On February 13, 2022, a novel, lesser-known ransomware collective posted the alleged financial documents of the San Francisco 49ers football team on their underground site. The threat group, known as BlackByte, was widely credited with the orchestration of the attack—However, AdvIntel’s sensitive primary-source intelligence and factual data evidence (including IOCs) point to a different conclusion: that BlackByte was instead being used as a shell group to process the breach.
AdvIntel instead attributes the 49ers’ February security compromise to the now-dying Conti ransomware group. This story hints at the answers to two now pressing questions:
- How can established ransomware collectives utilize subsidiary groups for operations involving data exfiltration without also utilizing extortion tactics?
- What will happen to ransomware groups after Conti’s final shutdown?