Protecting NGOs from Digital Risks such as Ransomware and Cyber Extortion

Ransomware and data exfiltration continue to represent formidable and ever-present cybersecurity threats for international non-governmental organizations (NGOs). These malicious activities not only disrupt an NGO’s operations but also compromise sensitive information, which can erode the trust of donors, beneficiaries, and partners. In this article, we discuss what ransomware and cyber extortion attacks are; why NGOs should focus on risk mitigation to prevent cyber-attacks of this nature; we present case studies of NGOs and charities that have been impacted by cybercrime in recent times and the effect that had; and we discuss ways and strategies for NGOs to manage and mitigate digital risks using tried-and-tested approaches and international standards.

Understanding Ransomware and Cyber Extortion

Ransomware is a type of malicious software designed to block access to a computer system, data or service. This is achieved by a cyber threat actor encrypting files until a ransom is paid. Attackers will typically demand payment in cryptocurrencies with the promise to restore access to a system once the ‘ransom’ payment is made.

Cyber extortion encompasses a broader range of threats. Typically, cyber extortion occurs where cybercriminals demand payment by threatening to publicly release sensitive data, disrupt services, or cause reputational damage if payment is not made. Methods of cyber extortion include ransomware attacks, data exfiltration and the subsequent threat of releasing that information, ‘doxing’ of an individual, or extortion tactics such as Distributed Denial-of-Service (DDoS) attacks.

Why NGOs Would Want to Prevent Ransomware and Cyber Extortion

Like all organisations, it would be highly prudent for NGOs to prevent ransomware and cyber extortion attacks. In the case of NGOs, given the critical nature of many NGO operations, the need to prevent and respond to cyber incidents is even more pressing.
These reasons centre on operational viability, reputational integrity, and mission fulfilment, and include:

Protection of Sensitive Data: NGOs generally manage sensitive personal data, including information about beneficiaries, donors, employees, and vulnerable populations. A ransomware or data exfiltration incident could lead to exposure of personal and confidential information, violation of national and regional privacy laws, and will inevitably cause harm to the individuals that an NGO serves.

Preserving Donor Trust and Public Confidence: Trust represents a cornerstone of donor relationships. Any compromise in data security can undermine confidence in the NGO’s ability to safeguard financial contributions and personal data, and may lead to a decline in donations and long-term funding because of reputational harm. Additionally, NGOs depend heavily on public goodwill. A successful cyberattack can lead to negative media coverage, damage long-standing reputations, and affect partnerships with governments, other NGOs, and international agencies.

Ensuring Continuity of Operations: Ransomware often disables critical systems and data access, severely disrupting on-the-ground activities such as humanitarian aid delivery, healthcare or educational services, and emergency response coordination. As such, prevention of cyber-attacks represents a top organisational risk management outcome for NGOs to ensure that their mission remains unhindered.

Financial Implications: Cyber extortion can result in costly ransom payments, which often do not guarantee data recovery. Ransom payments can advance the interests of criminal enterprises, including people trafficking, slavery and the drug trade, and many nation states are considering banning the payment of ransoms, or at the very least requiring that ransom payments be reported to law enforcement.
Additionally, significant recovery costs can ensue because of the digital forensics, system restoration and PR crisis management services that need to be engaged in the aftermath of a cyber-attack.

Legal Implications: Legal liabilities and regulatory fines related to mandatory national notification requirements will almost certainly ensue. Most nation states now have data breach notification laws in place. These include the European Union’s GDPR; state and federal laws in the United States; Canada’s PIPEDA; Australia’s Privacy Act; Brazil’s General Data Protection Law; Japan’s Act on the Protection of Personal Information (APPI); China’s Personal Information Protection Law (PIPL); and India’s Digital Personal Data Protection Act (DPDPA).

Notable Attacks on NGOs and Charities

Because of their visible and high-profile nature, NGOs and charities have increasingly become targets of ransomware and cyber extortion. Several high-profile examples are listed here.

Blackbaud Ransomware Incident (2020): In May 2020, Blackbaud, a cloud service provider for nonprofits, fell victim to a ransomware attack. The attackers were able to access and exfiltrate data from numerous organizations, including donor information such as bank account details and U.S. social security numbers. Blackbaud later settled a complaint brought by the U.S. Federal Trade Commission in February 2024 as a result of ‘poor data practices.’[1]

Save the Children International Data Exfiltration Incident (2022): The organization confirmed a cyberattack after a ransomware group claimed to have breached its systems. The attackers alleged they had stolen over 6.8 terabytes of data, including financial records, email messages, and personal data such as medical and health information.[2]

Albyn Housing Society Attack (2024): In August 2024, Albyn Housing Society, one of Scotland’s largest housing charities, suffered a cyberattack by the ransomware gang RansomHub.
The attackers released 10 gigabytes of sensitive data, including staff payroll and tenant information, on the dark web. The charity worked closely with Police Scotland and cybersecurity agencies to mitigate the impacts.[3]

Evide Data Breach (2023): Evide, a data management company serving charities across Ireland, experienced a ransomware attack that led to the compromise of sensitive data from about 140 organizations, including some that were supporting survivors of sexual abuse. The breach raised significant concerns about data protection practices among service providers to NGOs.[4]

International Committee of the Red Cross (ICRC) Data Breach (2022): A cyberattack on a contractor used by the ICRC compromised the personal data of over 515,000 vulnerable individuals from at least 60 Red Cross and Red Crescent National Societies worldwide. The breach heightened concerns about the safety and privacy of affected individuals.[5]

Mitigating Ransomware and Cyber Extortion Incidents Using Proven, International Risk Management Approaches

To mitigate ransomware and data exfiltration threats, NGOs can adopt internationally recognized risk management standards, particularly ISO/IEC 27001, ISO 31000, and ISO/IEC 42001, as foundations for building resilient and secure information environments. These three standards address the areas of