The San Francisco 49ers are the victims of a cyberattack, and the BlackByte ransomware gang is claiming responsibility.
The timing of the attack against an NFL franchise in California ahead of the Super Bowl’s kickoff in Los Angeles is not likely a coincidence, according to Brett Callow, a threat analyst for anti-virus software firm Emsisoft.
Mr. Callow spotted BlackByte claiming responsibility for the attack and said that timing it for Super Bowl weekend may have garnered the gang more publicity and credibility with which to grow its cybercrime business.
“Ransomware is not typically targeted, and it’s quite likely that the attackers did a happy dance when they realized the network they’d landed on belonged to the 49ers,” Mr. Callow said in an email. “That said, it’s possible that they may have compromised the network weeks previously and waited until now to execute the attack, believing that the 49ers may have been under additional pressure to pay in days immediately prior to [the] Super Bowl.”
The 49ers have confirmed the cyberattack and said it affected the franchise's corporate information technology network. The franchise said it engaged cybersecurity firms to help investigate and contacted law enforcement.
“While the investigation is ongoing, we believe the incident is limited to our corporate IT network; to date, we have no indication that this incident involves systems outside of our corporate network, such as those connected to Levi’s Stadium operations or ticket holders,” the 49ers said in a statement. “As the investigation continues, we are working diligently to restore involved systems as quickly and as safely as possible.”
The attack became public soon after the FBI issued a warning about the BlackByte gang on Friday.
The FBI shared its alert via Twitter on Saturday and labeled BlackByte ransomware a threat to “multiple U.S. and foreign businesses” and directed people to review its advisory, which said the gang had previously attacked government facilities, the financial sector, and the food and agriculture sector.
The attackers’ identity is not fully known. Mr. Callow said BlackByte does not encrypt computers that use “Russian or ex-Soviet languages,” but noted that its affiliates can come from anywhere around the world.
• Ryan Lovelace can be reached at rlovelace@washingtontimes.com.