Accenture suffered a LockBit ransomware attack that reportedly encrypted at least 2,500 computers and leaked client information.
Earlier this month, LockBit threat actors posted the company’s name and logo on their dark web site, threatening to publish the data stolen during the Accenture ransomware attack. The ransomware group also derided Accenture’s security practices, describing them as “beyond privacy and security.”
LockBit ransomware operators later published part of the stolen data, but Accenture downplayed the incident.
LockBit used a malicious insider or exploited well-known vulnerabilities
Accenture has not disclosed how the LockBit ransomware gang infiltrated its systems or the scope of the ransomware attack.
The ransomware gang claims it compromised Accenture through an insider, but many experts dispute the claim given the scale of the attack.
The Australian Cyber Security Centre (ACSC) had issued an alert on August 6, 2021, over the increasing activity of the LockBit 2.0 ransomware group. Australia is a member of the Five Eyes alliance that monitors transnational cyber threats alongside the US, UK, Canada, and New Zealand.
ACSC disclosed that the ransomware-as-a-service (RaaS) operator was exploiting a vulnerability in Fortinet FortiOS and FortiProxy (CVE-2018-13379).
The group was also actively recruiting corporate insiders to facilitate its ransomware attacks in exchange for millions of dollars. The ransomware gang also sought partners to provide Remote Desktop Protocol (RDP) and Virtual Private Network (VPN) exploits for initial access and Cobalt Strike and Metasploit for threat emulation.
According to Emsisoft, the group boasts of the fastest data exfiltration system, StealBit, capable of downloading 100GB of data.
LockBit was responsible for compromising UK railway operator Merseyrail through the director’s Office365 account, causing mild disruptions in April 2021.
“This particular example with Accenture is interesting in the fact that it was a known/published vulnerability,” said Ron Bradley, VP at Shared Assessments. “It highlights the importance of making sure systems are properly patched in a timely manner. The ability for Accenture to manage the repercussions of potentially stolen data will be an important lesson for many organizations going forward.”
LockBit ransomware attack had no impact on Accenture operations
The consulting firm with about 569,000 employees globally acknowledged the early August ransomware attack. However, it downplayed the impact of the LockBit ransomware attack.
“Through our security controls and protocols, we identified irregular activity in one of our environments. We immediately contained the matter and isolated the affected servers,” Accenture said in a statement. “We fully restored our affected systems from backup, and there was no impact on Accenture’s operations or on our clients’ systems.”
However, Accenture was in the process of notifying its clients of the ransomware attack that reportedly compromised 2,500 computers, according to Hudson Rock.
“First reports suggest Accenture had data backup protocols in place and moved quickly to isolate affected servers,” said Hitesh Sheth, President and CEO at Vectra. “It’s too soon for an outside observer to assess the damage. However, this is yet another reminder to businesses to scrutinize security standards at their vendors, partners, and providers. Every enterprise should expect attacks like this – perhaps especially a global consulting firm with links to so many other companies. It’s how you anticipate, plan for and recover from attacks that counts.”
LockBit ransomware group demands $50 million in ransom payment
Ridiculing Accenture’s security practices, the ransomware group invited parties interested in the stolen data to contact them.
“These people are beyond privacy and security. I really hope that their services are better than what I saw as an insider,” the LockBit ransomware group wrote on its data leak site. “If you’re interested in buying some databases reach us.”
The threat actor did not provide any evidence of the stolen data. However, the Cyble research team said that the ransomware gang stole 6 terabytes of data and demanded $50 million in ransom payment.
The group usually demands an average of $85,000 from its victims, mostly tech companies. Accenture had earlier noted that the group primarily targets companies with annual revenues of between $1 billion and $9 billion. Accenture earned about $44 billion from the 50 countries it operates in.
The group later published a folder named W1 containing PDF documents allegedly stolen from Accenture, according to Security Affairs. The group later postponed the availability of the stolen data to August 12, suggesting that more data was on the way or the group was open to negotiations.