Cyber Threat Actor: Blackbaud Hackers
| Actor Type | Location | Known Incidents |
Criminal
|
United States of America
|
13 incidents |
|---|
Profile
Blackbaud, also tracked as Blackbaud Hackers, is a threat actor identified in open‑source reporting as operating from the United States of America. The actor is primarily known for conducting ransomware operations against the cloud services provider Blackbaud, which in turn affects the provider’s customers across various sectors. No additional aliases or geographic details beyond the stated U.S. location are provided in the source material.
The actor’s targeting pattern shows a focus on organizations that rely on Blackbaud’s fundraising and data management platforms, including healthcare systems, universities, charitable foundations, and nonprofit entities. Victims have been observed in both the United States and the United Kingdom, indicating a transnational scope. The consistent demand for ransom payments and the actor’s willingness to pay for assurances of data deletion point to a financially motivated objective rather than espionage or disruption, as no evidence of state sponsorship or ideological goals is cited in the available reports.
Typical tactics involve gaining initial access through vulnerabilities in Blackbaud’s third‑party software infrastructure, deploying ransomware to encrypt systems, and exfiltrating backup databases containing personal information. The actor does not appear to rely on a specific named malware family in the disclosed incidents; instead, the emphasis is on exploiting the vendor’s supply chain to reach downstream victims. After intrusion, the actor typically seeks a ransom payment and claims to have destroyed the stolen data, a pattern repeated across multiple compromises.
Representative operations include the May 2020 ransomware event that impacted De Montfort University, Sheffield Hallam University, and the MetroHealth Foundation, the February 2020 incident affecting Northwestern Memorial HealthCare and Inova Health Systems, the September 2020 attack on UK universities such as the University of Reading and the University of Cumbria, and the December 2020 breach at Ronald McDonald House Charities that exposed nearly eighteen thousand guest records. These cases illustrate the actor’s recurrent use of ransomware against a cloud service provider to harvest personal data from a broad range of sector‑specific targets.
