Exactly two years ago, on February 7, 2020, a ransomware group broke into the servers of Blackbaud Inc., exfiltrating millions of sensitive records belonging to hospitals, educational institutions and nonprofit organizations in the US, Canada, New Zealand, the UK, Ireland, the Netherlands and Hungary.
After more than three months, on May 20 of the same year, the IT department of Blackbaud (an American multinational and world leader in the cloud computing sector) realized that someone had broken into its servers. On July 16, after a further month of waiting, Blackbaud finally decided to send the first, partial and incorrect, notifications to the entities involved. A second notification to the affected entities was sent at the end of September, after another two months of waiting.
It was from this last communication that we learned the seriousness of the facts and what data the ransomware group had really come into possession of.
SuspectFile has followed this story very closely, collecting tens of thousands of data points for over a year on 466 educational institutions of all levels around the world. In the educational sector alone, the data loss affected over 7,984,000 people, a figure that SuspectFile was able to establish with certainty after cross-referencing thousands and thousands of data points collected from the institutional sites of K-12 schools, colleges and universities and from the sites of the US Attorneys General and of the other countries involved.
Unfortunately, this figure is still partial today, as more than half of the entities concerned did not provide numerical data either to the General Prosecutors of their respective States or to us. Blackbaud, for its part, preferred to pay a ransom in the millions to the group of cybercriminals, thus avoiding both the disclosure and the sale of the exfiltrated data on the dark web. A further reason that may have prompted the multinational to give in to blackmail may have been to avoid a probable financial meltdown by choosing the lesser evil: paying an amount certainly lower than what it would have risked paying if it had been sued in court in hundreds of civil cases.
According to SuspectFile, the total number of people affected by the 2020 data breach could be close to 30 million.
Today the cybercriminal group LockBit published on its website, on the Tor network, the name of a Michigan university, the University of Detroit Mercy. The name immediately seemed familiar to us.
We then went back to our table of the 466 educational institutions and found that its name appeared under the “Blackbaud data breach”, with 34,675 people involved in the theft of sensitive data.
We wondered whether the data that LockBit claims to have exfiltrated was new or whether it dates back to two years ago.
After writing an email to the University of Detroit Mercy asking for a statement on the matter, we also wanted to put some questions directly to the LockBit ransomware group, a group of cybercriminals that, as is well known, is not very inclined to converse with researchers and journalists.
We asked two questions. In the first, we wanted to know whether the data exfiltrated from the University of Detroit Mercy was two years old or recent. The second concerned the true identity of the group that hit Blackbaud in 2020. Our belief has always been that Maze hit the American multinational and that LockBit is nothing more than a “restyling” of that group.
LockBit replied that the data was new; it could not have answered differently. Regarding the new identity, it initially hesitated; at our second request it replied with a “lol” and then with a “no”.
We report the most important parts of the chat with LockBit:
Marco – “You have published the Uni of Detroit Mercy profile on your website. A victim already hit in February 2020 (Blackbaud data breach) by another group https://www.suspectfile.com/blackbaud-data-breach-university-college-k-12-third-part/
What I’m wondering is if whoever hit it in 2020 (Maze) is the same one who hit it in 2022 (LockBit)”
LockBitSupp – “and?
we can hit every day”
Marco – “I want to know if like two years ago it hit the Uni Detroit Mercy or the data are the old ones from 2020 and of course if what I’ve been thinking for two years, your old look was Maze”
LockBitSupp – “its fresh data”
Marco – “ok for the first question, the second question?”
LockBitSupp – “what?”
Marco – “and of course if what I’ve been thinking for two years, your old look was Maze”
LockBitSupp – “lol
We cannot know whether what LockBit states is true, which is why it would be important for the Marketing & Communications Department to respond to our e-mail.
We will update the article if new information emerges.