Accenture is, reportedly, the latest company to fall victim to a ransomware attack by the LockBit ransomware gang. Reports of the attack became public yesterday when the name of the company was published on the blog of the LockBit ransomware cartel, according to CNBC reporter Eamon Javers.
However, in an emailed statement to The Record, the global business consulting firm majorly “downplayed” the ransomware attack, stating that the incident did not affect their clients or their operations and all their affected systems have already been restored from backups. Although, a tweet put out by a cyber-intelligence firm, Hudson Rock, claims that the attack compromised 2500 computers of employees and partners.
As mentioned before, the attack on the Fortune 500 company was allegedly carried out by LockBit 2.0 ransomware operators. The gang claimed that they gained access to the company’s internal network and were preparing to leak the stolen data. On the LockBit dark web page, the hackers had set a countdown to 17:30:00 GMT on 11th August, at the end of which the stolen files would be published.
The site also had a message directed towards Accenture, which read:
“These people are beyond privacy and security. I really hope that their services are better than what I saw as an insider. If you are interested in buying some databases, reach us”
The first part of the message was clearly the hackers taking a shot at what they deemed to be Accenture’s poor security. Other than the part about the hackers putting the databases up for sale, the one thing that stands out is the possibility of the attack being an inside job.
Details of the Accenture ransomware attack
During the initial countdown, the group did not share any kind of proof that they were, in fact, in possession of said databases and files. At the end of the countdown, Security Affairs reported that there was a folder published with the name ‘W1’.
According to The Record, a cursory review of the leaked files in the folder showed that there was no sensitive information leaked. The folder only contained some product brochures, employee training courses and various marketing materials from Accenture.
But the question remains – How did LockBit gain access to the internal network of one of the biggest companies in the world? Accenture is a business consulting company that is employed by some of the most powerful companies in the world. Their clients include 94 of the Global Fortune 100 companies and more than 3/4th of the global Fortune 500 companies. Their client list includes the likes of Google, Alibaba, IBM, and many more. Ironically, Accenture is also a global leader in the Cyber-Insurance market.
To add to the bad publicity, Cyble, an Atlanta-based cybersecurity firm, believes that this may be an inside job.
An unconfirmed source on Twitter has also stated that this might be an inside job from a person who is, allegedly, still employed by the company.
According to Bleeping Computer, “sources familiar with the attack” have stated that Accenture has confirmed the news of the data leak to at least one Computer Telephone Integration (CTI) vendor, and are currently in the process of notifying more customers about the leak.
LockBit
LockBit is the latest threat in a long line of organizations focusing on a ransomware-as-a-service (RaaS) model. They follow in the footsteps of many gangs like DarkSide or REvil. The RaaS model basically divides the ransom payment or the “foreclosure amount” between the “customer” who is directing the attack and, in this case, the LockBit gang.
LockBit has the ability to automatically propagate to new targets. This is why it is used in more targeted attacks rather than indiscriminately spamming organizations with random attacks. This is clearly evident in the case of Accenture since the message on the dark web page seems very personalized.
According to Lawrence Abrams from Bleeping Computer, computers affected by a LockBit attack now display wallpapers that openly call for employees to side with them in their operations.
In the wake of DarkSide and REvil shutting down their operations, LockBit has really stepped up their game to fill up the space cleared out by the others. In recent times, the Australian Cyber Security Centre (ACSC) reported that there has been a substantial rise in the operations of LockBit. The ACSC also noted that it has observed LockBit threat actors actively exploiting vulnerabilities across multiple industries as well.
2021 has been a year where ransomware seems to be a very regular, everyday occurrence. Ransomware has become one of the most prevalent methods amongst cybercriminals. There are more than 100 ransomware attacks recorded in this year alone. This includes a lot of high-profile ones like EA, Saudi Aramco, Gigabyte, etc.
Ransomware should definitely be taken more seriously, especially by companies like Accenture, since the amount of data handled by companies of such stature would be dangerous in the wrong hands. Fujifilm is one company that effectively tackled a ransomware attack against them, and that should be the general standard for all companies to protect themselves from being extorted.
As for the current scenario, it is still not clear what LockBit will do with the 6TB of data that they allegedly possess. But it is clear that the situation is not how Accenture portray it to be, and it is yet to be seen how the situation will pan out.