[BreachExchange] Cloud Company Blackbaud Pays Ransomware Operators to Avoid Data Leak

Tue Jul 21 10:22:51 EDT 2020

https://www.securityweek.com/cloud-company-blackbaud-pays-ransomware-operators-avoid-data-leak

Cloud software provider Blackbaud has admitted that it paid
cybercriminals to regain control of data following a ransomware attack
in May 2020.

The company, which is known for its fundraising suites aimed at
educational institutions and charities, offers a diverse portfolio of
management and payment services to help process donations and
fundraises.

Last week, the company published a notice on a ransomware attack that
it fell victim to in May 2020, claiming that it was able to discover
and stop the assault, but not before some data was exfiltrated by the
attackers.

“Our Cyber Security team—together with independent forensics experts
and law enforcement—successfully prevented the cybercriminal from
blocking our system access and fully encrypting files; and ultimately
expelled them from our system. Prior to our locking the cybercriminal
out, the cybercriminal removed a copy of a subset of data from our
self-hosted environment,” the company said.

According to Blackbaud, the attackers did not access credit card data,
bank account information or the social security numbers of its
customers.

Even so, the company decided to pay the cybercriminals for deleting
the data that was exfiltrated during the incident, “with confirmation
that the copy they removed had been destroyed.”

“Based on the nature of the incident, our research, and third party
(including law enforcement) investigation, we have no reason to
believe that any data went beyond the cybercriminal, was or will be
misused; or will be disseminated or otherwise made available
publicly,” the company said.

The company’s public cloud environment, which lies in Microsoft Azure
and Amazon Web Services, and most of the company’s self-hosted
environment weren’t affected in the security incident.

Blackbaud also mentioned that it has notified the customers who were
affected by the attack, but did not provide specific information on
how the attackers were able to compromise its systems in the first
place.