What Happened
Cybercriminals have breached Accenture in an apparent ransomware attack but the global consulting giant says the incident was immediately contained with no impact on it or its systems.
The LockBit ransomware gang announced the attack Tuesday night on its dark web leak site, setting a deadline of Thursday evening for payment.
Accenture said in a statement Wednesday that it had “identified irregular activity in one of our environments” and ”immediately contained the matter and isolated the affected servers.”
It did not specify when the incident occurred — or acknowledge that it was ransomware. But the description of its response was consistent with ransomware.
It said it had “fully restored our affected systems from back up. There was no impact on Accenture’s operations, or on our clients’ systems.”
The Dublin-based company would not say how many servers were affected or whether data was stolen and, if so, how much and what kind.
The Atlanta-based cybersecurity intelligence firm Cyble shared with The Associated Press chat images that it said were from Lockbit’s official communications channel. In them, the criminals claim they stole more than 6 terabytes of “top secret” data from Accenture, for which they said they were demanding $50 million.
Accenture would not comment on what data, if any, was exfiltrated by the criminals. LockBit is a Russian-speaking ransomware syndicate that does not target former Soviet countries. It is one of the most efficient ransomware variants around, according to the cybersecurity firm Emsisoft. Active since September 2019, it has attacked thousands of organizations. Among its known victims are Press Trust of India. Hit in October 2020, the the largest news agency in India was crippled for hours but survived the attack without paying ransom.
About the Attack – Newest Intelligence & Sophistication
LockBit uses a ransomware-as-a-service (RaaS) model.
Similar to DarkSide and REvil, LockBit offers its ransomware platform for other entities or individuals to use based on an affiliate model. Any ransom payments received from using LockBit are divided between the customer directing the attack and the LockBit gang.
Related to the LockerGoga and MegaCortex malware families, LockBit shares common tactics, techniques and procedures with these malicious attacks. In particular, it can propagate automatically to new targets.
More recent variants have adopted the double extortion model — locating and exfiltrating valuable data before encrypting systems. The stolen data provides additional incentive for victims to pay the ransom.
Summary
Fileless and invisible techniques are being used that cannot be detected by most systems. Proactive, forensic-based detection is required to detect and quickly remediate. In addition, network infrastructure with a focus on security to incorporate segmentation and a zero trust model makes it difficult, if not impossible for an attacker to circumnavigate defenses.
You cannot defend what you cannot see. We help make the intangible, tangible.
Contact us immediately to get the appropriate level of protections for your organization: https://go.oncehub.com/sniperwatch-intro
