July 30 Ransomware Attack On Consulting Group Accenture, Confirmed

by | August 14, 2021 | Cybersecurity News

Global consulting group Accenture reportedly confirmed on August 13 that cybercriminals stole client data and work materials in a ransomware attack that hit the company on July 30.

CyberScoop quoted Accenture’s internal memo: “While the perpetrators were able to acquire certain documents that reference a small number of clients and certain work materials we had prepared for clients, none of the information is of a highly sensitive nature.” The memo minimizes the actual impact of the recent ransomware attack.

LockBit ransomware-as-a-service (RaaS) published the name and logo of Accenture, one of its most recent victims, earlier this week.

Accenture works with a wide array of clients: 91 of the Fortune Global 100 and over three-quarters of the Fortune Global 500. Heavy names are on that list, including giants such as Alibaba, Cisco, and Google. Accenture is one of the largest tech consultancy firms worldwide, with more than 550,000 employees in 50 countries.

LockBit put up for sale Accenture databases on its Dark Web site, not missing the opportunity to add an acid comment on Accenture’s weak security.

“These people are beyond privacy and security. I really hope that their services are better than what I saw as an insider. If you are interested in buying some databases, reach us.”

LockBit post
Threat actors launched a ransomware attack on Accenture and stole client and work-related data.
LockBit dark-web site screen capture. Source: Cybereason.

When the ransom payment clock’s countdown reached the end, a data leak site showed a folder that contained PDF files allegedly stolen from Accenture, according to Security Affairs. The attackers announced that they were preparing to leak the documents stolen from the company at 17:30:00 GMT.

LockBit countdown clock. Source: Cyble.

Backups Saved The Day After The Ransomware Attack

“Through our security controls and protocols, we identified irregular activity in one of our environments. We immediately contained the matter and isolated the affected servers,” Accenture stated. “We fully restored our affected systems from backup, and there was no impact on Accenture’s operations, or on our clients’ systems.”

The LockBit cybercriminals group is similar to DarkSide and REvil: LockBit uses an affiliate program to rent out its ransomware platform, demanding a share of any resulting ransom payments.

The wallpaper displayed on compromised systems now includes text inviting insiders to help compromise systems – promising payouts of millions of dollars,” Tony Bradley, Cybereason, wrote.

Was The Ransomware Attack An Inside Job?

Cyble indicated in a Tweet that this might be an inside job. “We know #LockBit #threatactor has been hiring corporate employees to gain access to their targets’ networks,” the firm tweeted.

Cyble also reported that LockBit demanded $50 million in ransom. The attackers claimed themselves that the ransomware attack was an insider job  “by someone who is still employed there.”

Vulnerabilities Exploited?

Ron Bradley, vice president of third-party risk-management firm Shared Assessments, stated that the recent Accenture data leak incident is “a prime example of the difference between business resiliency and business continuity. Business resiliency is like being in a boxing match, you take a body blow but can continue the fight. Business continuity comes into play when operations have ceased or severely impaired and you have to make major efforts to recover.

“This particular example with Accenture is interesting in the fact that it was a known/published vulnerability,” Bradley continued. “It highlights the importance of making sure systems are properly patched in a timely manner. The ability for Accenture to manage the repercussions of potentially stolen data will be an important lesson for many organizations going forward.”

Cybersecurity firm Vectra CEO Hitesh Sheth warned that all companies should expect such attacks at any time.

“First reports suggest Accenture had data backup protocols in place and moved quickly to isolate affected servers,” he told Threatpost on Wednesday. “It’s too soon for an outside observer to assess damage. However, this is yet another reminder to businesses to scrutinize security standards at their vendors, partners, and providers. Every enterprise should expect attacks like this – perhaps especially a global consulting firm with links to so many other companies. It’s how you anticipate, plan for and recover from attacks that counts.”

Ransomware’s no joke. Here, at ATTACK Simulator, we take it very seriously.

A painfully costly ransomware attack can happen at any time. Invest a small amount today to protect your business’s tomorrow and possibly spare a fortune. Get your quote for our comprehensive Security Awareness Training program here.


ThreatPost threatpost.com/accenture-lockbit-ransomware-attack/

The Hill thehill.com/consulting-group-accenture-hit-by-cyberattack

by Diana Panduru

Content writer for Attack Simulator. Passionate about all things writing and cybersecurity, and obsessed with driving. I sometimes indulge in pencil drawing, poetry, and cooking for fun.

There’s no reason to postpone training your employees

Get a quote based on your organization’s needs and start building a strong cyber security infrastructure today.