Blackbaud, a cloud software provider specializing in fundraising suites for charities and educational institutions, quietly paid off a ransomware attacker – and then got around to telling customers about it a full two months later.
The biz admitted the attack in a statement earlier this week. Blackbaud claimed that the May 2020 ransomware infection was caught at an early stage, and that the file encryption process was halted before fully completing.
"After discovering the attack, our Cyber Security team – together with independent forensics experts and law enforcement – successfully prevented the cybercriminal from blocking our system access and fully encrypting files; and ultimately expelled them from our system," said Blackbaud. For reasons it did not explain, it then paid the criminals to recover its data.
"Prior to our locking the cybercriminal out, the cybercriminal removed a copy of a subset of data from our self-hosted environment," Blackbaud said.
"The cybercriminal did not access credit card information, bank account information, or social security numbers. Because protecting our customers' data is our top priority, we paid the cybercriminal's demand with confirmation that the copy they removed had been destroyed."
Some ransomware operators, such as those using the Maze malware strain, are canny enough to take their time infiltrating a target's network to identify and disrupt backups. Regular, easily restored offline backups are one of the main mitigations against ransomware attacks, along with security scans and monitoring of network activity. As more and more organizations follow this advice, these malware crooks have turned to exfiltrating files from infected networks to further pressure people into caving to the extortionists' demands: pay up, or your confidential information is leaked or sold online.
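The "monitoring of network activity" mentioned above is what gives a defender a chance to notice the exfiltration stage before an extortion demand arrives. As an added example (not code from Blackbaud or The Register), the script below reads a constructed, hypothetical flow-log format of `timestamp src_ip dst_ip bytes_out`, sums bytes sent from RFC 1918 addresses to external addresses per host and hour, and flags any host whose outbound volume crosses a threshold; the sample records, the threshold and the log format are all assumptions for illustration.

```python
"""Added example: flag bulk outbound transfers from internal hosts to
external addresses in a constructed flow log. Not Blackbaud's or The
Register's code; the log format and sample records are invented."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# RFC 1918 ranges treated as "internal"; anything else is "external".
PRIVATE_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample records: "timestamp src_ip dst_ip bytes_out".
# One host pushes ~2.1 GB to a single external address within an hour,
# which is the pattern a pre-ransom data theft would leave in flow data.
SAMPLE_FLOWS = """\
2020-05-14T02:00:11 10.1.4.22 10.1.4.5 18233
2020-05-14T02:01:40 10.1.4.22 203.0.113.9 1200000000
2020-05-14T02:03:05 10.1.4.22 203.0.113.9 900000000
2020-05-14T02:05:00 10.1.4.31 198.51.100.7 48000
2020-05-14T09:12:19 10.1.4.31 10.1.4.5 150000
"""


def is_internal(ip: str) -> bool:
    """True if the address falls inside one of the private ranges."""
    addr = ip_address(ip)
    return any(addr in net for net in PRIVATE_NETS)


def parse_flows(text: str) -> list:
    """Parse the hypothetical log format into (ts, src, dst, bytes) tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, nbytes = line.split()
        flows.append((ts, src, dst, int(nbytes)))
    return flows


def outbound_bytes_per_host(flows: list) -> dict:
    """Sum internal->external bytes, keyed by (source host, hour bucket).

    Internal-to-internal traffic (backups, file shares) is ignored so that
    ordinary intranet volume does not drown out the signal.
    """
    totals = defaultdict(int)
    for ts, src, dst, nbytes in flows:
        if is_internal(src) and not is_internal(dst):
            hour_bucket = ts[:13]  # "YYYY-MM-DDTHH"
            totals[(src, hour_bucket)] += nbytes
    return dict(totals)


def flag_exfil(flows: list, threshold_bytes: int = 500_000_000) -> list:
    """Return sorted (host, hour, bytes) for hosts over the hourly threshold.

    The 500 MB/hour figure is an assumed starting point; in practice the
    threshold should come from each host's observed baseline.
    """
    return sorted(
        (host, hour, total)
        for (host, hour), total in outbound_bytes_per_host(flows).items()
        if total >= threshold_bytes
    )


if __name__ == "__main__":
    for host, hour, total in flag_exfil(parse_flows(SAMPLE_FLOWS)):
        print(f"ALERT {host} sent {total:,} bytes externally during {hour}")
```

A fixed byte threshold is the simplest version of this check; the same aggregation can feed a per-host baseline (median hourly external volume over the previous weeks) so that a normally quiet workstation lighting up is caught even if it stays under a global limit.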
In an unsigned email responding to The Register's inquiries, Blackbaud would only refer us to an advisory on its website about the intrusion, though whoever sent the email insisted the timing of its announcement to customers and the public, as miscreants hijacked celebrity and corporate accounts on Twitter, was a coincidence.
Some customers went on to contact The Register to express concern that they were only being informed about the theft of their data two months after the thief had been paid off.
Paying ransoms to cybercrims goes against UK government advice: no ransom; no reward; no sustainable business model, is the thinking. You're also trusting the criminal to stick to their word and not only hand over the decryption keys – if needed – but also delete your stolen data, a one-sided situation higher-profile ransomware gangs have begun exploiting to empty their victims' pockets.
One ransomware gang even went as far as inviting the BBC to listen in on its ransom negotiations with an American university that eventually paid out $1.14m for a decryption tool. As a tactic for ensuring maximum payout, with minimal pushback from a compliant victim, the mere threat that invited news media might be listening to a future ransom negotiation could hardly be a stronger force multiplier for the criminals. ®