The hacking group behind a ransomware attack on global solution provider powerhouse Accenture has demanded $50 million in ransom, as per the cybersecurity firm that saw the demand.
According to a tweet from Cyble, a dark web and cybercrime monitoring company, the threat actor is seeking $50 million in return for more than 6 TB of data.
On Thursday, Accenture responded it had no additional information to add to its statement, pointing CRN to a statement issued on Wednesday that claimed it had "contained the matter and isolated the affected servers" and that "there was no impact on Accenture's operations, or on our clients' systems."
The hacking group apparently used LockBit ransomware to target Accenture, which is ranked No. 1 on CRN's Solution Provider 500 for 2021, in the attack revealed on Wednesday.
As per Emsisoft, a cybersecurity firm located in New Zealand, LockBit is a ransomware strain that stops users from accessing infected devices until a ransom payment is completed.
The incident arises after a ransomware assault on Kaseya in July, which involved a $70 million ransom demand to decrypt victim files. Kaseya later stated that it had acquired a decryptor for the REvil ransomware, but it had not paid the ransom.
“At the end of the day, paying the ransom is never a good idea,” stated Douglas Grosfield, founder and CEO of Kitchener, Ontario-based Five Nines IT Solutions, in an interview with CRN.
“The majority of folks that do end up paying the ransom don’t necessarily get all of their data back. And what you do get back, you can’t trust. There could be a payload there—a ticking time bomb—that will make it easier for the perpetrators to get in again.”
He stated that ransomware groups targeting IT service companies such as Accenture is unsurprising. “The only surprise is that it took the bad guys this long to figure out that service providers are a pretty juicy target,” he added.
According to Grosfield, the Accenture incident serves as a reminder of the proverb, "physician, heal thyself," which states that IT service providers must verify their own systems are safe to propose security solutions to their own clients.
Accenture claims to have contained the assault, however, this is a questionable assertion. The firm confirmed the ransomware assault in an emailed response to a request for information from CRN but stated it had no impact on the organization.
“Through our security controls and protocols, we identified irregular activity in one of our environments. We immediately contained the matter and isolated the affected servers. We fully restored our affected servers from back up. There was no impact on Accenture’s operations, or on our clients’ systems,” Accenture wrote.
However, a CNBC reporter spoke on Wednesday that the hackers behind the Accenture attack uploaded over 2,000 files to the dark web, including PowerPoint presentations and case studies.
On Wednesday, VX Underground, which claims to possess the Internet's largest collection of malware source code, tweeted a timer allegedly from the hacking group, indicating how the time until the attack on Accenture's data would begin. The timer's timer ultimately ran out.
The LockBit ransomware gang published 2,384 files for a short period, according to VX-Underground, however, those files were unavailable due to Tor domain issues, most likely due to excessive traffic.
The LockBit attack clock was restarted with a new date of Aug. 12, 2021, 20:43 UTC, or 4:43 p.m. ET Thursday, according to the group.
The Accenture incident, according to Ron Bradley, vice president of third-party risk management firm Shared Assessments, is "a perfect example of the distinction between business resiliency and business continuity," he told Threatpost on Wednesday.
“This particular example with Accenture is interesting in the fact that it was a known/published vulnerability,” Bradley continued. “It highlights the importance of making sure systems are properly patched in a timely manner. The ability for Accenture to manage the repercussions of potentially stolen data will be an important lesson for many organizations going forward.”
According to Hitesh Sheth, president, and CEO of cybersecurity firm Vectra, all organizations should expect such assaults, but especially a global consultancy firm with many links.
“First reports suggest Accenture had data backup protocols in place and moved quickly to isolate affected servers,” he informed Threatpost on Wednesday. “It’s too soon for an outside observer to assess the damage. However, this is yet another reminder to businesses to scrutinize security standards at their vendors, partners, and providers. Every enterprise should expect attacks like this – perhaps especially a global consulting firm with links to so many other companies. It’s how you anticipate, plan for and recover from attacks that counts.”
LockBit encrypts files with AES encryption and generally asks a high-five-figure ransom to decrypt the data. LockBit's procedures are mostly automated, allowing it to operate with little human monitoring once a victim has been hacked, according to Emsisoft. It may be used as the foundation for a ransomware-as-a-service business model, in which ransomware authors can utilize it in exchange for a share of the ransom payments.