EXECUTIVE SUMMARY:

Global consulting firm Accenture has experienced a ransomware attack. The LockBit ransomware gang reports theft of 6 terabytes worth of Accenture’s data. LockBit requested a $50 million ransomware payment, without which volumes of private data may be publicly released.

“Through our security controls and protocols, we identified irregular activity in one of our environments,” stated Accenture spokesperson Stacey Jones.

The incident closely follows the major attack on IT firm Kaseya, by the REvil ransomware operator. Payment demands appeared similar in nature. REvil demanded $70 million for file decryption.

Accenture data breach: An inside job?

Precisely how hackers infiltrated Accenture’s network remains to be determined. However, preliminary evidence suggests that it could be an inside job. The LockBit website hosted the message “these people are beyond privacy and security. I really hope that their services are better than what I saw as an insider. If you’re interested in buying some databases, reach us.”

A voluntary inside job might seem like a stretch. A paid one, perhaps less so. In 2020, an individual living in the US was arrested after offering a Tesla employee $1 million in exchange for deploying ransomware on the company’s internal network.

LockBit and Ransomware-as-a-Service

Experts first discovered the LockBit group in September of 2018. LockBit provides Ransomware-as-a-Service. In other words, they offer software that individual hackers can purchase and independently deploy.

LockBit’s ransomware is commonly a double-tap variant, which means that files will both be encrypted and payment will be demanded in exchange for refraining from release of the stolen data.

More specifically, after infecting a domain controller, the malware implements new group policies. Afterwards, it pushes them to every device within a network. The policies prevent antivirus protections from functioning and they execute ransomware.

Further, LockBit appears to have cloned a feature from Egregor ransomware. The feature distributes a command to connected printers, telling them to repeatedly churn out copies of the ransom note.

How Accenture succeeded amidst a challenge

Accenture has reportedly fully restored systems from backup, according to Reuters. The ransomware attack does not appear to have effected Accenture’s operations or client systems. As many as 2,500 computers belonging to employees and partners may have been affected amidst the attack.

As of this writing, the responsible ransomware group could still leak private data if ransom demands are not met. While the full situation cannot easily be assessed by outside observers at this time, every enterprise should recognize the need to augment cyber security protocols to prevent, detect and mitigate ransomware threats.

In summary:

Ransomware attackers remain indiscriminate regarding their targets, as long as they appear profitable. Large firms with strategic cyber security architectures and infrastructure are not immune. Anticipating and planning for a ransomware attack is critical. Amidst a wave of attacks affecting major enterprises across the world and across the US, government officials have declared ransomware a national security threat.

Experts suggest that a ransomware attack may occur as often as every 11 seconds in 2021. US government agencies report that an average of 4,000 ransomware attacks have occurred per day across the past five years. Ransomware attacks have increased by more than 150% by volume, year-over-year, according to one report.

Hospitals, transport groups, the education sector and other verticals have recently experienced ransomware attacks. Hackers commonly perceive their targets as vulnerable and suspect that they will pay to prevent public sharing of internal data.

Check back for updates or sign up for our newsletter to learn more about this story as it continues to unfold.