(October 30, 2020) Several U.S. hospitals from northern New York state to California have become part of a growing number of ransomware attacks against charities and other social systems.
The attackers have demanded a USD $1 million to unlock the system, which some hospitals have paid, reported the Washington Post. Patient care and noncritical surgeries have been affected.
On October 29, Montreal’s transit agency The Société de transport de Montréal (STM) revealed an unrelated ransomware attack on October 19 that targeted 1,000 of its 1,600 servers.
The hackers responsible for that attack have asked for $3.7 million, which STM says is will not pay. It also reported that three-quarters of its affected servers have been restored.
“The attack occurred as a result of a phishing email, according to the STM — an unsuspecting employee likely clicked on a link containing malicious malware, believed to be called RansomExx,” reported CTV Montreal.
The U.S. attack, traced to Russian-speaking law-breakers, is believed to be part of a Russian effort to destabilize the country’s healthcare system in the middle of a pandemic that is becoming out of control, days before a contentious presidential election.
Ransomware is a type of malicious software that infects a computer and restricts users’ access to it until a ransom is paid to unlock it, according to UC Berkeley.
But these attacks are by no means the first ransomware attacks on social structures including ransomware attacks against charities. In late July, scores of Canadian charities received notification of a May 2020 global Blackbaud data breach involving its Raiser’s Edge and NetCommunity products.
The attack affected hundreds of hospitals, universities and other charities in the U.S., Canada and the U.K.
In August, The Charity Report found 24 Canadian charities—from the BC Cancer Foundation to Canada’s National Ballet—affected by the breach.
In a July 2020 statement, the company said, “In May of 2020, we discovered and stopped a ransomware attack …
“The cybercriminal did not access credit card information, bank account information, or social security numbers. Because protecting our customers’ data is our top priority, we paid the cybercriminal’s demand with confirmation that the copy they removed had been destroyed.”
Yet, in early October, Blackbaud confirmed in a regulatory filing that the stolen data also included bank account data and social security numbers, more information that the company initially revealed was at risk.
Tech reporters have said Blackbaud has played down the attack because it doesn’t want to impact its share prices.
Coveware, a U.S.-based company that works in the cyber vulnerabilities market and runs a ransomware incident response platform reported that ransomware attacks are increasing.
“During the first quarter of 2020 ransomware threat actors took advantage of the economic and workplace disruption caused by the COVID-19 outbreak.”
It estimates the average ransom paid has increased by 33% to USD $111,605 and says, “Poorly secured Remote Desktop Protocol (RDP) access points continued to be the most common attack vector.”
What can you do to protect yourself against ransomware attacks against charities?
UC Berkeley recommends, among other things, to:
- Employ a data backup and recovery plan for all critical information
- Keep your operating system and software up-to-date with the latest patches
- Maintain up-to-date anti-virus software
- Restrict users’ ability (permissions) to install and run unwanted software applications
- Avoid enabling macros from email attachments
- Do not follow unsolicited Web links in emails
For its part, Blackbaud continues to say it follows “industry-standard best practices, conduct ongoing risk assessments, aggressively test the security of our solutions, and continually assess our infrastructure.”
The tens of thousands of charities who use Blackbaud to keep records on donors will have to take Blackbaud at its word.
In the meantime, Blackbaud is facing a class-action lawsuit in North Carolina and the incident has resulted in consumers experiencing “ascertainable losses in the form of out-of-pocket expenses and the value of their time reasonably incurred to remedy or mitigate the effects of the attack.”
When asked for asked for reaction to the suit by the NonProfit Times, a Blackbaud spokesperson said, “Blackbaud disagrees with the allegations and intends to demonstrate they are without merit.”
Related
Blackbaud Data Breach: U.S. Donor Sues, could the same happen in Canada? September 9, 2020
Blackbaud Data Breach: The impact on Canadian charities and what we still don’t know August 24, 2020