Accenture falls victim to ransomware

Accenture, one of the world’s largest consultancies, confirmed last Wednesday (11/08) it had been the victim of a ransomware attack. The confirmation came to light after the LockBit group began releasing files allegedly stolen from the company. A counter displayed on the gang’s website said the documents would become public within hours if Accenture did not pay the ransom. Accenture recently posted revenue of $44.3 billion and has 569,000 employees operating in 50 countries.

In a public statement, Accenture said that it identified irregular activity in its environments through security controls and protocols and immediately contained the situation by isolating the affected servers. It also said it had fully recovered the affected systems from backup and that there was no impact on its operations or client systems. Although Accenture has not detailed the incident, everything leads to believe that it is a ransomware attack.

When the counter displayed on the LockBit website came to an end, hackers released more than 2,000 files allegedly stolen from Accenture. The company has not commented on the leaked documents, but people who have reviewed them have said they do not appear to store client information, according to SecurityWeek. However, cybersecurity firm Cybele reports that the group claims to have obtained more than 6 TB of files and demanded a $50 million ransom from Accenture.

Sources familiar with the attack told the BleepingComputer website that Accenture has confirmed the ransomware attack to at least one vendor and that an IT service provider is also notifying customers.

LockBit é um grupo de ransomware de origem russa que opera sob o modelo “ransomware as a service (RaaS)”, que tem contribuído para o crescimento desse tipo de ataque. Operando na Dark Web, o esquema RaaS cobra pelo uso de ransomware, que criptografa e rouba dados e pede resgate por eles. O autor do ransomware fatura cobrando uma taxa mensal pelo uso do software ou recebendo parte do lucro obtido com os ataques, correndo menos risco, enquanto os usuários do ransomware também ganham, sem que seja necessário ter muita perícia técnica.

The Accenture hack came just days after the Australian Cybersecurity Centre (ACSC) issued an alert involving several Australian organizations, across a range of industries, that had been attacked by LockBit 2.0 ransomware. In addition to data encryption, victims received threats of document leaks and ransom demands.

According to cybersecurity firm Appgate, Lockbit 2.0, the latest version of the ransomware of the same name, has more features, including one that encrypts entire Windows domains through group policies. It also has a new strategy to gain affiliates – after encrypting a device, the ransomware sets the wallpaper in which it takes responsibility for the attack, asks for a ransom, and makes a recruitment ad, promising millions of dollars to the employees of the company victim who gives access to the network in order to launch an attack.

The curious thing about Accenture’s case is that a week before the incident, the company had disclosed on its website that the volume of cyber intrusion activities jumped 125% in the first half of 2021 compared to the same period last year, according to the most recent update of Accenture’s own Cyber Investigations, Forensics & Response (CIFR) hub, which gathers information on cybersecurity incidents. According to Accenture, the triple-digit increase was primarily driven by remote network access and control, supply chain hacking as well as ransomware attacks, and extortion operations.

Certainly, in the next CIFT newsletter, Accenture will be part of these statistics.