Accenture LockBit Ransomware Attack: 5 Things To Know

Accenture says it contained the LockBit ransomware attack, but cybersecurity industry observers say they are seeing some Accenture confidential data being released, with promises of more to come. CRN looks at what is known so far about the attack.


Accenture Hit By LockBit Ransomware Hack: Attack And Response

Accenture on Wednesday was hit by a LockBit ransomware attack and, despite saying it had contained the breach before the deadline for the release of its confidential information, saw the limited release of some of that information.

The incident comes on the heels of another high-profile attack targeting clients via the solution providers that they depend on for IT services. In that attack, hackers breached the VSA RMM (remote monitoring and management) technology of Miami-based Kaseya, giving them access to clients of several MSPs who depend on the Kaseya technology to run parts of their business.

While Accenture has assured customers that the attack was contained, several security industry observers say they are seeing confidential Accenture information being made public, with more expected to come.

Michael Goldstein, CEO of LAN Infotech, a Fort Lauderdale, Fla., solution provider that was affected by the recent Kaseya MSP ransomware attack, told CRN he was “stunned” to learn that Accenture was the latest victim of a ransomware attack.

“Accenture is a well-respected company that I am sure is spending an exorbitant amount of money on security,” he said. “But they have a lot of ground to cover. It’s very hard to protect a multi-national company like Accenture.”

Goldstein said the Accenture breach is yet another call to action for every company to review their security technology posture and procedures. “If a $45 billion company like Accenture is vulnerable then everyone is vulnerable,” he said.

Preparing for and responding to a cyberattack is difficult, as Accenture and so many other recent examples have shown. For a look at how the LockBit attack on Accenture happened, and at Accenture’s response and further fallout, click through the slideshow.

The Attack

The attack was first reported early Wednesday via a tweet from CNBC reporter Eamon Javers, who wrote that a hacker group on the dark web had posted, “These people are beyond privacy and security. I really hope that their services are better than what I saw as an insider. If you’re interested in buying some databases, reach us.”

The message was later amplified when VX Underground, which claims to have the Internet’s largest collection of malware source code, tweeted a timer, supposedly from the hacker, showing how much time remained before the attack on Accenture’s data would start. The time on the timer eventually passed.

The attack was a LockBit ransomware attack. LockBit, according to New Zealand-based cybersecurity company Emsisoft, is a strain of ransomware that prevents users from accessing infected systems until a ransom payment is made.

“It has been highly active since it emerged in September 2019 and has impacted thousands of organizations around the world. Many of LockBit’s attack functions are automated, making it one of the most efficient ransomware variants on the market,” Emsisoft wrote in a blog post.

The Response

Accenture claims to have contained the attack, but that claim is suspect.

Accenture, in an emailed response to a request for information from CRN, confirmed the ransomware attack, but said there was no impact on the company.

“Through our security controls and protocols, we identified irregular activity in one of our environments. We immediately contained the matter and isolated the affected servers. We fully restored our affected servers from back up. There was no impact on Accenture’s operations, or on our clients’ systems,” Accenture wrote.

However, CNBC’s Javers reported Wednesday afternoon that the hackers published over 2,000 files to the dark web, including PowerPoint presentations, case studies, quotes, and so on. The report cited cybersecurity firm Q6 Cyber as the source. CRN reached out to Q6 Cyber, but did not receive a response by press time.

VX Underground, meanwhile, tweeted that the LockBit ransomware group released 2,384 files for a brief time, but those files were inaccessible because of Tor domain outages, probably due to the high traffic. The organization said there is more to come, as the LockBit attack clock was restarted with a new date of Aug. 12, 2021, 20:43 UTC, or 4:43 ET Thursday.

What Is LockBit?

The attacker used LockBit to attack Accenture.

LockBit, according to New Zealand-based cybersecurity company and ransomware hunter Emsisoft, is a strain of ransomware that prevents users from accessing infected systems until a ransom payment is made.

“It has been highly active since it emerged in September 2019 and has impacted thousands of organizations around the world. Many of LockBit’s attack functions are automated, making it one of the most efficient ransomware variants on the market,” Emsisoft wrote in a blog post.

LockBit encrypts files using AES encryption, and typically demands a ransom in the high five figures to decrypt the data. LockBit’s processes are largely automated, and so work with minimal human oversight once a victim is compromised, Emsisoft wrote. It can be used as the basis for a ransomware-as-a-service business model, which lets ransomware developers offer it to others in return for a portion of the ransom payments received.

Security Top Of Mind

Accenture CEO Julie Sweet, talking with investors in June 2021 during the company’s fiscal third quarter 2021 financial conference call, said her company has a strong focus on security.

Accenture has seen double-digit growth, driven by advisory, cyber defense and managed security services, Sweet said. With its recent acquisition of Novetta, which serves U.S. federal organizations, Accenture can scale and diversify across federal business, specifically in the national security sector, which Sweet said is experiencing substantial growth.

“We’re going to make acquisitions to scale…to add new skills and opportunities,” she said. “We’ve built a lot of interactive through acquisitions [through] those renewed skills and capabilities [as well as] deepen industry and functional knowledge. This is a continuation of that. The advantage we have is our financial capacity to make investments and to increase our investment for the benefit of our clients and all of our stakeholders. When we see the right opportunities, we’re going to continue to have that discipline around making strategic acquisitions.”

Accenture Has Invested Heavily In Security

Accenture is a very acquisitive company, and in fact during the last 12 months acquired over 40 companies, mostly smaller service providers but also a few big ones. Among its acquisitions in the last couple of years are several security-focused companies, including:

* Novetta, a provider of data management and cybersecurity predominately to the U.S. government. Acquired by Accenture Federal Services in June 2021.

* Sentor, which offers advisory services, security testing and managed detection and incident response capabilities, all powered by a 24x7x365 Security Operations Center in Stockholm. Acquired in June 2021.

* Revolutionary Security, which offers assessment and testing services, the ability to design and build security programs and functions, as well as security operations across clients’ IT and OT systems. Acquired in April 2020.

* The Symantec Cyber Security Services Unit of Broadcom, which brought 300 employees and a managed services practice. Acquired January 2020.

* iDefense Security Intelligence Services, one of the world’s first threat intelligence firms, to gain faster and more complete knowledge of emerging security challenges. Acquired February, 2017.

* The federal services business of Endgame, a threat detection company. Acquired in February, 2017.

* Redcore, initially for its defense activities in the Australian Federal government but later expanding them worldwide. Acquired August 2016.

* Maglan, an Israel-based security firm, to help provide strategic consulting and managed delivery of cyber defense services. Acquired June 2016.

* Team8, an Israel-based cybersecurity company. Acquired a minority stake in February, 2016.

* Cimation, a specialist in secure industrial control systems and the Industrial Internet of Things. Acquired December 2015.

* FusionX, a provider of attack simulation, threat modeling and risk advisory services. Acquired August 2015.