Threat Watch

Blackbaud Victim of Ransomware Attack

Blackbaud, a company that provides financial and fundraising technology to nonprofits, has been the victim of a ransomware attack. The organization did not name the ransomware, nor did it publicize how its systems were compromised. The infection took place in May of this year and was quickly detected by Blackbaud security members. While the security team was able to quarantine the infection before Blackbaud’s systems were encrypted, the attackers were able to exfiltrate a “subset of data” from Blackbaud’s network. Blackbaud did not disclose what data was stolen but did confirm that credit card data, bank account information, and Social Security numbers were not compromised. The attackers contacted Blackbaud with a ransom demand to stop the release of the stolen data. Blackbaud worked with law enforcement and a private security firm, both to assist in the ransom payment and to confirm that the attackers deleted the data. Blackbaud also opted to retain an outside security firm to monitor for the release of any of Blackbaud’s data on criminal forums and marketplaces.

ANALYST NOTES

Analyst Note: Ransomware operators rely heavily on their reputation to ensure ransom payments from their victims. Ransomware operators gain little by releasing data after a ransom is paid, since doing so would encourage other victims not to pay. Early detection of the ransomware reduced the damage in this instance, since systems were not encrypted. Endpoint detection and response solutions are an important preventative measure to combat a number of threats such as ransomware. Darknet monitoring is an important step for both pre- and post-incident monitoring. Post-incident monitoring allows for the potential to obtain stolen data prior to its sale to other criminals, as well as the identification of stolen data for sale prior to its use by criminals. Pre-incident Darknet monitoring allows for the identification of compromised email accounts which have been posted in data dumps. These compromised email accounts are a great tool for criminals to target members of an organization and establish an initial foothold to carry out a number of attacks, including ransomware attacks.

More information on this incident can be found at https://www.thenonprofittimes.com/npt_articles/breaking-blackbaud-hacked-ransom-paid/

The statement on this incident from Blackbaud can be found at https://www.blackbaud.com/securityincident