Ransomware Attacks on Nonprofits: Rarity or Regularly Hidden?
In March 2023, software company Blackbaud agreed to pay a $3 million penalty to the U.S. Securities and Exchange Commission (SEC). The commission penalized the company not for embezzlement or money laundering, but because it had not been entirely forthright with investors about the extent of a ransomware attack it suffered in 2020.
Blackbaud provides cloud software for nonprofits, foundations, and private sector organizations. In the 2020 attack, the intruders acquired bank account and credit card information, along with the Social Security numbers, of nonprofit donors. According to the SEC, the company paid a ransom in Bitcoin, the amount of which it did not disclose, in exchange for the attackers' promise to delete the exfiltrated data, which covered more than 13,000 of Blackbaud's customers.
Malware and cyberattacks against nonprofit organizations and their data have increased in recent years.
In 2020, Philabundance, a hunger relief organization based in Philadelphia, Pennsylvania, was scammed out of more than $923,000 in what amounted to a business email compromise. Attackers intercepted legitimate emails from a construction company working on a new community kitchen facility, then sent Philabundance a fake invoice in the contractor's place, which the organization paid.
In January 2022, the International Committee of the Red Cross (ICRC) identified an attack on servers holding personal data for more than 515,000 people, much of it concerning people who had been displaced or separated from their families and the relatives trying to find them. According to the ICRC, the attackers exploited an unpatched critical vulnerability to gain access and then reached information that included names, locations, and contact details.
Yet ransomware attacks on nonprofits, which operate across industries including hunger relief, healthcare, education, religion, and politics, do not appear in news headlines as regularly as attacks against public services or critical infrastructure organizations.
Part of the reason is that cyberattackers deploying ransomware, or selling it as ransomware as a service (RaaS), might not intentionally target a nonprofit at all, according to Megan Stifel, chief strategy officer for the Institute for Security and Technology (IST).
Attackers motivated by payouts might gain a foothold in a network via malware, perhaps unaware that the network belongs to a nonprofit, and then sell that access to a different actor. The buyer can then use the purchased access to locate high-value files, such as employee records, intellectual property, or financial data, and decide what the victim is worth.
When an attacker is analyzing a network and its potential worth, “one factor is how weak is the system that the actor is targeting,” Stifel says. “But because they want to get paid, a weak system doesn’t mean that it’s necessarily a high target anymore.” Instead, attackers often won’t know the target’s identity or value until they access the victim’s network.
When it comes to cyber and network security, most nonprofits are constrained in how they can fund security efforts, whether the organization is a hyper-local group operating on a shoestring budget or a global operation with tens of thousands of staff, supporters, donors, and volunteers. Revenue generated by or for a nonprofit is typically assigned to efforts that further the organization's mission, whether that is the construction of a new food bank or hospital, the purchase of medical supplies, the cost of trips to clear land mines from an area, or any number of other worthy goals.
What these funds are usually not earmarked for is firewall maintenance or the salary of an IT security expert, which often leaves systems weak and information and funds exposed.
So for actors motivated by more than financial incentives, such as nation-state actors or people driven by politics, extremism, or hate, this leaves nonprofit targets in a tough position, notes Adrien Ogée, chief operations officer of the CyberPeace Institute, a nonprofit based in Switzerland that provides cybersecurity support to NGOs.
“(Nonprofits) collect, process, transfer, and house a lot of sensitive data about their activities and the vulnerable communities they protect—think of migrants, political activists, dissidents—and they raise funds,” Ogée says.
And those funds are not insignificant. In 2022, charitable giving in the United States totaled $499.33 billion, with the largest source (64 percent, or $319.04 billion) being donations from individuals, according to the Double the Donation database.
“On the other side, the ability of nonprofits to protect themselves is pretty much the lowest you can find across industry ranges,” Ogée says.
Another aspect that makes nonprofits attractive to attackers is that some organizations, especially those serving particular regions or supporting certain marginalized communities, might be less likely to seek or receive support from authorities or law enforcement, according to Ogée. For example, a nonprofit that supports refugees or the LGBTQ+ community is unlikely to receive help from government agencies in nations whose policies are hostile to those populations.
A nonprofit’s key constituency or mission could also be targeted by hateful individual actors seeking to disrupt the victim’s operations. “There’s a lot of hateful people out there who for whatever reason or not disagree with what the philosophy might be,” notes Leibel Garelik, chief security officer for Chabad-Lubavitch, a religious support organization for Orthodox Judaism and its facilities. “We have threat vectors from all different walks of life. We have a lot of people that don’t like us for whatever reason. …It’s kind of a 360-situation, so we kind of just have to deal with it as it comes.”
Ogée worries that attackers will realize the combination of potentially significant funds but poor security or support within nonprofits. “For criminals, unfortunately (nonprofits) make for more and more interesting prey because they have a very limited ability to protect themselves, which means the chances of the success of an attack are higher,” Ogée adds.
This combination also feeds into the likelihood that an organization will pay the ransom—a key determinant in targeting and negotiating with ransomware victims, notes Stifel. “It’s really kind of about how much money might be in the bank and how critical are the services that the organization offers,” Stifel says, adding that hospital systems or similar groups offer critical services to people, making them attractive targets.
Whatever the motivation behind a ransomware attack, most incidents look alike from the victim's side: a user discovers the dreaded message announcing that the organization's systems have been encrypted, together with contact details (often a phone number) so the organization can arrange a ransom payment or risk the data being lost or, because the attackers have usually already exfiltrated it, published.
A nonprofit client of the CyberPeace Institute, which Ogée did not name beyond acknowledging that the global group supports orphans, recently faced a ransomware attack in which the attackers demanded a large sum in exchange for decrypting files that included children's photographs, medical files, and other information.
Negotiations quickly revealed that the attackers had not known the target was a nonprofit. When the CEO explained that the amount being demanded would effectively shut down the organization, the criminals replied, "Don't worry. We have a discount for nonprofits," Ogée recalls.
This behavior indicates that ransomware groups are becoming increasingly professionalized, with a level of organization that extends to pay tiers for victims. "They run like companies, and they're seeing nonprofits as legitimate targets, which for me is a huge point of concern," Ogée says.
While nonprofits might be constrained in building or retaining in-house cybersecurity teams, proper defense "doesn't mean that it has to come with a high cost," notes Stifel, who helped create the Ransomware Task Force in December 2020. Between then and April 2021, she and a team of ransomware and cybersecurity experts and stakeholders developed a set of recommendations to help organizations prepare for attacks, respond better to incidents, deter ransomware, and encourage cooperation between governments and the private sector.
"There are a number of resources available online…that organizations large and small can use to improve their security," Stifel says. One free resource she recommends is the Global Cyber Alliance's cybersecurity toolkit for mission-based organizations. Another is the IST's action plan, the Blueprint for Ransomware Defense, which provides guidance for small and medium-sized organizations before, during, and after a ransomware attack.
Taking accountability for these attacks, instead of trying to sweep them under the rug, is another way nonprofits can begin to shift the larger culture around them, according to Ogée.
Historically, accountability has been difficult for nonprofit victims of cyberattacks because an organization might fear losing the support of staff, donors, volunteers, or other partners. On top of that is the financial concern that an organization may face a significant fine if a government agency determines it was poorly defended or was not forthright in reporting the incident, as in the Blackbaud case.
By speaking up and taking accountability for an incident instead, Ogée hopes that the publicity will make nonprofit organizations and their supporters aware that these attacks are a matter of when rather than if, and that the attention will foster understanding and continued support for nonprofit security.
Sara Mosqueda is associate editor for Security Management. Connect with her on LinkedIn or via Twitter.