Lockbit ransomware attack didn't affect ops, claims Accenture amid lurid payoff rumours
No word on whether gang got their mitts on data, though
Outsourcing and accounting firm Accenture has been struck by Lockbit ransomware.
The ransom note, posted on the dark web and seen by The Register, said: "These people are beyond privacy and security… if you're interested in buying some databases reach us."
In a statement, the company confirmed the attack but failed to answer any of The Reg's questions about what had been affected, what (if any) data had been accessed, or how much was demanded in ransom.
"Through our security controls and protocols, we identified irregular activity in one of our environments. We immediately contained the matter and isolated the affected servers. We fully restored our affected systems from back-up. There was no impact on Accenture's operations, or on our clients' systems."
Rumours on Twitter are being repeated by news outlets claiming a $50m ransom equivalent in cryptocurrency had been demanded by Lockbit's operators, though there was no hard confirmation of this at the time of publication. Counter-ransomware firm Emsisoft reckoned in July that the average ransom demanded by the Lockbit gang was "typically high five figures."
"LockBit operates under the ransomware-as-a-service (RaaS) business model, whereby ransomware developers lease their ransomware to affiliates who receive a portion of ransom payments received from the attacks they carry out," said the firm's analysis.
Industry talk of vast payoffs always circulates after a ransomware attack, especially when companies aren't forthcoming with public communication. Such rumours are great for the criminals operating the ransomware – and tend to provoke intense scrutiny of corporate financials and spending in the months afterwards.
Lockbit was the same crew behind the April 2021 compromise of UK train operator Merseyrail, causing a minor kerfuffle at the time; trains continued to run despite the attack. They bragged to the press they had gained access to a company director's Office365 account before moving sideways through its network.
The gang appears to have spun out of the Maze ransomware cartel and avoids targeting organisations based in ex-Soviet countries.
Accenture bought its way into the security market relatively recently, snapping up Symantec's Cyber Security Services (CSS) operation last year. It's also bought up a bunch of smaller security firms, as we reported at the time.
In its most recent financial report, for Q3 of 2021, the org reported revenues of $13.26bn, up from $10.99bn for the third quarter of fiscal 2020.
Having infosec knowhow on hand doubtless aided detection and recovery from the ransomware attack, though a company publicly claiming that a ransomware attack has had zero effect rarely reflects reality for those whose devices and departments caught the initial wave. ®