BlackByte Ransomware Hits San Francisco 49ers' IT Systems
Ransomware-as-a-Service Group Confirms Attack on Its Leak Site
Days after the Federal Bureau of Investigation and the U.S. Secret Service issued a cybersecurity advisory on the ransomware-as-a-service group BlackByte, the group hit the corporate IT network of the National Football League's San Francisco 49ers team on Sunday.
BlackByte boasted of its successful "network security incident" on its leak site. A representative of the football team has not responded to Information Security Media Group's request for attack confirmation and additional details.
The incident did not affect computer systems involved with stadium operations or ticket holders, the team told CNN. It said that steps were being taken to contain the attack's spread, a third-party cybersecurity services provider had been hired to lead the recovery and restoration process and an investigation into the incident had been launched.
As of November 2021, BlackByte ransomware had affected businesses internationally, including government, financial, and food and agriculture entities that are deemed critical infrastructure in the U.S., according to the cybersecurity advisory. "The group encrypts files on compromised Windows host systems, including physical and virtual servers," it says.
Juicy Targets
High-profile global sporting events draw the attention of hackers, says Sam Curry, chief security officer of cybersecurity firm Cybereason. The FBI recently warned athletes competing in the Olympics to use burner phones while in Beijing to reduce the likelihood of identity theft, he says, and the bureau also warned of a likely increase in DDoS, ransomware and phishing attacks against the International Olympic Committee's network and related sites.
"With the reported ransomware attack on the San Francisco 49ers making headlines on Super Bowl Sunday, unless evidence down the road points to a targeted attack, it’s far more likely that this was a drive-by attack that landed on a big-profile victim," Curry tells ISMG.
"What most ransomware organizations want is a high ability to pay, which is a function of money available and critical or even life-supporting services. The last thing they want is a big splash victim who doesn’t pay," he says.
And Joseph Carson, chief security scientist at privileged access management platform provider Delinea, says, "During major events, cybercriminals take advantage of unsuspecting victims, convincing them to click on links, download and execute malicious software or hand over their credentials, assuming it is for access to a legitimate internet service. This results in cybercriminals gaining initial access to networks and services. Once access is compromised, it is only a matter of time before ransomware is deployed."
On the other hand, Carson says, it is unlikely that the creators of the ransomware hacked into the 49ers themselves. It was probably done by an affiliate who, in return for access to the ransomware, paid royalties back to the creators, he says.
Organizations should never let their guard down when it comes to ransomware, even when major hacking gangs are apparently going offline, Christos Betsios, cybersecurity officer at security firm Obrela Security Industries, says. "Organizations should focus on defenses that stop ransomware getting onto systems, carry out network segmentation, run regular incident response training and try to keep backups offline if they want to prevent an incident like this," he says.
Analyzing BlackByte
BlackByte was launched in mid-2021 and, like multiple other ransomware families, is coded to avoid encrypting systems whose language is Russian or that of another post-Soviet country, Brett Callow, threat analyst at the cybersecurity firm Emsisoft, tweeted.
The SF #49ers have confirmed a "network security incident" after being listed by #ransomware operation BlackByte 1/4
— Brett Callow (@BrettCallow) February 13, 2022
Several ransomware operators, BlackByte among them, pressure victims into paying by listing them, and threatening to publish exfiltrated data, on data leak sites that are reachable only via the anonymizing Tor network.
Upon successful infiltration, the threat actor deploys tools to move laterally across the network and escalate privileges before exfiltrating and encrypting files, the law enforcement advisory says. In some instances, BlackByte ransomware actors have only partially encrypted files. In cases where decryption is not possible, some data recovery can occur, the advisory says.
The group delivers malware into a system using a JavaScript launcher file, Chicago-based cybersecurity and managed security services provider Trustwave reports.
The file is part of a process designed to decode and launch the malicious payload, which is a .NET DLL file designed to evade the Microsoft Antimalware Scan Interface and prepare a system for having most of its files forcibly encrypted.
Trustwave says that the malware can also adjust registry settings to escalate privileges, identify other systems via Active Directory and mount external drives.
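A triage check for the launcher stage described above, added here as an example and not code from Trustwave or from the sample itself: it scans a script for long base64 runs, decodes each one, and reports any that decode to a PE image carrying markers commonly found in .NET assemblies. Base64 as the encoding, the 200-character minimum run, the marker strings and the embedded launcher (constructed, not a real capture) are all this example's assumptions; the page says only that the JavaScript file decodes and launches a .NET DLL.

```python
"""Flag script files that carry a base64-encoded .NET PE payload.

Added example for triage of a JavaScript launcher; assumptions are marked below.
"""
import base64
import binascii
import re
from typing import Dict, List

# Assumption: the payload is a single base64 run of at least 200 characters.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{200,}={0,2}")

# Strings commonly present in .NET assemblies: the CLR loader import and the
# "BSJB" signature that opens the CLR metadata header. Not every .NET DLL
# carries all of them, so they are reported, not required.
DOTNET_MARKERS = (b"mscoree.dll", b"_CorDllMain", b"BSJB")


def find_embedded_dotnet(script: bytes) -> List[Dict[str, object]]:
    """Return one record per base64 run that decodes to a PE ("MZ") image."""
    hits: List[Dict[str, object]] = []
    for match in B64_RUN.finditer(script):
        try:
            blob = base64.b64decode(match.group(0), validate=True)
        except binascii.Error:
            continue  # long alphanumeric run that is not valid base64
        if blob[:2] != b"MZ":
            continue  # decodes, but not to a PE image
        markers = [m.decode() for m in DOTNET_MARKERS if m in blob]
        hits.append({
            "offset": match.start(),      # where the run sits in the script
            "size": len(blob),            # decoded payload size in bytes
            "dotnet_markers": markers,    # which .NET markers were seen
        })
    return hits


# Constructed sample payload: a fake PE header plus two .NET markers.
SAMPLE_PAYLOAD = b"MZ" + b"\x90" * 100 + b"BSJB" + b"mscoree.dll" + b"\x00" * 60

# Constructed launcher text in the shape of a JScript dropper (not a real sample).
SAMPLE_LAUNCHER = (
    b'var payload = "' + base64.b64encode(SAMPLE_PAYLOAD) + b'";\n'
    b'var asm = load(decode(payload));\n'
)

# A long base64 run that decodes to plain text should not be reported.
BENIGN_SCRIPT = b'var s = "' + base64.b64encode(b"A" * 300) + b'";\n'


if __name__ == "__main__":
    for name, script in (("launcher", SAMPLE_LAUNCHER), ("benign", BENIGN_SCRIPT)):
        print(name, find_embedded_dotnet(script))
```

The check is deliberately loose: it confirms only that a script carries a decodable PE image, which is enough to pull the file for a closer look. A real dropper may split or obfuscate the blob, so absence of a hit is not a clean bill of health.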
Like many other types of ransomware, Trustwave says, BlackByte first checks a system's default language to see if the device appears to be located in Armenia, Azerbaijan, Belarus, Georgia, Kazakhstan, Russia, Tajikistan, Turkmenistan, Ukraine or Uzbekistan. If so, the malware quits.
Some security experts say most ransomware operators appear to be Russian speakers and will avoid attacking targets in Russia or any other countries that were part of the Soviet Union to avoid reprisals from local law enforcement agencies.
The advisory also states that some versions of BlackByte ransomware download a supposed PNG image file from an external server, and the image contains the information needed by the ransomware to generate a key and encrypt files.
"If the ransomware fails to download the key, it will crash and will save the infected system from getting its files encrypted," Trustwave says. Otherwise, the ransomware enumerates drives and encrypts files with an AES symmetric key derived from the PNG image file, Trustwave says.
The required PNG file is no longer online, which supports Trustwave's assessment that BlackByte's developers have likely already spotted the weak encryption and are preparing a fresh version of their ransomware.
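A model of the key handling described in the preceding paragraphs, added here as an example rather than code from Trustwave, the advisory or the sample: the language kill switch, the key derived entirely from a downloaded image, the crash when that download fails, the ransom note dropped in every directory, and the consequence that anyone holding the same image derives the same key and can decrypt. Assumptions, also marked in the code: SHA-256 over the image bytes stands in for whatever derivation the sample used; a SHA-256 counter-mode keystream stands in for AES so the example runs on the standard library alone; the language tags are our mapping of the countries the page lists; the note file name, note text and image bytes are constructed.

```python
"""Why a key derived from a shared static file is recoverable.

Added example modelling the described behaviour over an in-memory file tree.
"""
import hashlib
import os
import posixpath
from typing import Dict, Optional

# Constructed stand-in for the image the sample fetched: PNG signature plus filler.
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"constructed-image-body-" * 8

# Assumption: language tags for the countries listed on the page.
SKIP_LANGS = {"hy-AM", "az-AZ", "be-BY", "ka-GE", "kk-KZ",
              "ru-RU", "tg-TJ", "tk-TM", "uk-UA", "uz-UZ"}

NOTE_NAME = "RANSOM_NOTE.txt"  # placeholder name, not the sample's
RANSOM_NOTE = b"Files encrypted. Instructions at the .onion address in this note.\n"  # placeholder text


def language_allows_run(default_language: str) -> bool:
    """Kill switch: the sample quits on a system set to one of the skipped languages."""
    return default_language not in SKIP_LANGS


def derive_key(png: Optional[bytes]) -> bytes:
    """All key material comes from the downloaded image (assumption: SHA-256 as KDF).
    The real sample crashed when the download failed; here that is an explicit error."""
    if png is None:
        raise RuntimeError("key image unavailable: nothing gets encrypted")
    return hashlib.sha256(png).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from SHA-256, a stand-in for AES-CTR."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


def encrypt_file(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)  # fresh per file, since the key itself is shared
    return nonce + _xor(plaintext, _keystream(key, nonce, len(plaintext)))


def decrypt_file(key: bytes, blob: bytes) -> bytes:
    nonce, body = blob[:16], blob[16:]
    return _xor(body, _keystream(key, nonce, len(body)))


def encrypt_tree(files: Dict[str, bytes], png: Optional[bytes],
                 default_language: str) -> Dict[str, bytes]:
    """Language check, key from the image, encrypt every file, note in every directory."""
    if not language_allows_run(default_language):
        return dict(files)  # sample exits; tree untouched
    key = derive_key(png)   # raises if the image could not be fetched
    out: Dict[str, bytes] = {}
    for path, data in files.items():
        out[path] = encrypt_file(key, data)
        out[posixpath.join(posixpath.dirname(path), NOTE_NAME)] = RANSOM_NOTE
    return out


def decrypt_tree(encrypted: Dict[str, bytes], png: bytes) -> Dict[str, bytes]:
    """Recovery side: the same image yields the same key for every victim."""
    key = derive_key(png)
    return {p: decrypt_file(key, d) for p, d in encrypted.items()
            if posixpath.basename(p) != NOTE_NAME}


# Constructed file tree for the demonstration.
SAMPLE_FILES = {"docs/report.txt": b"quarterly figures", "db/blob.bin": bytes(range(64))}

if __name__ == "__main__":
    enc = encrypt_tree(SAMPLE_FILES, SAMPLE_PNG, "en-US")
    print(sorted(enc))
    print(decrypt_tree(enc, SAMPLE_PNG) == SAMPLE_FILES)
```

Two things fall out of the model. The same image gives every victim the same key, so a decryptor needs nothing from the attacker once the image is in hand; and because the key never exists without the image, a failed download leaves files untouched, which is the crash Trustwave describes.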
According to the joint advisory from the FBI and Secret Service, the BlackByte executable leaves a ransom note in every directory where encryption occurs. The ransom note includes the .onion site that contains instructions for paying the ransom and receiving a decryption key. Some past victims have reported that the actors used a known Microsoft Exchange Server vulnerability as a means of gaining access to their networks, the advisory says.