been observed on processes it creates.5
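The two IP addresses and the pre-encryption .png download quoted from the FBI/US Secret Service report above are the kind of network indicators a defender can sweep proxy or firewall logs for. The following Python is an added example, not code from the article or the report; the log line format and the sample lines are constructed for illustration, and, as the report itself notes, newer BlackByte builds encrypt without contacting any external address, so no hit is not the same as no compromise.

```python
import ipaddress
import re
from collections import defaultdict

# Network indicators quoted from the FBI/USSS IoC report cited in the article:
# older BlackByte builds fetched a .png from these hosts before encrypting.
BLACKBYTE_C2_IPS = {"185.93.6.31", "45.9.148.114"}

# Constructed proxy-log format for this example (not any real product's format):
# <timestamp> <src_ip> -> <dst_ip> <method> <url> <status>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) -> (?P<dst>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)

def parse_line(line):
    """Parse one constructed log line into a dict, or None if it does not fit."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def match_iocs(lines):
    """Return one alert dict per internal host that contacted a report-listed IP.

    Each alert records the matched destinations, the raw lines, and whether a
    .png was fetched, which is the pre-encryption behaviour the report describes.
    """
    hits = defaultdict(lambda: {"dst_ips": set(), "png_fetch": False, "lines": []})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip lines that do not fit the expected format
        try:
            dst = str(ipaddress.ip_address(rec["dst"]))  # normalise the address
        except ValueError:
            continue  # destination is a hostname or garbage, not an IP
        if dst not in BLACKBYTE_C2_IPS:
            continue
        h = hits[rec["src"]]
        h["dst_ips"].add(dst)
        h["lines"].append(line.strip())
        if rec["url"].lower().endswith(".png"):
            h["png_fetch"] = True
    return [{"src": src, **v} for src, v in sorted(hits.items())]

# Constructed sample lines: one host matches both indicators, the rest are benign.
SAMPLE_LOG = """\
2022-02-10T03:11:05Z 10.20.1.17 -> 185.93.6.31 GET /a.png 200
2022-02-10T03:11:06Z 10.20.1.17 -> 45.9.148.114 GET /a.png 200
2022-02-10T03:12:00Z 10.20.1.18 -> 203.0.113.5 GET /index.html 200
garbage line that does not parse
"""

if __name__ == "__main__":
    for alert in match_iocs(SAMPLE_LOG.splitlines()):
        print(alert["src"], sorted(alert["dst_ips"]), "png_fetch=", alert["png_fetch"])
```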
As is the case for most, if not all, ransomware groups, BlackByte uses sophisticated technical measures to make demands. Now that the who, what and how of BlackByte and its ransomware have been addressed, the question is: Why? Most demands are financially or politically motivated, or both. It has been confirmed that data have been stolen and business continuity was disrupted. What was the motive of the San Francisco 49ers attack and what is the motive of BlackByte as a whole? Does San Francisco, California, USA, a major tech city and home of the RSA security conference, have any significance? Money and politics can and always will be a motive, but other motives are not so clear.
In addition to launching attacks for financial gain, BlackByte also lends its software to interested malicious parties. In return, BlackByte takes home a share of the illegal profits. With this expansion of threat actors, the types of motives can expand and become muddier as the users of BlackByte ransomware grow. This results in uncertainty when attempting to pinpoint a motive. However, due to BlackByte’s history of previous targets,6 one can speculate, and only speculate, that both money and politics play a part.
Conclusion
Ransomware attacks continue to be a growing threat to government agencies and private enterprises. Although I have discussed the security posture of a single NFL team, this mindset can be applied to how cyberprofessionals approach information security in many aspects. Security has primarily been, and continues to be, an afterthought compared to an enterprise’s primary business objective. Even as an IT security professional, when I sit down to watch US football on Sundays, I am there to root for the Ravens, not to think about a football team’s security posture. So, how can the average fan be expected to think about it? Similar to the majority of organizations, the NFL’s bottom line is the US dollar. And it is certainly not the only enterprise that holds that view.
If the Super Bowl can go off without a hitch hours after a team was compromised, did the incident even matter? The answer may vary depending on who you ask. Were there any lessons learned? The San Francisco 49ers’ IT professionals likely learned the importance of timely backups, patching, segmentation and other mitigation techniques. However, those are not really the lessons to which I am referring. What is truly important to understand is the significance and urgency of information security, which start at the top. Information security and awareness must involve the entire organization. Until they do, news stories reporting on events such as BlackByte’s attack on the San Francisco 49ers will be published continuously—and we will be interested for only as long as our brief attention span allows. Then the cycle repeats and we are back where we started. The breaking news story may be different, but the message remains the same.
Endnotes
1 Vaas, L.; “BlackByte Tackles the SF 49ers & US Critical Infrastructure,” Threatpost, 14 February 2022
2 Federal Bureau of Investigation and US Secret Service; Indicators of Compromise Associated With BlackByte Ransomware, USA, 11 February 2022
3 Op cit. Vaas
4 Ibid.
5 Op cit. Federal Bureau of Investigation and US Secret Service
6 Ibid.
Kevin Keh, CDPSE, CSX-P, CEH
Is the principal of IT Professional Practices at ISACA. In this role, he develops and facilitates a variety of IT-related thought leadership. He also serves ISACA® departments as a subject matter expert by generating ideas and deliverables relevant to ISACA’s constituents. Prior to this role, Keh was part of ISACA’s cyberengineering team, building live and holistic lab environments and creating supplemental hands-on cybersecurity content.