Accenture Knew About Ransomware Attack In Late July: Report
The solution provider giant reportedly said in a memo that it noticed the LockBit attack on July 30—but while some client material was stolen, none was considered highly sensitive.
Accenture spotted the LockBit ransomware attack on its systems as far back as July 30 and found that hackers had stolen documents referencing clients, as well as work materials created on clients’ behalf, according to a report from cybersecurity news site CyberScoop.
The publicly traded IT consultancy, which is No. 1 on CRN’s Solution Provider 500 for 2021, initially confirmed the ransomware attack on Wednesday after CNBC reporter Eamon Javers tweeted about the incident.
[Related: Ransomware Group Demanding $50M In Accenture Security Breach: Cyber Firm]
In a statement Wednesday, Accenture said that it had “immediately contained the matter and isolated the affected servers” and that “there was no impact on Accenture’s operations, or on our clients’ systems.” The statement did not reference when Accenture had originally learned of the ransomware attack.
CyberScoop cited an internal memo in reporting that Accenture had discovered the breach in late July, nearly two weeks before the solution provider giant publicly confirmed the ransomware attack.
The documents stolen by hackers referenced a “small number” of clients, but “none of the information is of a highly sensitive nature,” the internal Accenture memo said, according to CyberScoop’s report.
Accenture did not immediately respond to a request for comment on the CyberScoop report Thursday.
On its website, Accenture reports that its client base covers “the full range of industries around the world” and includes 91 companies in the the Fortune Global 100, along with more than three-fourths of the companies in the Fortune Global 500.
The hacker group behind the Accenture attack—which is known as LockBit 2.0, according to CyberScoop and other media outlets—reportedly used LockBit ransomware to target Accenture’s systems. The group has demanded $50 million from Accenture in exchange for 6 TB of data, according to Cyble, a dark web and cybercrime monitoring firm. Accenture has not confirmed the ransom demand.
LockBit encrypts files using AES encryption and prevents users from accessing infected systems until a ransom payment is made, according to New Zealand-based cybersecurity company Emsisoft. The LockBit ransomware uses processes that are largely automated, making it “one of the most efficient ransomware variants on the market,” Emsisoft wrote in a blog post.
In its statement Wednesday, Accenture said that “through our security controls and protocols, we identified irregular activity in one of our environments.” After containing the incident and isolating impacted servers, “we fully restored our affected servers from back up,” Accenture said.
VX-Underground, which claims to have the Internet’s largest collection of malware source code, on Wednesday tweeted a timer supposedly from the hacker group showing the amount of time before the attack on Accenture’s data would start. The time on the timer eventually passed.
VX-Underground tweeted that the LockBit ransomware group released 2,384 files for a brief time, but those files were inaccessible because of TOR domain outages probably due to the high traffic. The organization said there was more to come as the LockBit attack clock was restarted with a new time, but that time has now passed as well.
Ultimately, IT service providers need to ensure that their own systems are secure in order to remain credible in recommending security measures for their own customers, said Douglas Grosfield, founder and CEO of Kitchener, Ontario-based Five Nines IT Solutions, in an interview with CRN.
“If you’re not well protected, then you’re not well positioned to be able to protect others,” he said.
More than one third of all organizations globally have experienced a ransomware incident over the past 12 months, according to research firm IDC, which disclosed the findings from a new survey on ransomware attacks on Thursday.
In a July attack on IT management software firm Kaseya, ransomware operator REvil demanded $70 million demand to decrypt victim files. Kaseya later said it obtained a decryptor for the ransomware, but did not pay the ransom.