Computing Applications

BlackByte Ransomware Bites Critical Infrastructure, the San Francisco 49ers

Artist's representation of ransomware.
BlackByte ransomware uses pen-testing tools such as Cobalt Strike to facilitate lateral movement and manage the host systems that the attack compromises.

According to Yahoo News, the BlackByte Ransomware-as-a-Service group breached the San Francisco 49ers on February 13, 2022, the day of the Super Bowl and just two days after the U.S. Federal Bureau of Investigation (FBI) and Secret Service announced the group had compromised U.S. critical infrastructure.

As of November 21, 2021, BlackByte Ransomware had compromised at least three U.S. critical infrastructure sectors, including government facilities, financial, and food and agriculture, a joint cybersecurity advisory from the FBI and the Secret Services says. The ransomware breached the networks of multiple U.S. and foreign businesses besides, according to the advisory, which was released February 11.

Forty-eight hours later, on the day of Super Bowl LVI, the BlackByte Ransomware-as-a-Service group hacked into the servers of the San Francisco 49ers football team, according to multiple news reports, and encrypted and held its data for ransom. The 49ers were not playing in this year's Super Bowl.

Dissecting BlackByte ransomware attacks.

BlackByte Ransomware-as-a-Service attacks and compromises Microsoft Windows physical and virtual server hosts listed in Microsoft Active Directory and encrypts files on the hosts.

Each Ransomware attack starts with a network entry point, a place to gain unauthorized network access, such as a vulnerable piece of software accessible via the Internet. It elevates account privileges and moves laterally inside east-west network traffic to get to sensitive data.

According to Matt Hull, global lead for Strategic Threat Intelligence of the NCC Group, a global cybersecurity services firm, BlackByte Ransomware attacks enter networks initially through vulnerabilities in SonicWall VPNProxyShellremote access systems, and via phishing attacks, as well as through Microsoft Exchange server vulnerabilities. According to Hull, the attacks take over networks using standard tools such as the Cobalt Strike pen test tool and the AnyDesk remote desktop access tool.

BlackByte starts a command interpreter on a Microsoft Exchange server on the target network, says Timothy J. Shimeall of the Computer Emergency Response Team (CERT) of Carnegie Mellon University. Each command starts a subsidiary interpreter, runs a malicious command (a set of malicious instructions), and then terminates. "The subsidiary interpreters run to make the malicious code more robust and harder to trace," explains Shimeall.

BlackByte elevates privileges by assuming the system privileges of the processes it compromises. According to Shimeall, BlackByte acquires system privileges by running its command interpreter and malicious commands on the Microsoft Exchange server, which corrupts the Exchange process so BlackByte can usurp authority over the system privileges of the process.   

Once a BlackByte ransomware attack gains entry to the network, it begins to move laterally inside the network. According to John Fokker, head of cyber investigations at cybersecurity firm Trellix, BlackByte ransomware uses pen-testing tools such as Cobalt Strike to facilitate lateral movement and manage the host systems (computers) that the attack compromises.

BlackByte uses Microsoft Active Directory to create a list of hosts to attack. "The BlackByte malware runs a series of Active Directory queries to enumerate (list) the machines on the local network, archiving the results in a local file. It then attempts to start command shells on those machines, either through exploiting common accounts or through vulnerabilities in system services," says Shimeall.

According to a Trustwave analysis, the BlackByte worm capability spreads the ransomware functions as follows: BlackByte copies itself to the remote host share path for each machine, replicating itself on each one. Once the obamka.js BlackByte ransomware file arrives on the host, the attack schedules a task to run the ransomware on the host to encrypt the host's files.

BlackByte encrypts the data on the host, using SMB and AES encryption, leaving a ransom note in every directory where it has encoded the data, according to Hull. "The contents of the ransom notes include the .onion site with the relevant instructions for paying the ransom and accessing the decryption key," says Hull.

49ers, Critical Infrastructure attacks

"The BlackByte Ransomware attack on the 49ers was likely highly targeted," says Hull. The attackers chose the 49ers and specified the timing to exacerbate the sense of urgency for the football organization, incentivizing the ransom payment, he explains.  

According to Yahoo News, the 49ers confirmed the breach, stating they believed the compromise was limited to the corporate network. The 49ers did not confirm whether they paid the ransom.

Attacks on critical infrastructure have farther-reaching effects than attacks on sports teams do. According to Hull, by encrypting critical infrastructure systems, the BlackByte ransomware attacks certainly caused operational disruption and financial loss to the targeted organizations. "Depending on the nature of the critical national infrastructure (CNI) targeted, ransomware can affect the rest of the region economically and logistically, as was the case with the Colonial Pipeline attack, where gas prices dramatically increased," says Hull.

The FBI and Secret Service advisory did not disclose the specific critical infrastructure entities that BlackByte ransomware has infected.


David Geer is a journalist who focuses on issues related to cybersecurity. He writes from Cleveland, OH, USA.

Join the Discussion (0)

Become a Member or Sign In to Post a Comment

The Latest from CACM

Shape the Future of Computing

ACM encourages its members to take a direct hand in shaping the future of the association. There are more ways than ever to get involved.

Get Involved

Communications of the ACM (CACM) is now a fully Open Access publication.

By opening CACM to the world, we hope to increase engagement among the broader computer science community and encourage non-members to discover the rich resources ACM has to offer.

Learn More