Ransomware Attack Scores Touchdown Against 49ers
This year, the 49ers nearly made it to the Super Bowl. If not for the dramatic 4th quarter comeback of the Rams, the recent ransomware attack on the 49ers might have been even more devastating. As it stands, the San Francisco 49ers were shocked to discover on the day of the Super Bowl that a known hacker studio had posted their team among its victims.
Upon investigation, the team found that their corporate servers had, indeed, been infiltrated and impacted by ransomware. How did this happen? How can a corporate team with millions to spend on infrastructure allow itself to be hacked? This incident teaches us two important lessons. The first is that hackers and malware can target anyone - and a big team right before the Super Bowl makes one heck of a target. The second is that you can never be too careful about cybersecurity. While prevention may be nearly impossible in a digital environment swarming with malicious programs, early detection and rapid response can eliminate the more serious risks of a ransomware attack.
When it comes to legendary football teams, even the greats can be infiltrated by a hack that uses a Microsoft Exchange Server vulnerability.
How Ransomware Hit the San Francisco 49ers
So what exactly happened? How did ransomware wind up on the 49ers corporate network, and what exactly did the ransomware do?
As of now, we know that the 49ers were attacked by a ransomware group known as BlackByte, whose MO is so recognizable that the FBI released a warning about their patterns just a day before the 49ers realized that their computers had been compromised. If they stuck to their usual pattern, then we know what most likely happened to the 49ers' servers.
BlackByte ransomware typically gets in through a known vulnerability in Microsoft Exchange Server and then spreads by lateral movement. Once inside the network, the ransomware moves laterally from system to system, escalating privileges as it goes - giving itself more permissions. Once it has full access, it begins accessing, encrypting, and stealing files.
In each folder of encrypted files, a single text file is left behind. This is the BlackByte calling card, containing the ransom demand and a link to instructions on how to pay it.
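One way a defender can hunt for the footprint just described, as an added example that is not the article's or BlackByte's code: walk a file share and flag any folder whose files now share one unfamiliar extension with exactly one text file beside them. The folder names, the ".locked" suffix and the note name in the sample tree are constructed assumptions.

```python
"""Heuristic scan for the per-folder footprint described above: a directory
whose files now share one unfamiliar extension, with exactly one text file
dropped beside them. Added example, not the article's or BlackByte's code;
the ".locked" extension and note name in the sample tree are constructed."""
import os
import tempfile
from collections import Counter

# Extensions treated as normal on an office file share (assumption).
KNOWN_EXTENSIONS = {".docx", ".xlsx", ".pptx", ".pdf", ".csv", ".txt", ".jpg", ".png"}


def suspicious_dirs(root, min_files=3):
    """Return (dir, ext, count) for each directory where at least min_files
    files share one extension outside KNOWN_EXTENSIONS and exactly one .txt
    file (the candidate ransom note) sits next to them."""
    hits = []
    for dirpath, _subdirs, files in os.walk(root):
        exts = Counter(os.path.splitext(name)[1].lower() for name in files)
        unknown = {e: n for e, n in exts.items() if e and e not in KNOWN_EXTENSIONS}
        if not unknown:
            continue
        ext, count = max(unknown.items(), key=lambda kv: kv[1])
        if count >= min_files and exts.get(".txt", 0) == 1:
            hits.append((dirpath, ext, count))
    return hits


def build_sample_tree():
    """Construct a throwaway share: one clean folder and one with the footprint."""
    root = tempfile.mkdtemp()
    clean = os.path.join(root, "finance")
    hit = os.path.join(root, "scouting")
    os.makedirs(clean)
    os.makedirs(hit)
    for name in ("q1.xlsx", "q2.xlsx", "notes.txt"):
        open(os.path.join(clean, name), "w").close()
    # constructed: ".locked" stands in for whatever extension an encryptor appends
    for name in ("draft.docx.locked", "roster.xlsx.locked",
                 "film.pdf.locked", "HOW_TO_RESTORE.txt"):
        open(os.path.join(hit, name), "w").close()
    return root


if __name__ == "__main__":
    for path, ext, n in suspicious_dirs(build_sample_tree()):
        print(f"ALERT {path}: {n} files renamed to {ext} plus a single text note")
```

Tune KNOWN_EXTENSIONS to the share being scanned; a folder of legitimate but unusual file types with a lone readme will otherwise trip the heuristic.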
How Do You Ransomware a Football Team?
You may be wondering how a football team might be subject to ransomware. Unlike a hospital or even a meatpacking plant, their computers don't seem central to the team's function. However, you must remember that a football team is a corporation. It has internal processes and private partners just like any other business. Ransomware does two things to a football team. The first is that it can interrupt the internal business and logistics of running the team. The second is that the ransom could include exposing or destroying critical data.
When BlackByte posted their wall-of-shame victim announcement on the day of the Super Bowl, they were levying their ransom. It was a threat to bring down the team with digital interference or the publication of private documents.
A New Breed of Professional Hackers
While the NFL is an impressive example, big companies get hacked all the time. The truly impressive detail of this story is how organized the hacking team is. There is a new trend on the dark and deep web for hacking teams to go professional. BlackByte is known as a RaaS (Ransomware as a Service) provider. In addition to carrying out their own hacks, they make software and resources available to other hackers to attack targets of their choice.
This is a professional shop, a ransomware studio. They released a flawed product whose encryption could be undone, and two weeks later they had released a patch that repaired that weakness. BlackByte is also not the largest professional-style hacker team by a long shot; some of the biggest teams are known to be sanctioned by foreign governments.
In this new landscape of constant cybersecurity threats and ever more sophisticated enemies of security, it's time for big NFL teams and businesses of all sizes to think seriously about their approach to cybersecurity defense.
How to Protect Professional Organizations from Ransomware Attacks
1. Implement the NIST Cyber Security Framework
The best thing you can do for your team's cybersecurity is to adopt security standards. A set of standards gives you the framework and baseline you need to build a powerful and airtight cybersecurity structure. NIST (the National Institute of Standards and Technology) has released the Cybersecurity Framework as a great baseline for your security measures. It will help you build strong measures and implement them in a day-to-day way.
The NIST framework is built around a five-step cycle:
- Identify
- Protect
- Detect
- Respond
- Recover
The wheel helps us to understand that cybersecurity never stops. There is never a point where you are "secure enough" or where you can "set and forget" a server or network. Instead, each new day brings new risks, updates, patches, infiltrations, and defenses. If a risk is detected and handled, the entire process starts back at "Identify" to find the initial vulnerability and secure it from there.
2. Build a Complete Backup Recovery System
Backup recovery is the single most powerful tool to combat the risks of malware and ransomware. At its core, what does ransomware do? It takes your important files and encrypts them so you can't use the files in your business. But what if you could unplug the computer, wipe everything, and reinstall from scratch without a scrap of data loss?
With the right backups, recovering from malware could be a matter of hours instead of days or months of system rebuilding - or paying the ransom.
Great backups include everything, are taken frequently, and are tested to make sure the recovery system works. You'll want:
- Structural and Network Backups
- Database and Archive Backups
- Active and Recent File Backups
- Live Project Version Control Backups
Structural backups and network backups provide a quick reinstall baseline, like loading a pre-configured operating system onto a virtual machine. The more settings and structure you can back up, the faster you can restart after wiping malware off the map.
Database and archive backups are self-explanatory. These are often the most-targeted, most-stolen, and biggest losses if your internal files are corrupted. Backing up your recent data changes and live projects minimizes the hours of work lost between the most recent backup and the recovery procedure.
3. Adopt a "Zero Trust" Digital Policy
Data infiltrations happen. It's impossible to stop all unauthorized file movement and device access - and you can easily drive yourself and your workforce insane trying. Data silos don't work anymore because companies must be connected to the internet to function. Because of this, the IT industry has shifted away from a firewall-focused strategy toward zero trust instead.
Zero trust isn't about trust; it's about vigilance. It means watching every endpoint and every account for suspicious activity. It's about pinging an admin each time a secure file is accessed or permissions are changed. Zero trust is the approach that relies on technical detection instead of leaving any risk to assumption or chance.
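The monitoring described above, as an added example (not code from the article): rules that alert on protected-file reads, on permission changes, and on one account reaching several hosts in a short window, run over constructed key=value audit lines. The log format, paths, hosts, account names and thresholds are assumptions.

```python
"""Zero-trust alerting over audit events, as described above: alert on every
read of a protected file, on every permission change, and on one account
logging on to several hosts within a short window (the article's lateral
movement pattern). Added example; the log format, paths and names are constructed."""
from collections import defaultdict

PROTECTED_PREFIXES = ("/srv/contracts/", "/srv/medical/")   # assumption
PERMISSION_ACTIONS = {"chmod", "chown", "setacl"}
HOST_THRESHOLD = 3        # distinct hosts reached by one account ...
WINDOW_SECONDS = 300      # ... within this many seconds

# Constructed sample: a normal read, a protected read, a chmod, then host hopping.
SAMPLE_LOG = """\
ts=1000 host=fs01 user=jdoe action=read path=/srv/marketing/plan.docx
ts=1010 host=fs01 user=jdoe action=read path=/srv/contracts/qb-2022.pdf
ts=1020 host=fs01 user=svc_backup action=chmod path=/srv/contracts mode=0777
ts=1030 host=fs01 user=svc_backup action=logon
ts=1040 host=fs02 user=svc_backup action=logon
ts=1050 host=web01 user=svc_backup action=logon
ts=9000 host=db01 user=svc_backup action=logon
"""


def parse(line):
    """Turn 'k=v k=v' into a dict; values may themselves contain '='."""
    return dict(field.split("=", 1) for field in line.split())


def evaluate(log_text):
    """Return a list of (rule, user, detail) alerts, one per triggering event."""
    alerts = []
    logons = defaultdict(list)      # user -> [(ts, host), ...]
    flagged = set()                 # users already reported for lateral movement
    for line in log_text.splitlines():
        ev = parse(line)
        ts, user, action = int(ev["ts"]), ev["user"], ev["action"]
        path = ev.get("path", "")
        if action == "read" and path.startswith(PROTECTED_PREFIXES):
            alerts.append(("protected-read", user, path))
        elif action in PERMISSION_ACTIONS:
            alerts.append(("permission-change", user, path))
        elif action == "logon":
            logons[user].append((ts, ev["host"]))
            recent = {h for t, h in logons[user] if ts - t <= WINDOW_SECONDS}
            if len(recent) >= HOST_THRESHOLD and user not in flagged:
                flagged.add(user)
                alerts.append(("lateral-movement", user, ",".join(sorted(recent))))
    return alerts
```

Calling evaluate(SAMPLE_LOG) yields three alerts; the final logon at ts=9000 is outside the window and does not trigger a fourth.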
4. Put Together a Cybersecurity Playbook
Next, your team needs to know how to respond when a cybersecurity threat does arise. They need to know what play to make and how to work together to minimize widespread damage. Write the playbook for dealing with malware and hacker infiltrations when they happen. Know when to wipe a system and restore from backup. Make sure team leaders know how to run virus scans and antivirus programs. Everyone should know how to:
- Detect phishing and whaling
- Avoid infected links
- Alert on suspicious activity
- Isolate the damage
- Report a suspected breach
- Identify an infiltration
- Wipe and restore systems
Have your backups and recovery process ready to go. Get your team used to the idea of taking swift action if they see signs that their current work computer or device is hacked. Provide the tools and the strategies necessary to combat or report a cybersecurity threat. Give your team the play-by-play on how to defend the entire team from a ransomware attack.
5. Build a Network of Trusted Partners
Your security is only as strong as the security of your digital partners. Every organization relies on cloud and software partners to run parts of the business. Your data storage, financial management, and third-party platforms must maintain the same level of cybersecurity that you achieve, or the network as a whole cannot be considered secure.
This means you want to build a network of allies - trusted partners who have also stepped up their cybersecurity standards. Together, you can form a bastion of good digital security practices.
6. Run Cybersecurity Response Drills
One of the best ways to keep your team cybersecurity-trained and on their toes is by running cybersecurity response drills. We don't mean running back and forth across the field, but rather keeping an eye out for phishing emails and suspicious links. These attacks aren't from real hackers, though; they're manufactured by the IT security team.
Provide rewards and prizes for employees who spot the signs of a cybersecurity breach or attack and respond appropriately. Use these incidents as training to help everyone else spot the next one. The chance for rewards and the fun of solving a puzzle will keep your entire team alert, vigilant, and eager to be the one to spot and stop the next hacker or rogue ransomware.
Whether you are an NFL football team or a corporate entity of another sort, cybersecurity is no longer optional. From the smallest e-store to the biggest names in the world, no network is safe. So it's time to build our defenses, our offensive defense, and unstoppable backup recovery plans to make up the difference. If the 49ers can recover from a public ransomware incident, the rest of us are obligated to step up and give data security our all. Contact us to consult on your data security solutions and strategy.