The LockBit 2.0 ransomware attack against Accenture - time is running out


Global consulting giant Accenture was recently hit by a ransomware attack, and its systems were infected with the LockBit 2.0 ransomware.

The company reported revenues of $44.33 billion in 2020 and had 569,000 employees across 50 countries.

LockBit 2.0 ransomware operators initially announced the data breach on their leak site but did not share any files as proof of the attack.

“These people are beyond privacy and security. I really hope that their services are better than what I saw as an insider. If you’re interested in buying some databases, reach out to us,” reads the announcement published on the leak site.

ADVERTISEMENT

Researchers from the threat intelligence firm Cyble revealed that the ransomware operators have stolen databases containing over 6 TB of data and are demanding a $50 million ransom from the company. The experts also speculate that an insider had helped the gang in gaining access to the network of the consulting firm.

The countdown displayed on the leak site immediately after the disclosure of the attack was set up for August 11, 2021 (at 5:30 PM) and the group threatened to publish files allegedly stolen from the company.

Immediately after the countdown had expired, the ransomware gang published a small set of stolen data composed of 2,384 items. The leaked files include PDF documents allegedly stolen from the company that appeared as general marketing material.

Countdown on the data leak site: "Encrypted files are published"
Image: countdown on the data leak site

Initial set of data published by the LockBit 2.0 group
Image: initial set of data published by the LockBit 2.0 group

Later, the ransomware operators removed the above files and postponed the countdown to August 18, 2021 (at 11:43).

ADVERTISEMENT
Ransomware countdown postponed to August 18

The delay in the publishing of the stolen data could suggest two scenarios:

  • The ransomware operators have started a negotiation with Accenture in order to avoid the stolen data being published.
  • Ransomware operators did not steal sensitive data from Accenture during the attack and are using the story to increase their visibility in the threat landscape.

It is not clear how the ransomware gang breached the company and when the security breach took place.

The company declared to have isolated the infected servers and restored impacted systems from its backups.

“Through our security controls and protocols, we identified irregular activity in one of our environments. We immediately contained the matter and isolated the affected servers,” Accenture said in a statement.

“We fully restored our affected systems from backup, and there was no impact on Accenture's operations, or on our clients' systems.”

Sources familiar with the security breach told BleepingComputer that the company had confirmed the ransomware attack to at least one CTI vendor and it is also in the process of notifying more customers.

Ironically, in a report published by Accenture, the company said that 54% of all ransomware or extortion victims were companies with annual revenues between $1 billion and $9.9 billion.

ADVERTISEMENT

Security firm Hudson Rock revealed that Accenture had 2,500 computers belonging to employees and partners compromised before the attack that could have been leveraged for initial access.

Recently, the Australian Cyber Security Centre (ACSC) has warned of escalating LockBit 2.0 ransomware attacks against Australian organizations starting July 2021.

“The ACSC is aware of numerous incidents involving LockBit and its successor 'LockBit 2.0' in Australia since 2020. Most victims known to the ACSC have been reported after July 2021, indicating a sharp and significant increase in domestic victims in comparison to other tracked ransomware variants,” states the alert published by ACSC.

“The ACSC has observed LockBit affiliates successfully deploying ransomware on corporate systems in a variety of sectors, including professional services, construction, manufacturing, retail and food.”

TrendMicro researchers also reported a surge in LockBit 2.0 attacks. Most of the attempts were against organizations in Chile, Italy, Taiwan and the U.K.

“In contrast to LockBit’s attacks and features in 2019, this version includes automatic encryption of devices across Windows domains by abusing Active Directory (AD) group policies, prompting the group behind it to claim that it’s one of the fastest ransomware variants in the market today,” states the report.

“LockBit 2.0 prides itself on having one of the fastest and most efficient encryption methods in today’s ransomware threat landscape. Our analysis shows that while it uses a multithreaded approach in encryption, it also only partially encrypts the files, as only 4 KB of data are encrypted per file.”

Experts also pointed out that the ransomware operators also spent a significant effort to recruit insiders from within targeted organizations.

Concluding, it is easy to predict a spike in LockBit 2.0 infections in the next few weeks. When it comes to the attack on Accenture, time is running out, we can only sit and wait for other data leaks.

ADVERTISEMENT