Accenture Now the Fourth Ransomware Victim to Be Demanded $50M or More in 2021

essidsolutions

It seems no one is immune to ransomware, not even those who advise the world on technology. The company confirmed it was victimized by LockBit 2.0 ransomware but says it suffered minimal damage. Reports from a couple of cyber intelligence companies suggest otherwise, including the possibility that the incident was an insider job.

IT services heavyweight Accenture was hit by a ransomware attack this week, although the company denies any wide-ranging impact on operations. Carried out by the LockBit 2.0 ransomware gang, the incident has put the company on the defensive, with the online community questioning Accenture’s statement rather than accepting it as an adequate response.

Perpetrators of the attack announced their misdeed in a post on their leak site, after which the Dublin, Ireland-based company downplayed the incident. “Through our security controls and protocols, we identified irregular activity in one of our environments. We immediately contained the matter and isolated the affected servers. We fully restored our affected systems from backup. There was no impact on Accenture’s operations, or on our clients’ systems,” Accenture told BleepingComputer.

Cyber risk intelligence company Cyble estimated the total size of the files stolen from Accenture at 6 TB. The demand to recover them and prevent their leakage stands at $50 million.

The threat actors have alleged to have gained databases of over 6TB and are demanding $50M as a ransom. They also alleged that it’s an insider job, by someone who is still employed there (unlikely though).

— Cyble (@AuCyble) August 11, 2021

Hudson Rock, another cyber intelligence provider, noted after looking at the prohibited data that 3,795 machines and just over 2,500 employees were compromised in the incident.

Part of the reason Accenture is on the back foot probably has something to do with the fact that the attack may have been carried out by an insider. The threat actor(s), supposedly an Accenture insider, posted on Twitter, “These people are beyond privacy and security. I really hope that their services are better than what I saw as an insider. If you’re interested in buying some databases, reach us.”

[Image: screenshot of the LockBit 2.0 leak site post with countdown timer] Source: Twitter

The timer you see in the image above already went off yesterday (Wednesday) afternoon. CNBC analysts said the group had published some files, including PowerPoints, case studies and quotes, but postponed the leak of all files by 24 hours, meaning it is slated to go off today at 20:43 (8:43 PM) UTC.

Alexander Applegate, principal threat researcher at ZeroFox, told Toolbox, “The process of leaking data has been novel in the case of Accenture. ZeroFox has observed discrepancies in what time appears on the countdown timer based on how one navigates to the dark web leak site. Additionally, August 13 is now the third day on which LockBit appears to be re-releasing the data after glitchy attempts the first two times, such as files only being available to download one at a time on the leak site post and considerable network traffic affecting site visitors trying to view the dumped files. On August 11, the files dropped at about 1:30 PM EDT and yesterday and today the same files are scheduled to drop at 4:43 PM EDT.”

See Also: Is REvil’s Latest Exploit Against Kaseya One of the Biggest Ransomware Attacks Ever?

LockBit 2.0 Ransomware Gang

LockBit originally appeared in 2019. Back then it was known as the ‘.abcd virus’ because of the file extension it appended to encrypted files. According to Kaspersky, it is malicious software designed to block user access to computer systems in exchange for a ransom payment, just like other ransomware strains. LockBit primarily targets enterprises and governments and aims for a quick payday.

LockBit is available as ransomware-as-a-service (RaaS). The cybercriminal group is responsible for leaking data of at least eight victim organizations globally in 2020. Attacks using LockBit are targeted, can employ tools like Windows PowerShell and Server Message Block (SMB), and can also be self-spreading within an organization. LockBit operators have advertised the strain’s RaaS services on Russian-language cybercrime forums since January 2020.

More recently, the LockBit ransomware strain has evolved into LockBit 2.0. The most notable upgrade is the ability to steal data before encrypting or ‘locking’ it. In June 2021, LockBit 2.0 services, built with an information-stealing function known as ‘StealBit,’ were advertised, according to the Australian Cyber Security Centre (ACSC).

This amounts to the ability to carry out double extortion against its targets. Double extortion is essentially the ability to hold additional leverage (stolen data) over the victims: even if the victims manage to restore their systems, the ransomware operators can threaten to publicly leak the stolen data.

LockBit is a bit late to the party though, since others such as DoppelPaymer, DarkSide and REvil have already been carrying out double extortion ransomware attacks for almost a year now.

Earlier in August, ACSC apprised citizens and organizations of “numerous incidents involving LockBit and its successor ‘LockBit 2.0’ in Australia since 2020.” ACSC noted a sharp increase in reports of LockBit 2.0 compared to other strains after July 2021.

Accenture Ransomware Attack an Inside Job?

Well, no one knows. Not yet anyway, except maybe Accenture itself. However, the company has kept mum and hasn’t provided much information regarding the incident.

With what’s known so far, the online discourse is certainly not going in Accenture’s favor. BleepingComputer reported on August 4 that LockBit 2.0 has been actively recruiting corporate insiders to gain access to networks and data. To infiltrate corporate networks, LockBit 2.0 is looking for any of the following:

  • Remote Desktop Protocol (RDP)
  • Virtual Private Network (VPN)
  • Corporate email credentials

Since the June launch of LockBit 2.0, the ransomware gang also updated its Windows wallpaper:

[Image: LockBit 2.0 recruitment wallpaper] LockBit 2.0 Ad | Source: BleepingComputer

The text reads:

“Would you like to earn millions of dollars?

Our company acquire access to networks of various companies, as well as insider information that can help you steal the most valuable data of any company.

You can provide us accounting data for the access to any company, for example, login and password to RDP, VPN, corporate email, etc. Open our letter at your email. Launch the provided virus on any computer in your company.

Companies pay us the foreclosure for the decryption of files and prevention of data leak.

You can communicate with us through the Tox messenger

https://tox.chat/download.html

Using Tox messenger, we will never know your real name, it means your privacy is guaranteed.

If you want to contact us, use ToxID: xxxx”

“On August 11, 2021, ZeroFox observed an update to the LockBit 2.0 ransomware leak site targeting the organization Accenture. The post implies that an insider may have been involved in helping to carry out the ransomware attack,” Applegate added.

The last time a big tech company was targeted through an insider was Tesla, when its Nevada Gigafactory was targeted by a Russian hacker.

However, there’s a reasonable degree of doubt as to whether an insider really could have been helping the LockBit 2.0 operators. Considering that crackers, phishers and cybercriminals in general have a poor command of the English language, it could just be a case of poor communication. The operators could have meant that they expected Accenture’s security to be much more robust than what they saw as insiders, i.e., after infiltrating the network.

Accenture is, after all, one of the major IT services, consulting, cloud and operations technology providers, employing ~569,000 people across more than 120 countries and generating more than $44 billion annually.

Dmitry Smilyanets, cyber threat intelligence expert at Recorded Future, doesn’t think an insider was involved. He tweeted, “every hacker is an ‘insider’. I don’t see anything that indicates that #LockBit used an insider to get into the network,” to which Kevin Beaumont, former Microsoft threat intelligence analyst and currently head of the security operations center at Arcadia Group, replied, “Indeedy.”

See Also: 14 Insights on How To Prevent a Ransomware Attack and Avoid Being the Next Headline

Will Accenture Shell Out the Ransom?

Once again, it is hard to answer this question given that Accenture is currently in denial. The FBI obviously won’t recommend forking out the ransom, since it is questionable whether payouts actually result in successful recovery of the data. More importantly, even if they do, there is no guarantee that the cybercriminals have actually deleted the stolen data.

Additionally, Cybereason found that 80% of the companies that gave in to ransom demands were attacked again.

Andrew (Drew) Rabie, SVP, head of IT & security at HUMAN Security, Inc., told Toolbox, “To dissuade evolving attacks, ransomware payments should never be paid. Businesses pay to recover their data, but don’t realize that by acquiescing, they keep incentivizing criminal behavior. Criminals’ enterprises adapt fast and follow where it makes financial sense; if they keep receiving payments, they will only spur other criminal actors to follow suit.”

“Not only will this reduce the risk dramatically, but it encourages a better customer understanding of what a company does with the data it does collect. Alongside this, businesses should invest in robust backup solutions instead of anti-ransomware solutions,” he adds.

Even this may not always be enough. So what exactly needs to be done to avoid falling victim to a ransomware attack? Applegate said, “In light of the ongoing threat of ransomware and other severe types of cyber threats, organizations can continue to take steps ‘before the breach’ to minimize the risk of becoming a victim of a cyber-attack. For instance, organizations can continuously monitor the digital footprint for impersonations, phishing attacks, account takeovers. This approach allows them to quickly remove offending content before damage occurs and disrupt attack infrastructure in coordination with back-end host, network, content, registrars, etc., other providers.”

Applegate also reiterated Rabie’s point. He adds, “We also recommend monitoring dark web channels for brand mentions, ransomware attack plans, or phishing kits targeting their organization and key suppliers. It is also vital they maintain regularly scheduled backup routines, including off-site storage and integrity checks.”

Closing Thoughts

Ransomware is a tough nut to crack, which is why the only possible solution is deterrence. But going by the Ransomware Threat Report from Unit 42, the threat intelligence arm of Palo Alto Networks, cracking or even stopping ransomware is becoming increasingly difficult. The company assessed that the average ransomware payment surged by 82% to $570,000 in H1 2021 compared to 2020.

Sure, this is significantly lower than the astounding 171% rise last year, but it still went up by over 80%. The first half of 2021 was also interesting because three of the highest ever ransom demands came in this period.

Company            Ransomware Attacker   Ransom Demand   Month of Incident (2021)
Kaseya             REvil                 $70 million     July
Acer               REvil                 $50 million     March
Quanta/Apple       REvil                 $50 million     April
CNA Financial      Phoenix Locker        $40 million     May
Colonial Pipeline  DarkSide              $4.4 million    May
JBS Foods          REvil                 $11 million     May

Also, ransomware gangs are usually after money, which is why these attacks are a tad odd. All of the attacks are on companies based in the United States, barring Quanta (Taiwan), yet even there an American company, Apple, ended up being targeted. Moreover, the attacks on all of these companies profoundly disrupted normal operations. Could it be that ransomware gangs are choosing targets to cause the maximum havoc?
