The BlackByte ransomware gang claims to have stolen data from the NFL’s San Francisco 49ers. The attack caused a temporary disruption to the organization’s networks, but the full extent of the attack is still under investigation. It is believed that the 49ers’ devices were likely encrypted, although it has not been confirmed. The breach was announced hours before the kickoff to the Superbowl. The threat actors stated they have stolen 2020 invoices from the 49ers network, although it is unclear how much data has been stolen. BlackByte is known for releasing victim data in increasing amounts to pressure the victim into paying a ransom. A member of the 49ers organization released the following statement on the situation. “The San Francisco 49ers recently became aware of a network security incident that resulted in temporary disruption to certain systems on our corporate IT network. Upon learning of the incident, we immediately initiated an investigation and took steps to contain the incident. Third-party cybersecurity firms were engaged to assist, and law enforcement was notified. While the investigation is ongoing, we believe the incident is limited to our corporate IT network; to date, we have no indication that this incident involves systems outside of our corporate network, such as those connected to Levi’s Stadium operations or ticket holders. As the investigation continues, we are working diligently to restore involved systems as quickly and as safely as possible.”
Organizations that are victims of ransomware attacks should seek professional help from incident response and data recovery service providers and consider reporting the incident to law enforcement. Organizations should also initiate proactive measures to ensure they are protected from ransomware. The US DHS website, stopransomware.gov, has links to resources that help organizations protect their systems from intrusions that lead to ransomware. To protect against ransomware attacks, organizations should:
• Regularly back up data, air gap, and password protect backup copies offline.
• Ensure copies of critical data are not accessible for modification or deletion from the system where the data resides.
• Implement network segmentation.
• Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, secure location (i.e., hard drive, storage device, the cloud).
• Install updates/patch operating systems, software, and firmware as soon as practical after they are released. Implement monitoring of security events on employee workstations and servers, with a 24/7 Security Operations Center to detect threats and respond quickly.
• Use multifactor authentication where possible.
• Use strong passwords and regularly change passwords to network systems and accounts, implementing the shortest acceptable timeframe for password changes.
• Avoid reusing passwords for multiple accounts.
• Focus on cyber security awareness and training.
• Regularly provide users with training on information security principles and techniques as well as overall emerging cybersecurity risks and vulnerabilities.