Accenture Issued Ransomware Warning After LockBit Attack

It’s ‘ironic’ that Accenture was highlighting the threat of ransomware while in the midst of an attack by a hacker group, a security expert told CRN.

Several days after reportedly discovering the LockBit ransomware breach of its systems, Accenture released a cybersecurity report that included ransomware as a focus—but did not mention the attack on the IT consultancy.

Accenture released its latest “global incident response analysis” on Aug. 4, which highlighted ransomware as one of the top current threats in cybersecurity.

According to a report from cybersecurity news site CyberScoop, Accenture had spotted the LockBit ransomware attack on its systems on July 30.


[Related: Ransomware Group Demanding $50M In Accenture Security Breach: Cyber Firm]

“It’s ironic, because they probably had a research group that put this paper together, and they probably didn’t even share it with the rest of their group. That’s my assumption,” said Richard Blech, CEO and founder of Irvine, Calif.-based encryption technology firm XSOC Corp., in an interview with CRN.

Overall, though, Blech said he is “shocked” that Accenture did not disclose the LockBit ransomware attack itself, but only confirmed the breach on Wednesday after a CNBC reporter tweeted about it.

“At least then they would’ve shown they wanted to be forthcoming and transparent,” Blech said.

In a statement Wednesday, Accenture said that it had “immediately contained the matter and isolated the affected servers” and that “there was no impact on Accenture’s operations, or on our clients’ systems.” The statement did not reference when Accenture had originally learned of the ransomware attack.

The publicly traded IT consultancy discovered the breach nearly two weeks before publicly confirming the ransomware attack, according to CyberScoop, which cited an internal Accenture memo.

The documents stolen by hackers referenced a “small number” of clients, but “none of the information is of a highly sensitive nature,” the internal Accenture memo said, according to CyberScoop’s report.

Accenture declined to comment on CyberScoop’s report. The company did not respond to questions from CRN about the release of its Aug. 4 security incident analysis in the wake of the reported LockBit ransomware attack.

Accenture’s Aug. 4 report listed ransomware as one of the top three trends in cyber threats during the first half of 2021. Ransomware remained the biggest category of malware observed during that period, Accenture said in an Aug. 4 blog post about the incident analysis report.

“Ransomware is likely to remain one of the top threats to businesses globally,” Accenture said in the post. “If anything, it has entered a new phase as threat actors adopt stronger pressure tactics and capitalize on opportunistic intrusion vectors.”

Accenture, which is No. 1 on CRN’s Solution Provider 500 for 2021, reports that its client base includes 91 companies in the Fortune Global 100, along with more than three-fourths of the companies in the Fortune Global 500.

The hacker group behind the Accenture attack—which is known as LockBit 2.0, according to CyberScoop and other media outlets—reportedly used LockBit ransomware to target Accenture’s systems. The group has demanded $50 million from Accenture in exchange for 6 TB of data, according to Cyble, a dark web and cybercrime monitoring firm. Accenture has not confirmed the ransom demand.

LockBit encrypts files using AES encryption and prevents users from accessing infected systems until a ransom payment is made, according to New Zealand-based cybersecurity company Emsisoft. The LockBit ransomware uses processes that are largely automated, making it “one of the most efficient ransomware variants on the market,” Emsisoft wrote in a blog post.

In its statement Wednesday, Accenture said that “through our security controls and protocols, we identified irregular activity in one of our environments.” After containing the incident and isolating impacted servers, “we fully restored our affected servers from back up,” Accenture said.

VX-Underground, which claims to have the Internet’s largest collection of malware source code, tweeted that the LockBit ransomware group released 2,384 files for a brief time on Wednesday.

Blech said he fully expects that more will still come out about the scope and severity of the ransomware attack on Accenture.

“More details will be forthcoming over the coming weeks and months, and it’s almost certainly going to be worse than is stated now,” he said. “With what they handle and who they deal with [at Accenture], I think it’s going to be quite serious. It’s just too much information. This was a big compromise. They can minimize it all they want, but that’s an awful lot of files.”

CRN has reached out to Accenture for comment.

The attack on Accenture is the latest in a series of high-profile ransomware attacks, including the massive breach of IT management software firm Kaseya in July by ransomware operator REvil.

Michael Goldstein, CEO of LAN Infotech, a Fort Lauderdale, Fla., solution provider that was affected by the Kaseya attack, said he hopes that Accenture will provide a fuller explanation of what happened in the attack once all the facts are gathered.

“Obviously everyone wants to learn from this, so we can better protect [customers’] infrastructure,” Goldstein said. “When they have a handle on what potentially happened, we all should know.”

Goldstein said he doesn’t fault Accenture for not disclosing the attack right away, saying that he understands that it takes time to gather all the information.

“I’d rather have the full story than just have a piece of it,” he said.

More than one-third of all organizations globally have experienced a ransomware incident over the past 12 months, according to research firm IDC, which disclosed the findings from a new survey on ransomware attacks on Thursday.

In the July attack on Kaseya, REvil demanded $70 million to decrypt victim files. Kaseya later said it obtained a decryptor for the ransomware, but did not pay the ransom.

In June, the Darkside ransomware gang broke into the Colonial Pipeline systems through an inactive account that didn’t use multifactor authentication, according to a consultant who investigated the attack. The ransomware attack prompted Colonial to shut down its 5,500-mile natural gas pipeline for five days, resulting in more than 10,000 gas stations across the Southeastern United States being out of fuel.