Ransomware, Content

49ers Ransomware Attack Details and Recovery Timeline

<> on February 4, 2015 in San Francisco, California.

The San Francisco 49ers suffered a BlackByte ransomware attack, the NFL football franchise confirmed. Here is a timeline of the attack and recovery efforts.

Saturday, February 12: The 49ers allegedly suffer ransomware attack.

Sunday, February 13: Multiple updates...

  • 49ers confirm ransomware attack to The Record.
  • MSSP Alert reports that backup and cybersecurity firm Acronis as well as Visual Edge IT (MSP) have relationships with the 49ers, though we don't know if those two companies are specifically involved in the attack and recovery efforts. We've reached out to both companies for comment.
  • The ransomware gang BlackByte allegedly posted some stolen team documents on a dark web site in a file marked “2020 Invoices," the Associated Press reported.

Monday, February 14: In a reply to MSSP Alert's request for comment, an Acronis spokesperson said the software company's "team is working hard" and will get back to MSSP Alert as soon as possible, though Acronis did not specifically mention the 49ers attack by name.

See deeper details about the attack below.

49ers Ransomware Attack Details: What Was Hit?

The BlackByte ransomware attack apparently was limited to the 49ers' corporate IT network and did not hit systems within Levi’s Stadium (the team's home field) or systems involving ticket holders, the initial report indicated.

BlackByte is ransomware as a service (RaaS). Ironically, the FBI and secret service issued a BlackByte warning on February 11, 2022. According to that alert:

"As of November 2021, BlackByte ransomware had compromised multiple US and foreign businesses, including entities in at least three US critical infrastructure sectors (government facilities, financial, and food & agriculture). BlackByte is a Ransomware as a Service (RaaS) group that encrypts files on compromised Windows host systems, including physical and virtual servers."

49ers Ransomware Attack: MSSPs Assist Recovery?

The 49ers did not disclose whether the team or NFL had hired an MSSP or incident response company to assist with the ransomware attack investigation or recovery.

The 49ers are known to partner with cybersecurity and backup software provider Acronis as well as Visual Edge IT, an MSP -- according to an October 2021 announcement from the three organizations. We've reached out to Acronis and Visual Edge IT to see if they are involved in the attack defenses and/or recovery efforts.

Among those sharing perspectives on the attack: Emsisoft Threat Analyst Brett Callow, who shares details via his Twitter feed here.

Related: Here's how MSSPs can mitigate the BlackByte ransomware attack threat, according to the FBI and Secret Service warning.

Correction: We initially reported that the attack occurred on February 13 (Super Bowl Sunday). In reality, the attack occurred on Feb. 12 and then was confirmed by the 49ers on Feb. 13. We've updated our coverage accordingly.

Joe Panettieri

Joe Panettieri is co-founder & editorial director of MSSP Alert and ChannelE2E, the two leading news & analysis sites for managed service providers in the cybersecurity market.