"We discovered and stopped a sophisticated attempted ransomware attack," Blackbaud CEO Michael Gianoni has told financial analysts – failing to mention the company simply paid off criminal extortionists to end the attack.
Speaking on the US cloud CRM provider's Q2 FY2020 earnings call late on Friday, Gianoni said: "Like a lot of companies, we get millions of intrusion attempts a month and unfortunately one got into a subset of our customers and a subset of our backup environment."
As we reported, Blackbaud paid a demanded ransom back in May before quietly notifying the world two months later. Blackbaud accepted the criminals' assurances that stolen data would be deleted.
Nonetheless, companies and charities that use Blackbaud's CRM systems for fundraising and communications are duty-bound to report the data theft to regulators, at least on this side of the Atlantic. Although the firm insisted that financial data had not been accessed by the criminals, personal data stored on its servers by subscribing companies was accessed.
On the Friday earnings call Blackbaud CFO Tony Boor added: "We currently don't anticipate any kind of material financial impact for the company [from the ransomware]. We do have insurance coverage that will come into play here as well."
These remarks may well dismay the global cybersecurity industry and governments alike. Standard advice is not to pay ransoms because doing so fuels the criminal economy behind ransomware, perpetuating this form of internet criminality. However, industry has increasingly ignored this advice; the availability of cyber insurance policies that pay out on ransom demands removes the largest disincentive from the equation.
Blackbaud at least has one partial excuse: late last year the US Federal Bureau of Investigation relaxed its guidance on paying ransoms to acknowledge that some firms can and will pay up.
Ransomware, as Reg readers know, is software that forcibly encrypts files on a target computer or network. The criminal operators behind this strain of malware demand hefty payments, in some cases running to millions, in order to provide a decryption utility. Without a decryptor, the targeted business usually cannot recover its files to continue normal trading.
Recent research from ransomware-focused infosec biz Emsisoft concluded that the average US ransom demand was in the region of $84,000.
Victims of the Blackbaud-enabled ransomware attack included a whole host of universities, charities (including the National Trust), and, according to media reports last week, the UK's Labour Party. ®