
Name: Dhir Talreja

Roll no : A115

EXPERIMENT 1
BLACKBAUD RANSOMWARE ATTACK (2020)

Motivation of Attacks

The motivation behind the ransomware attack on Blackbaud appears to be financial gain. The
attackers employed ransomware to encrypt and exfiltrate customer data, and their primary
goal was to extort money from Blackbaud in exchange for not publicly disclosing or misusing
the stolen data. This type of attack is commonly driven by the desire to receive a ransom
payment from the targeted organization.
The attackers likely believed that by compromising and encrypting valuable data, they could
force Blackbaud to pay a ransom to regain control of the information and prevent its public
release. The fact that Blackbaud decided to pay the ransom, as mentioned in the sources,
suggests that the attackers achieved their financial objective.
It's worth noting that motivations for ransomware attacks can vary, but financial gain is a
common factor. The attackers exploit vulnerabilities in the target's cybersecurity defenses,
encrypt sensitive data, and demand payment in exchange for the decryption key or the
promise not to misuse or disclose the stolen information.

Impact
The ransomware attack on Blackbaud in 2020 had several notable impacts on the company
and its stakeholders:
1. Data Breach and Exfiltration: The attackers managed to exfiltrate and encrypt
customer data. Blackbaud reported that a copy of a subset of data was taken from its
environment before the cybercriminals were expelled from the system.
2. Ransom Payment: Blackbaud decided to pay the ransom, although the specific amount
was not disclosed. The company mentioned that it paid the ransom with the
confirmation that the copy of the data removed by the cybercriminals had been
destroyed.
3. Delayed Data Breach Notification: Blackbaud faced criticism for not promptly notifying
regulators, data controllers, and affected customers about the data breach. The delay
in reporting triggered concerns regarding compliance with the General Data Protection
Regulation (GDPR) requirements.
4. Class Action Lawsuit: In December 2020, a class action lawsuit was filed against
Blackbaud. The lawsuit alleged that Blackbaud failed to implement adequate and
reasonable cybersecurity measures to protect the personal and sensitive information
of its customers. The complaint highlighted various shortcomings in Blackbaud's
security practices.
5. Reputational Damage: Data breaches and ransomware attacks can lead to significant
reputational damage for the affected company. The incident raised concerns among
Blackbaud's customers and stakeholders about the security of their data and the
company's ability to safeguard sensitive information.
6. Increased Scrutiny on Cybersecurity Practices: The incident drew attention to the
importance of cybersecurity practices, especially for companies handling sensitive
customer data. The scrutiny extended beyond the immediate impacts of the
ransomware attack, emphasizing the need for organizations to prioritize and invest in
robust cybersecurity measures.

Vulnerability that leads to the attack


Specific details about the exact vulnerability or method used by the attackers to initiate the
Blackbaud ransomware attack in 2020 might not be publicly disclosed or fully detailed in the
available information. Companies often choose not to disclose such specifics to prevent
potential exploitation of similar vulnerabilities in other organizations or systems. However,
ransomware attacks typically exploit various weaknesses in an organization's cybersecurity
defenses.

Approach used for attack


Following is an analysis of the attack's approach:
1. Initial Breach and Ransomware Attempt:
The attackers breached Blackbaud's network, aiming to install ransomware.
Their primary goal was likely to encrypt files and lock customers out of their data and
servers.
2. Detection and Prevention:
Blackbaud's cybersecurity team, along with independent forensics experts and law
enforcement, detected the ransomware attack in progress.
They successfully prevented the cybercriminals from blocking system access and fully
encrypting files.
Blackbaud expelled the attackers from its system, preventing the ransomware from
completing its intended impact.
3. Data Theft and Threats:
Despite thwarting the ransomware attack, the attackers managed to steal a subset of
data from Blackbaud's "self-hosted environment."
The stolen data was likely sensitive customer information stored in the environment
where customers saved their files.
4. Ransom Demand and Payment:
The ransomware gang, after being expelled from the network, threatened to release
the stolen data unless Blackbaud paid a ransom demand.
To protect customer data, Blackbaud decided to pay the cybercriminals' demand.
The payment was made with the confirmation that the copied data had been
destroyed.
5. Assurance and Investigation:
Blackbaud conducted its research and engaged third-party investigations, including
law enforcement.
The company stated that it had no reason to believe that the stolen data would be
misused, disseminated, or made available publicly.
6. Notification and Impact Assessment:
Blackbaud notified its customers about the incident, emphasizing that only a small
subset of its customers was affected.
The impact was limited to the compromised data, and the company assured customers
that appropriate measures had been taken to address the situation.

Security aspect compromised

In the Blackbaud ransomware attack, the primary CIA (Confidentiality, Integrity, and
Availability) component that was compromised was Confidentiality.
