The San Francisco 49ers were hit by BlackByte ransomware over the weekend.

The team confirmed the cyberattack after the operators of the BlackByte ransomware listed the team as one of their victims on Saturday on a dark web “leak site.” The group typically uses the site to shame victims and force them into paying their extortion demands.

The San Francisco 49ers told The Record that steps were taken to contain the incident. “While the investigation is ongoing, we believe the incident is limited to our corporate IT network; to date, we have no indication that this incident involves systems outside of our corporate network, such as those connected to Levi’s Stadium operations or ticket holders,” the team noted.

The 49ers are working with law enforcement and third-party cybersecurity firms to investigate the attack and restore systems as soon as possible.

If the team had qualified for the Super Bowl LVI, the cyberattack could have disrupted the team’s operations and game-day preparations. The attack, however, should be a warning for organizers, sports teams and fans, says Joseph Carson, Chief Security Scientist and Advisory CISO at Delinea

During major events, cybercriminals will take advantage of unsuspecting victims to access networks and services. “Once access is compromised, it is only a matter of time before ransomware is deployed,” Carson says.

Because BlackByte is a Ransomware as a Service (RaaS) group, it is likely that BlackByte did not hack the 49ers but rather an affiliate who pays back royalties in return for access to the ransomware, Carson explains. 

In November 2021, BlackByte ransomware compromised multiple U.S. and foreign businesses, including entities in at least three U.S. critical infrastructure sectors (government facilities, financial, and food & agriculture), according to a Federal Bureau of Investigation Joint Cybersecurity Advisory released days before the hack. 

While the ransomware operator is not more sophisticated than other actors in the ransomware world, BlackByte is “the next up-and-coming player to exploit organizations and their data,” says Matthew Warner, CTO and Co-Founder at Blumira. The group has experienced success following well-proven tactics implemented by previous groups, like Conti ransomware, using Exchange vulnerabilities such as ProxyShell to gain a foothold in environments and move laterally across the network and escalate privileges before exfiltrating and encrypting files, Warner explains.

Security teams should continue to improve their organization’s security posture through improved visibility across Windows with endpoint detection and response tools. “Most importantly, BlackByte and similar ransomware operators’ successful attacks continue to show the importance of patching and reducing your attack surface facing the internet,” notes Warner.

Carson suggests security teams should be “incident response ready” and have a solid backup and recovery strategy that includes ransomware mitigation along with strong identity and access security controls.