Statement from Blackbaud
“In May of 2020, we discovered and stopped a ransomware attack. In a ransomware attack, cybercriminals attempt to disrupt the business by locking companies out of their own data and servers. After discovering the attack, our Cyber Security team—together with independent forensics experts and law enforcement—successfully prevented the cybercriminal from blocking our system access and fully encrypting files; and ultimately expelled them from our system.
Prior to our locking the cybercriminal out, the cybercriminal removed a copy of a subset of data from our self-hosted environment. The cybercriminal did not access credit card information, bank account information, or social security numbers. Because protecting our customers’ data is our top priority, we paid the cybercriminal’s demand with confirmation that the copy they removed had been destroyed. Based on the nature of the incident, our research, and third party (including law enforcement) investigation, we have no reason to believe that any data went beyond the cybercriminal, was or will be misused; or will be disseminated or otherwise made available publicly.
This incident did not involve solutions in our public cloud environment (Microsoft Azure, Amazon Web Services), nor did it involve the majority of our self-hosted environment. The subset of customers who were part of this incident have been notified and supplied with additional information and resources. We apologize that this happened and will continue to do our very best to supply help and support as we and our customers jointly navigate this cybercrime incident.”
Blackbaud Paid the Ransom
According to a published report at www.thenonprofittimes.com, Blackbaud paid the ransom using Bitcoin. However, the company did not make the payment until it was able to confirm that the hackers destroyed all data compromised in the attack. Further, the company indicated that the hackers did not compromise data such as credit card numbers, bank account information, and Social Security numbers.
Ransomware Remains a Significant Threat
Identifying a Ransomware Risk
- Unsolicited links and attachments in email messages.
- Malicious links in social media posts.
- Drive-by websites.
- Open and unsecured RDP/RDS ports in Windows.
- “Collateral damage” resulting from attacks on managed service providers.
- Attacks that spread through an organization, known as “lateral attacks.”
- Free and pirated software infected with ransomware.
- Ransomware installed on USB drives.
- Websites that serve “malvertising” dialog boxes.
Five Ways to Minimize Ransomware Risk
- Train team members about the dangers of clicking on links and attachments in email messages and social media messages. Current estimates indicate that approximately 30% of email users click on unsolicited links and files, so repeated efforts in this area are necessary.
- Educate team members on the risks associated with visiting specific types of sites on the Internet and consider implementing policies that indicate the kinds of websites they should not visit using company-owned assets and internet connections.
- Enable the Windows Controlled Folder Access feature, a tool designed specifically to block ransomware attacks.
- Choose your anti-malware software carefully and ensure that it receives updates as soon as they are released.
- Assume your company will become a victim and incorporate recovery strategies into your Business Continuity/Disaster Recovery plans. As part of this strategy, routinely test your backups to ensure that they include all data and that you can restore this information when the need arises. Additionally, consider creating Restore Points of each team member’s computer to speed the process of recovery in the case of an attack.
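
An added example (not from the original article or from Blackbaud): a read-only Windows PowerShell audit of several items from the lists above, covering Controlled Folder Access, anti-malware update status, RDP exposure, and restore points. It assumes Microsoft Defender is the active anti-malware product and an elevated Windows PowerShell 5.1 session; the three-day signature-age threshold and the helper name `New-Finding` are assumptions made for illustration.

```powershell
# Read-only audit; changes no settings. Run elevated in Windows PowerShell 5.1.
# Assumption: Microsoft Defender is the active anti-malware product.
# Assumption: signatures older than this many days count as stale (set per your policy).
$MaxSignatureAgeDays = 3

# Hypothetical helper: builds one result row.
function New-Finding([string]$Check, [bool]$Ok, [string]$Detail) {
    [pscustomobject]@{ Check = $Check; Ok = $Ok; Detail = $Detail }
}

# Controlled Folder Access: 0 = disabled, 1 = enabled (blocking), 2 = audit only.
$cfaNames = @{ 0 = 'Disabled'; 1 = 'Enabled'; 2 = 'AuditMode' }
$cfa      = [int](Get-MpPreference).EnableControlledFolderAccess
$cfaState = if ($cfaNames.ContainsKey($cfa)) { $cfaNames[$cfa] } else { "Other ($cfa)" }

# Defender real-time protection and signature freshness.
$mp = Get-MpComputerStatus

# RDP: fDenyTSConnections = 0 means Remote Desktop is enabled;
# UserAuthentication = 1 means Network Level Authentication is required.
$tsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpOn = (Get-ItemProperty -Path $tsKey).fDenyTSConnections -eq 0
$nlaOn = (Get-ItemProperty -Path "$tsKey\WinStations\RDP-Tcp").UserAuthentication -eq 1

# System Restore points available for faster workstation recovery.
$restorePoints = @(Get-ComputerRestorePoint -ErrorAction SilentlyContinue)

$findings = @(
    New-Finding 'Controlled Folder Access' ($cfa -eq 1) $cfaState
    New-Finding 'Real-time protection' ([bool]$mp.RealTimeProtectionEnabled) `
        "Enabled=$($mp.RealTimeProtectionEnabled)"
    New-Finding 'Signature age' ($mp.AntivirusSignatureAge -le $MaxSignatureAgeDays) `
        "$($mp.AntivirusSignatureAge) day(s) old"
    New-Finding 'RDP exposure' ((-not $rdpOn) -or $nlaOn) `
        "RDP enabled=$rdpOn, NLA required=$nlaOn"
    New-Finding 'System Restore points' ($restorePoints.Count -gt 0) `
        "$($restorePoints.Count) restore point(s) found"
)

$findings | Format-Table -AutoSize
$failed = @($findings | Where-Object { -not $_.Ok })
if ($failed.Count -gt 0) {
    Write-Warning "$($failed.Count) check(s) need attention."
}
```

The RDP check only reports whether Remote Desktop is enabled without Network Level Authentication; it does not tell you whether the port is reachable from the internet, which has to be verified at the firewall or perimeter.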