Accenture Tied Up in $50M Ransom Lockbit 2.0 Attack

Global consulting firm Accenture has been the target of ransomware group Lockbit, with the gang reportedly taking encrypted data from the company.

Lockbit says it will publish the data if Accenture does not pay the ransom, according to screenshots of the ransomware group’s website. Infosecurity has asked Accenture for a comment on the ransomware attack.

In a statement provided to CNN, an Accenture spokesperson told the international outlet, “Through our security controls and protocols, we identified irregular activity in one of our environments. We immediately contained the matter and isolated the affected servers.”

This data breach comes after the Australian Cyber Security Centre (ACSC) alerted organizations in the country that cyber-criminals were frequently using Lockbit 2.0 ransomware. “The ACSC has received reporting from several Australian organizations that have been impacted by LockBit 2.0 ransomware,” explains the alert. “This activity has occurred across multiple industry sectors.

“Victims have received demands for ransom payments. In addition to data encryption, victims have received threats that data stolen during the incidents will be published.”

What is Lockbit 2.0?

Lockbit 2.0, the latest version of the ransomware, was rolled out earlier this month and implements lots of additional features.

“With the recent international efforts on fighting ransomware, those gangs are finding it difficult to advertise their malware in hacking forums,” explains Felipe Duarte, security researcher, Appgate. “A few posts from this new version of LockBit were spotted on a few forums frequented by cybercrime gangs, but they were quickly removed. This version is currently advertised on a new version of their website.

“Our team got access to LockBit’s deep-web site, where the ad is published along with data from victims that refused to pay the ransom,” continues Duarte. “Among the advertised capabilities is a new dangerous feature to encrypt entire Windows domains through group policies.

“After infecting a domain controller, the malware creates new group policies and pushes them to every device connected on the network. Those policies disable antivirus protections and execute the ransomware. Additionally, LockBit seems to have copied a feature from Egregor ransomware that, after a successful infection, sends to all connected printers a command to repeatedly print the ransom note.”

Appgate explains that the new version of Lockbit adds a new strategy to acquire affiliates. After encrypting a device, it sets the wallpaper to a ransom note that claims responsibility for the attack and points to a more detailed note in a .txt file.

“Now the set wallpaper also contains a recruitment ad, promising millions of dollars to employees that provide them access to the company systems so they can launch a ransomware attack,” the security researcher explains. “According to the ad, the access can be a valid credential or even executing a threat attached in an email.

“This strategy may seem unusual at first, but it’s somewhat common for companies to get breached by employees. For example, in 2020, a Russian citizen living in the U.S. was arrested after offering $1 million to a Tesla employee to deploy ransomware in Tesla’s internal network.”

What is Accenture’s response?

At the time of reporting, Accenture had not confirmed the details of the ransomware attack to Infosecurity. However, multiple news sources appear to show Accenture giving little weight to the attack, with the company saying that it has had “no impact” on the business.

According to ZDNet, the consultancy firm provided a statement that says, “There was no impact on Accenture’s operations or on our clients’ systems.”

However, the outlet also reports that cybercrime intelligence firm Hudson Rock says that 2,500 computers of employees and partners were compromised in the ransomware attack. Another firm, Cyble, claims to have seen a ransom demand of $50 million for six terabytes (TB) of stolen data.
