Blackbaud, a provider of software and cloud hosting solutions, said it stopped a ransomware attack from encrypting files earlier this year but still had to pay a ransom demand after hackers stole data from the company’s network and threatened to publish it online.

The incident took place in May 2020, the company revealed in a press release on Thursday.

Blackbaud said hackers breached its network and attempted to install ransomware in order to lock the company’s customers out of their data and servers.

“After discovering the attack, our Cyber Security team, together with independent forensics experts and law enforcement, successfully prevented the cybercriminal from blocking our system access and fully encrypting files; and ultimately expelled them from our system,” the company said.

However, Blackbaud says that before being pushed out of its network, the hackers managed to steal a subset of data from its “self-hosted environment,” where customers save their files.

The ransomware gang, which ZDNet was not able to identify before this article’s publication, then threatened to release the stolen data unless Blackbaud paid a ransom demand — even though their initial file-encrypting attack was stopped.

“Because protecting our customers’ data is our top priority, we paid the cybercriminal’s demand with confirmation that the copy they removed had been destroyed,” Blackbaud said.

“Based on the nature of the incident, our research, and third party (including law enforcement) investigation, we have no reason to believe that any data went beyond the cybercriminal, was or will be misused; or will be disseminated or otherwise made available publicly,” it added.

The cloud provider, which primarily works with non-profits, foundations, and educational and healthcare organizations, said the incident impacted the data of only a small subset of its customers, which it has now notified.

Ransomware trend

The Blackbaud incident epitomizes today’s double-extortion ransomware attacks.

Ransomware gangs now primarily focus their attacks on large corporate networks, where they gain an initial foothold, and steal the victim’s data before encrypting the local files.

Victims are then prompted to pay a ransom demand — either for unlocking the files or for preventing their stolen data from being published online (in case the victim refuses to pay the decryption fee and chooses to restore from backups or rebuild systems from scratch).

Such attacks have been the norm since around late 2019 when a large number of ransomware gangs started operating “leak sites” where they’d publish the data of victims who refused to pay.

Ransomware gangs who did not bother creating “leak sites” simply dumped the stolen data on file-sharing portals and shared the links on forums, social media networks, or with news agencies.

In the vast majority of cases, ransomware groups have pursued one of the two ransom fees (for decrypting files or for not publishing the data), but one gang, in particular, is known for chasing both at the same time — namely the Ako ransomware gang.