Blackbaud Ransomware Attack Reiterates the Need for Strong Cybersecurity Controls

Software publisher Blackbaud recently reported that the firm was a target of a ransomware attack. The attack, which occurred in May, affected numerous universities, alumni organizations, and other organizations that use the company’s administration, fundraising, and financial management software. Although the hack occurred in May, Blackbaud did not report the incident until July. In this article, you will learn more about the attack and what you can do to avoid becoming yet another victim of ransomware.

Statement from Blackbaud

The company posted the following statement on its website.

“In May of 2020, we discovered and stopped a ransomware attack. In a ransomware attack, cybercriminals attempt to disrupt the business by locking companies out of their own data and servers. After discovering the attack, our Cyber Security team—together with independent forensics experts and law enforcement—successfully prevented the cybercriminal from blocking our system access and fully encrypting files; and ultimately expelled them from our system. 

Prior to our locking the cybercriminal out, the cybercriminal removed a copy of a subset of data from our self-hosted environment. The cybercriminal did not access credit card information, bank account information, or social security numbers. Because protecting our customers’ data is our top priority, we paid the cybercriminal’s demand with confirmation that the copy they removed had been destroyed. Based on the nature of the incident, our research, and third party (including law enforcement) investigation, we have no reason to believe that any data went beyond the cybercriminal, was or will be misused; or will be disseminated or otherwise made available publicly. 

This incident did not involve solutions in our public cloud environment (Microsoft Azure, Amazon Web Services), nor did it involve the majority of our self-hosted environment. The subset of customers who were part of this incident have been notified and supplied with additional information and resources. We apologize that this happened and will continue to do our very best to supply help and support as we and our customers jointly navigate this cybercrime incident.”

Blackbaud Paid the Ransom

Of note, Blackbaud disclosed in their statement that the company paid the ransom, although the amount is not available. The company’s payment stands in contrast to recommendations from most governments and cybersecurity organizations.

According to a published report at www.thenonprofittimes.com, Blackbaud paid the ransom using Bitcoin. However, the company did not make the payment until it was able to confirm that the hackers destroyed all data compromised in the attack. Further, the company indicated that the hackers did not compromise data such as credit card numbers, bank account information, and Social Security numbers.

Ransomware Remains a Significant Threat

According to Statista.com, ransomware remains a significant threat. In 2019 alone, 188 million attacks occurred worldwide. Further, SafeAtLast.co reports that the ransomware accounts for 56% of all malware attacks. Additionally, the average cost of a successful attack against a business in $133,000.

Identifying a Ransomware Risk

To minimize the risk of ransomware attacks, first understand the nine primary ways that it enters an organization, as detailed below.

1. Unsolicited links and attachments in email messages.
2. Malicious links in social media posts.
3. Drive-by websites.
4. Open and unsecured RDP/RDS ports in Windows.
5. “Collateral damage” resulting from attacks on managed service providers.
6. Attacks that spread through an organization, known as “lateral attacks.”
7. Free and pirated software infected with ransomware.
8. Ransomware installed on USB drives.
9. Websites that serve “malvertising” dialog boxes.

Five Ways to Minimize Ransomware Risk

Understanding where the risks lie makes crafting a practical approach to combating ransomware a reasonable possibility. For most organizations, that approach should include at least the following five points.

1. Train team members about the dangers of clicking on links and attachments in email messages and social media messages. Current estimates indicate that approximately 30% of email users click on unsolicited links and files, so repeated efforts in this are necessary.
   
2. Educate team members on the risks associated with visiting specific types of sites on the Internet and consider implementing policies that indicate the kinds of websites they should not visit using company-owned assets and internet connections.
3. Enable Windows Controlled Folder Access feature, a tool designed specifically to block ransomware attacks.
4. Carefully choose your choice of anti-malware software and ensure that it updates contemporaneously.
5. Assume your company will become a victim and incorporate recovery strategies into your Business Continuity/Disaster Recovery plans. As part of this strategy, routinely test your backups to ensure that it includes all data and that you can restore this information when the need arises. Additionally, consider creating Restore Points of each team member’s computer to speed the process of recovery in the case of an attack.

Summary

Ransomware remains a genuine threat to businesses of all sizes. It affects large software companies such as Blackbaud to small “mom-and-pop” operations. When ransomware strikes a business, the costs are high. Further, the damage to the victim organization’s reputation lasts for years. Yet, if we understand how ransomware creeps into companies, we can create an effective strategy for reducing our risk of becoming yet another victim.

Tommy Stephens