Cloud Services Firm Stops Ransomware Attack, But Pays Anyway

Blackbaud, a major supplier of financial and fundraising technology to the non-profit sector, said it stopped a ransomware attack from encrypting files, but paid the attackers to delete stolen customer data.

“Because protecting our customers’ data is our top priority, we paid the cybercriminal’s demand with confirmation that the copy they removed had been destroyed,” Blackbaud said in a customer advisory.

The company said it discovered and stopped the ransomware attack in May of this year, but discovered the attackers had removed “a subset” of customers’ data.

The data affected was from Blackbaud’s self-hosted environment, and didn’t affect data it hosts on Amazon Web Services or Azure cloud services, the company said.

‘Sophisticated’ attack

“The subset of customers who were part of this incident have been notified and supplied with additional information and resources,” Blackbaud said.

“We apologise that this happened and will continue to do our very best to supply help and support as we and our customers jointly navigate this cybercrime incident.”

Blackbaud said its strong cybersecurity practice and advance planning had enabled it to shut down the “sophisticated” attack, adding that it has implemented changes to prevent the issue from happening again.

The company said it believed the attackers’ confirmation they had destroyed the data in part because the ransomware business model depends upon criminals not disclosing data once a ransom is paid.

Data release

In addition, Blackbaud said it worked with outside experts to monitor the internet and found no evidence that information was ever released.

Ransomware attacks initially focused on encrypting organisations’ files and then extorting ransoms to decrypt the files, but in recent months have expanded into other areas, such as stealing data and threatening to release it.

Beginning earlier this year, for instance, the DoppelPaymer ransomware gang has begun publicly releasing files stolen from contractors for the US Navy, Lockheed-Martin and SpaceX.

Some of the malware developers’ ransom demands have been in excess of $1 million (£800,000), according to computer security firm CrowdStrike.