On August 10, 2021, LockBit, an extremely powerful cybercriminal gang, posted on their website that the global consulting firm Accenture was hit with ransomware. Although Accenture confirmed a cybersecurity incident, they denied it was ransomware.
Many third-party security organizations, however, dispute their denial. The cybercrime intelligence firm Hudson Rock reported on Twitter that about 2,500 computers of Accenture employees and partners were compromised in the attack. Another research firm, Cyble, claimed to have seen a ransom demand of $50 million for approximately six terabytes of stolen data.
According to Accenture, the company executed a strong ransomware security response. “Through our security controls and protocols, we identified irregular activity in one of our environments,” said Stacey Jones, Accenture spokesperson. “We immediately contained the matter and isolated the affected servers … [and] fully restored our affected systems from back up. There was no impact on Accenture’s operations, or on our clients’ systems.”
Breaking Down the Accenture Ransomware Attack
In their official response, Accenture referenced their “security controls and protocols.” In technology terms, this means Accenture employs an anomaly detection system. Anomaly detection learns behaviors and analyzes the usage of IT systems. From this analysis, it builds a baseline and monitors for malicious behavior.
According to Jones, since Accenture “immediately contained the matter and isolated the affected servers,” they were able to stop the attack from spreading to other parts of the organization. Additionally, by backing up their systems to on-premises devices, off-site locations or in the cloud, Accenture recovered their systems to a point-in-time before the attack.
The extensive precautionary measures that Accenture had operating in place meant that they avoided excessive downtime and disruption of their business operations. Unfortunately, the reality is that it is virtually impossible to completely avoid disruption. Performing these remediation steps take time to execute, whether that time is minimal or substantial.
The Bottom Line
Accenture responded to the breach as well as could be expected. They stopped the attack and seemingly avoided paying a $50 million ransom. However, LockBit stole Accenture’s encrypted files. On their website, LockBit claims that these files will be published by the group on the dark web unless the company pays the ransom. Accenture admitted that despite their best efforts, the attack exposed many of their clients—some with annual revenues between $1 billion and $9.9 billion. In addition, there is no guarantee that the files will be destroyed.
Cybercriminal “bad actors” are using a much more costly and dangerous ransomware variation. By stealing encrypted data and files, not only those of the companies they attack but also of those companies’ clients, multiple subsequent organizations are susceptible to their own ransomware attacks throughout the entire supply chain.
This type of ransom attack is not new, but based on the size and scope of the Accenture attack, cyber bad actors are becoming more ruthless and relentless. Demanding ransom for stolen files can slash a company’s bottom line, ruin credibility with partners and clients, and worst of all, destroy their business and public reputations.
How Accenture ultimately responds may set a precedent for other organizations.
In the meantime, take advantage of our comprehensive checklist to help reduce the likelihood of a breach today, and make recovery quicker in the event of a data breach down the road.