Accenture Faces $50 Million Ransom Demand

Global consulting firm Accenture is the latest victim of a ransomware attack by ransomware group LockBit, the price tag of which is $50 mn. As one of the world's largest consulting firms, $50 mn is probably less concerning than the potential reputational damage, especially since the company advises clients on their cybersecurity strategies and practices. Did Accenture pay the ransom? Not within the first window and likely not after the second either.

The Facts

On Thursday, August 12, news of Accenture's ransomware attack started to surface. However, the company had apparently known about the breach since July 30. Details of the attack are still unknown. 

Accenture stated that the affected systems had been recovered from a backup. A spokesperson in a statement provided to CNN implied that the attack was discovered through monitoring and that it had no impact on the company's operations or its clients' systems. Cybel, a dark web and cyber crime monitoring firm tweeted that the $50 mn ransom was for 6 TB of stolen data which was stolen with the help of a company insider. In fact, LockBit 2.0 is actively recruiting insiders and promising to pay them millions.

Meanwhile, some of the data was exposed for a limited time after the first payment deadline of four hours passed. However, Tor was down at the time. LockBit then set another deadline that has also passed.

LockBit 2.0 is the latest version of the ransomware. Felipe Duarte, a security researcher at Appgate said that the new version is capable of encrypting entire Windows domains through group policies. Then it spreads to devices connected to the network and disables antivirus software and execute ransomware. It also sets the wallpaper to a ransom note which is an ad attempting to recruit insiders willing to aid and abet a LockBit ransomware attack for a promise of millions. 

Crime intelligence firm Hudson Rock said that 2,500 employee and partner computers were affected. 

Lessons Learned

Insiders are a very real threat. Of the total breaches that occur, estimates run as high as 60% of all breaches. 

Then there is the supply chain aspect since some of Accenture partners' computers were compromised in the attack. While the number of partners and their identities are unknown, that fact may give some customers and partners pause. However, no organization is safe from a well-funded, carefully planned and implemented attack, especially when the hackers are waiving millions of dollars in the faces of potential insider partners.

A question is whether Accenture paid the ransom or not. The company has likely been advising clients, like law enforcement, not to pay ransoms because it only funds more cybercrime. Accenture did not respond to the first demand window of four hours. Regardless, whatever advice the company is giving should be the advice it takes or it will have an ever bigger potential PR problem.

New IDC research shows that one third of all organizations have been hit by a ransomware attack.

Quick Tips

• Monitor the network, applications and users for unusual behavior.
• Make sure employees know that they are being monitored and provide them with notice of what the consequences of criminal behavior might include.
• Have endpoint protection in place.
• Encrypt data at rest and in motion.
• Backup data.
• Have access controls in place.
• Use CASB.
• Use SASE.
• User MFA.
• Make sure accounts that should be deactivated have been deactivated.
• Have an anonymous method of reporting suspicious behavior available and/or provide the name of a security member to contact.
• Work with other organizational leaders to establish a cyber aware culture.