FBI says BlackByte ransomware group has breached critical US infrastructure

The group has also infiltrated servers owned by the SF 49ers.

Wachirawit Jenlohakit via Getty Images

The BlackByte ransomware group has compromised entities in at least three US critical infrastructure sectors, according to a joint warning issued (PDF) by the FBI and the US Secret Service on February 11th. Days after that, right before the Super Bowl, the group has also infiltrated servers owned by the San Francisco 49ers. The team's representatives have confirmed the hack after BlackByte posted a file that it supposedly stole from the 49ers on its website, according to Ars Technica. That 379MB file reportedly contained billing statements sent by the team to its partners that include AT&T and Pepsi.

The 49ers' reps said they believe "the incident is limited to [their] corporate IT network" and has no indication that it involved outside systems, such as those "connected to Levi's Stadium operations or ticket holders." They've notified law enforcement and are working with third-party cybersecurity firms to investigate the incident. "We are working diligently to restore involved systems as quickly and as safely as possible," the reps said. As for the critical infrastructures that were affected, the FBI and the Secret Service didn't name them, but they did say they're government facilities and in the financial and food & agriculture sectors.

BlackByte is a ransomware-as-a-service (RaaS) operation that allows affiliates to use its ransomware for a percentage of the proceeds. It first surfaced in July last year, but a flaw in its system allowed security firm Trustwave to release a decryption tool that victims were able to use for free instead of paying the group to have their files unlocked. An updated version of the ransomware patched that flaw.

In their warning, the authorities said some victims reported that the bad actors used a known Microsoft Exchange Server vulnerability to gain access to their networks. The authorities have also released filenames, indicators of compromise and hashes that IT personnel can use to check their networks for presence of the ransomware.