Accenture was listed on the group's leak site next to a timer set to go off on Wednesday. The ransomware group added a note that said, "These people are beyond privacy and security. I really hope that their services are better than what I saw as an insider. If you're interested in buying some databases, reach us."
In a statement to ZDNet, an Accenture spokesperson downplayed the incident, saying it had little impact on the company's operations. Accenture brought in more than $40 billion in revenue last year and has over 550,000 employees across multiple countries.
"Through our security controls and protocols, we identified irregular activity in one of our environments. We immediately contained the matter and isolated the affected servers. We fully restored our affected systems from back up," the company said.
"There was no impact on Accenture's operations or on our clients' systems."
Many online similarly questioned the amount of data taken during the ransomware attack and noted how unlikely it would be for it to come from an Accenture insider, considering how easy it would be to trace the attack.
Accenture did not respond to questions about whether it was an insider attack and when the attack may have occurred.
A cybercrime intelligence firm called Hudson Rock reported on Twitter that about 2,500 computers of employees and partners were compromised in the attack while another research firm, Cyble, claimed to have seen a ransom demand of $50 million for about 6 TB of stolen data.
BleepingComputer later reported that Accenture had already communicated with one CTI vendor about the ransomware attack and will notify others.
In a report from Accenture itself last week, the company said it found that 54% of all ransomware or extortion victims were companies with annual revenues between $1 billion and $9.9 billion.
Accenture provides a range of services to 91 of the Fortune Global 100 and hundreds of other companies. IT services, operations technology, cloud services, technology implementation and consulting are just a few of the things the Ireland-based company offers customers. In June, the company purchased German engineering consulting firm Umlaut to expand its footprint into the cloud, AI and 5G while also acquiring three other tech companies in February.
The Australian Cyber Security Centre released an advisory on Friday noting that after a small dip in operations, the LockBit ransomware group had relaunched and ramped up attacks.
Members of the group are actively exploiting existing vulnerabilities in the Fortinet FortiOS and FortiProxy products identified as CVE-2018-13379 in order to gain initial access to specific victim networks, the advisory said.
"The ACSC is aware of numerous incidents involving LockBit and its successor 'LockBit 2.0' in Australia since 2020. The majority of victims known to the ACSC have been reported after July 2021, indicating a sharp and significant increase in domestic victims in comparison to other tracked ransomware variants," the release added.
"The ACSC has observed LockBit affiliates successfully deploying ransomware on corporate systems in a variety of sectors including professional services, construction, manufacturing, retail and food."
In June, the Prodaft Threat Intelligence team published a report examining LockBit's RaaS structure and its affiliates' proclivity toward buying Remote Desktop Protocol access to servers as an initial attack vector.
The group generally demands an average of $85,000 from victims, and about one third goes to the RaaS operators. More than 20% of victims on a dashboard seen by Prodaft researchers were in the software and services sector.
"Commercial and professional services as well as the transportation sector also highly targeted by the LockBit group," Prodaft said.
UPDATE: After the timer went off on Wednesday afternoon, the group released the files it stole. There was no sensitive information in the leak and it was mostly made up of Accenture marketing material.
The group has since reset the timer for Aug 12, 20:43 UTC, implying they may have more documents to leak.