{
	"id": "c95d4517-4a3d-47d7-a7bb-2eb4fac9a48c",
	"created_at": "2026-04-06T00:15:01.062864Z",
	"updated_at": "2026-04-10T03:32:24.829599Z",
	"deleted_at": null,
	"sha1_hash": "bc816a601562fd33abb3b5ffc6c1a2a9d962cadf",
	"title": "San Francisco 49ers confirm ransomware attack",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 179558,
	"plain_text": "San Francisco 49ers confirm ransomware attack\r\nBy Catalin Cimpanu\r\nPublished: 2023-01-17 · Archived: 2026-04-05 20:11:01 UTC\r\nThe San Francisco 49ers NFL team has fallen victim to a ransomware attack that encrypted files on its corporate\r\nIT network, a spokesperson for the team has told The Record.\r\nThe team confirmed the attack earlier today after the operators of the BlackByte ransomware listed the team as\r\none of their victims on Saturday on a dark web \"leak site\" the group typically uses to shame victims and force\r\nthem into paying their extortion demands.\r\nImage: Screenshot of the BlackByte 49ers extortion page (via @CyberKnow20)\r\n\"Upon learning of the incident, we immediately initiated an investigation and took steps to contain the incident,\"\r\nthe team told us earlier today.\r\n\"While the investigation is ongoing, we believe the incident is limited to our corporate IT network; to date, we\r\nhave no indication that this incident involves systems outside of our corporate network, such as those connected to\r\nLevi's Stadium operations or ticket holders,\" it added.\r\nThe team said it notified law enforcement and is working with third-party cybersecurity firms to investigate the\r\nattack.\r\n\"[W]e are working diligently to restore involved systems as quickly and as safely as possible,\" the team said.\r\nAttack could have been catastrophic in \"what if?\" scenario\r\nThe attack could have been catastrophic if the team had qualified for Super Bowl LVI, which will take place later\r\ntoday.\r\nhttps://therecord.media/san-francisco-49ers-confirm-ransomware-attack/\r\nPage 1 of 3\n\nThe 49ers dramatically lost 17 to 20 after the Los Angeles Rams mounted a 4th quarter comeback in the NFC\r\nChampionship game two weeks ago.\r\nIf they had made it to the Super Bowl, this ransomware attack could have seriously disrupted the team's game\r\npreparations, bringing ransomware to the forefront of the US media cycle once again 
after several high-profile\r\nincidents last year, including one that took place over the 4th of July weekend.\r\nNonetheless, it is unclear how the current attack will impact the team's plan for the next NFL season/year, which\r\nwill start later this month with the free agency signing period, NFL Combine event, and subsequent NFL Draft.\r\nFBI warns about BlackByte attacks\r\nAs for the attackers, the BlackByte ransomware gang is one of the smaller ransomware operations active today,\r\noperating on a RaaS (Ransomware-as-a-Service) model where they rent out their ransomware to \"affiliates\" who\r\nthen carry out intrusions into organizations and deploy it to encrypt files.\r\nThese \"affiliates\" also steal files from the hacked networks, which the BlackByte gang uses as leverage in\r\nnegotiations, threatening victims that they will release the stolen files on a dark web \"leak site\" if they don't pay\r\ntheir extortion demands.\r\nLeak site for new BlackByte ransomware pic.twitter.com/JGJRBJkpPC\r\n— Catalin Cimpanu (@campuscodi) September 28, 2021\r\nThe first BlackByte attacks were seen in September 2021, and this first version of the ransomware was not very\r\nwell coded, allowing cybersecurity firm Trustwave to find a weakness and use it to create a free decrypter.\r\nIn the following weeks, the BlackByte group released a second version, without the encryption bug, which they\r\nhave been using in attacks since then.\r\nAccording to an FBI security alert, since November 2021, the agency said the \"BlackByte ransomware had\r\ncompromised multiple US and foreign businesses, including entities in at least three US critical infrastructure\r\nsectors (government facilities, financial, and food \u0026 agriculture).\"\r\nThe FBI released its security alert [PDF] on Friday, a day before the attack on the 49ers organization became\r\npublic, which has led some security experts to believe the document might contain tactics and indicators of\r\ncompromise from the 
current 49ers attack.\r\nCatalin Cimpanu\r\nis a cybersecurity reporter who previously worked at ZDNet and Bleeping Computer, where he became a well-known name in the industry for his constant scoops on new vulnerabilities, cyberattacks, and law enforcement\r\nactions against hackers.\r\nSource: https://therecord.media/san-francisco-49ers-confirm-ransomware-attack/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://therecord.media/san-francisco-49ers-confirm-ransomware-attack/"
	],
	"report_names": [
		"san-francisco-49ers-confirm-ransomware-attack"
	],
	"threat_actors": [
		{
			"id": "4e453d66-9ecd-47d9-b63a-32fa5450f071",
			"created_at": "2024-06-19T02:03:08.077075Z",
			"updated_at": "2026-04-10T02:00:03.830523Z",
			"deleted_at": null,
			"main_name": "GOLD LOTUS",
			"aliases": [
				"BlackByte",
				"Hecamede "
			],
			"source_name": "Secureworks:GOLD LOTUS",
			"tools": [
				"BlackByte",
				"Cobalt Strike",
				"ExByte",
				"Mega",
				"RDP",
				"SoftPerfect Network Scanner"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "4e7fd07d-fcc5-459b-b678-45a7d9cda751",
			"created_at": "2025-04-23T02:00:55.174827Z",
			"updated_at": "2026-04-10T02:00:05.353712Z",
			"deleted_at": null,
			"main_name": "BlackByte",
			"aliases": [
				"BlackByte",
				"Hecamede"
			],
			"source_name": "MITRE:BlackByte",
			"tools": [
				"AdFind",
				"BlackByte Ransomware",
				"Exbyte",
				"Arp",
				"BlackByte 2.0 Ransomware",
				"PsExec",
				"Cobalt Strike",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434501,
	"ts_updated_at": 1775791944,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/bc816a601562fd33abb3b5ffc6c1a2a9d962cadf.pdf",
		"text": "https://archive.orkl.eu/bc816a601562fd33abb3b5ffc6c1a2a9d962cadf.txt",
		"img": "https://archive.orkl.eu/bc816a601562fd33abb3b5ffc6c1a2a9d962cadf.jpg"
	}
}