Ransomware Group Demanding $50M In Accenture Security Breach: Cyber Firm

Accenture is not confirming the ransom demand. ‘At the end of the day, paying the ransom is never a good idea,’ one solution provider CEO told CRN.

The hacker group behind a ransomware attack on global solution provider giant Accenture has made a ransom demand for $50 million, according to a cybersecurity firm that reports seeing the demand.

The threat actor is demanding the $50 million in exchange for more than 6 TB of data, according to a tweet from Cyble, a dark web and cybercrime monitoring firm.

[Related: Accenture LockBit Ransomware Attack: 5 Things To Know]

On Thursday, Accenture said it did not have any updates to its statement—and referred CRN to a statement provided on Wednesday saying that it “contained the matter and isolated the affected servers” and that “there was no impact on Accenture’s operations, or on our clients’ systems.”

In the attack disclosed on Wednesday, the hacker group reportedly used LockBit ransomware to target Accenture, which is No. 1 on CRN’s Solution Provider 500 for 2021. LockBit, according to New Zealand-based cybersecurity company Emsisoft, is a strain of ransomware that prevents users from accessing infected systems until a ransom payment is made.

The incident follows the July attack on Kaseya by ransomware operator REvil, which included a $70 million demand to decrypt victim files. Kaseya later said it obtained a REvil ransomware decryptor, but did not pay the ransom.

If a ransom demand to Accenture has in fact been made, one solution provider executive said he hopes Accenture refuses to pay it.

“At the end of the day, paying the ransom is never a good idea,” said Douglas Grosfield, founder and CEO of Kitchener, Ontario-based Five Nines IT Solutions, in an interview with CRN. “The majority of folks that do end up paying the ransom don’t necessarily get all of their data back. And what you do get back, you can’t trust. There could be a payload there—a ticking time bomb—that will make it easier for the perpetrators to get in again.”

Ultimately, Grosfield said it’s “no surprise” to see ransomware groups going after IT service providers such as Accenture.

“The only surprise is that it took the bad guys this long to figure out that service providers are a pretty juicy target,” he said.

The Accenture incident is a reminder of the axiom “physician, heal thyself”—that IT service providers need to ensure that their own systems are secure in order to remain credible in recommending security measures for their own customers, Grosfield said.

“If you’re not well protected, then you’re not well positioned to be able to protect others,” he said.

In its statement Wednesday, Accenture said that “through our security controls and protocols, we identified irregular activity in one of our environments.” After containing the ransomware incident and isolating impacted servers, “we fully restored our affected servers from back up,” Accenture said.

VX Underground, which claims to have the Internet’s largest collection of malware source code, on Wednesday tweeted a timer supposedly from the hacker group showing the amount of time before the attack on Accenture’s data would start. The time on the timer eventually passed.

However, on Wednesday, a CNBC reporter said that the hackers behind the Accenture attack did end up publishing more than 2,000 files to the dark web, including PowerPoint presentations and case studies.

VX-Underground tweeted that the LockBit ransomware group released 2,384 files for a brief time, but those files were inaccessible because of Tor domain outages probably due to the high traffic. The organization said there is more to come as the LockBit attack clock was restarted with a new date of Aug. 12, 2021, 20:43 UTC, or 4:43 p.m. ET Thursday.

Accenture CEO Julie Sweet, talking with investors in June 2021 during the company’s fiscal third quarter call with analysts, said her company has a strong focus on security.

Accenture has seen double-digit growth which was driven by advisory, cyber defense and manage security services, Sweet said. With its recent acquisition of Novetta, which serves U.S. federal organizations, Accenture can scale and diversify across federal business, specifically in the national security sector, which Sweet said is experiencing substantial growth.

More than one third of all organizations globally have experienced a ransomware incident over the past 12 months, according to research firm IDC, which disclosed the findings from a new survey on ransomware attacks Thursday.