Accenture officials are saying they staved off a ransomware attack this week by a cybercriminal ring using the LockBit malware even as the hacker group claimed to have captured data from the massive global IT and business consulting firm and has threatened to release it.
A CNBC reporter on Aug. 11 sent out a series of Tweets noting that the group had posted on the Dark Web that it was proposing selling insider information from Accenture to interested parties and apparently taunting the company, writing that “these people are beyond privacy and security. I really hope that their services are better than what I saw as an insider. If you’re interested in buying some databases, reach us.”
However, in a statement released to journalists, Accenture executives said that “through our security controls and protocols, we identified irregular activity in one of our environments. We immediately contained the matter and isolated the affected servers. We fully restored our affected servers from back up. There was no impact on Accenture’s operations, or on our clients’ systems.”
Accenture is a Big Target
The company, which racked up $44.3 billion in revenue during its fiscal year 2020, has declined to comment on whether it saw the ransomware-as-a-service (RaaS) attack as an insider job or how many of their systems were impacted. Cybercrime intelligence firm Hudson Rock wrote on Twitter that the attack compromised 2,500 computers belonging to Accenture and its partners.
According to security research firm Cyble, the hacker group is saying it has captured 6 terabytes of data from Accenture and is demanding a $50 million ransom. There’s been no proof of data that has been stolen. Initially the group posted a countdown clock on the Dark Web that was to expire Tuesday, at which time data would be released to the public.
However, Cyble noted on Twitter that the release time apparently was postponed on Wednesday.
There are a number of questions that still need to be answered, including how the bad actors were able to enter Accenture’s systems or when the attack took place. Accenture executives have not commented beyond the initial statement put out.
Justin Wray, director of operations and security at Core BTS, a managed service provider, told eSecurity Planet that it shouldn’t come as a surprise that Accenture is releasing little information.
“This is par for the course, as it is not common for organizations to share extensive detail after a ransomware or cyberattack,” Wray said. “We may learn more given strict reporting requirements about attacks involving certain types of data, but we are still early in the sequence of events.”
Accenture is a huge firm with a wide reach around the world. The company has about 537,000 employees and 185 partners, with 6,000 customers in more than 120 countries.
Further reading: How Zero Trust Security Can Protect Against Ransomware
Trends in Ransomware
The attack on the company highlights trends experts are seeing in the cybercrime world, including the increasing use of RaaS and the growing focus by hackers to focus on fewer large targets – a category Accenture fits in – that could bring in a greater financial return.
A report in June by cybersecurity company McAfee found that bad actors are moving away from mass multi-target ransomware attacks that involve a lot of effort and smaller financial results and leaning more on RaaS and leveraging customized ransomware in their attacks on the larger companies. At the same time, McAfee researchers since about 2019 also have seen a rise in the use of leak sites, which cybercriminals use to publish seized data from companies.
Leak sites are part of a larger strategy that hackers are leveraging. Rather than using ransomware to encrypt a company’s data and demanding payment in return for a decryption key, they now are more often including extortion in their threats, capturing the data and saying they will publish it if the ransom isn’t paid.
In addition, cybercriminals over the past few years have ramped up their attacks on companies like Accenture, which have a lot of clients and can be used as an avenue into the IT environments of those clients.
LockBit Filling a Vacuum
According to a blog post by cybersecurity vendor Cybereason, LockBit is a ring of bad actors that are similar to such high-profile cybercriminal groups like REvil and DarkSide – both of which in recent weeks reportedly have shut down their operations – in its use of the RaaS model in that it offers its platform for others to use. The LockBit ransomware may be released to LockerGoga and MegaCortex malware families, sharing such techniques as being able to automatically propagate to other targets, according to Cybereason.
The LockBit ransomware first emerged in 2019 and may be increasing in use to fill the void left by the closing down of the REvil and DarkSide operations. Cybercrime gangs have reportedly been using the LockBit 2.0 ransomware to try to recruit corporate insiders who can help them breach their companies’ networks, promising those insiders payouts of millions of dollars.
Further reading: Startup Sees File System as Key to Security
Responding to a ransomware attack isn’t easy and it can have far-reaching impacts. According to a Cybereason report in June, 66 percent of companies attacked have seen significant revenue losses and 53 percent said their brands and reputations were damaged. In addition, 26 percent said they had to close down their business for periods of time and 35 percent said they paid the ransom, which ranged from $350,000 and $1.4 million. For most companies, paying the ransom opened them up to being attacked again.
“While an important factor of ransomware recovery is to get – and restore – your encrypted data from backups, that’s only the beginning,” Core BTS’ Wray said. “Restoring your data doesn’t help if the adversaries have taken your data and decide to leak it. It also does not solve the root problem.”
Accenture Got Backup Right
It’s important for companies to “ensure your restore point is clean from any type of compromise or external access,” he said. “Backups do not prevent data theft, so it is important to ensure adversary access is removed and that you do not put a compromised system back into your environment. Additionally, you must address the security gap through which adversaries entered.”
According to Hitesh Sheth, president and CEO of Vectra, a cybersecurity company that leverages artificial intelligence (AI) in its portfolio, Accenture officials initially appeared to have made the right moves when they learned about the ransomware attack.
“First reports suggest Accenture had data backup protocols in place and moved quickly to isolate affected servers,” Sheth told eSecurity Planet. “It’s too soon for an outside observer to assess damage. However, this is yet another reminder to businesses to scrutinize security standards at their vendors, partners and providers. Every enterprise should expect attacks like this – perhaps especially a global consulting firm with links to so many other companies. It’s how you anticipate, plan for and recover from attacks that counts.”
Howard Ting, CEO of data detection and response platform maker Cyberhaven, told eSecurity Planet that with data proliferating across the supply chain, technology stack and partner ecosystem, it’s increasingly important for organizations to demand vendors and suppliers implement effective data security controls.
“Just think about the orders-of-magnitude increase in insider threat risk that comes with the adoption of SaaS [software-as-a-service] and cloud services,” Ting said. “DPAs [data processing agreements] do more to mitigate legal and compliance risk than actual data risk today. Organizations need to be asking their vendors and service providers the hard and specific questions concerning how their data is protected.”