RaaS Company Lockbit reportedly compromises multi-national group Accenture
Extortion. That’s what Ransomware is. It’s extortion.
And possibly later blackmail.
Ransomware is very similar to “data kidnapping” for lack of a better phrase. Ransomware involves taking something that isn’t yours and then returning it for money or using it to directly blackmail individuals, vendors, companies and/or company executives.
Call it what you want, give it whatever romantic, freedom-fighter aura you see fit, but it’s still very much a crime. It is also a rapidly accelerating trend, an exploding problem faced by enterprise-level technology users across the globe.
Accenture, a global IT consultancy giant, appears to be the latest organization allegedly hit by a ransomware cyberattack from the LockBit ransomware gang. The IT giant is known to serve a wide range of industries, including automobiles, banks, government, technology, energy and telecoms, to name a few. Currently valued at $44.3 billion, Accenture is one of the world’s largest tech consulting companies, with more than 560,000 employees operating across at least 50 countries.
So What Happened? How is this even possible?
The notice left behind by LockBit said this:
“These people are beyond privacy and security,
I really hope their services are better than what I saw as an insider.
If you’re interested in buying some databases, reach us.”
Posted by Lockbit
Surely, they were protected, right? I’m sure they were…
But you can’t protect against an inside job. Come to find out, they’re called affiliate agents, or simply, affiliates.
Breakdown of a Successful Ransomware Attack
Before we get into the intricacies of what makes LockBit and the LockBit 2.0 Software unique, let’s just have a quick look at the overall ransomware process to make sure we’re on the same page.
- Executing the Ransomware Attack:
The first move in a Ransomware attack is to get inside a computer system. Period.
Once inside, the attacking party will locate and extract the information they judge to be the most sensitive and the most valuable. When this collection process is complete, a RaaS company will activate its software, which then renders the victim’s system inoperable, typically through encryption. They will then post a message and/or wallpaper background detailing the steps a victim needs to take to recover the lost data: the ransom demand, of course.
So that’s the first part: before anything else, an attacker needs to gain access to a system. Without that access, there is no attack.
- Executing the Payment Leverage:
First, a RaaS company will try to simply sell its data encryption key, which at face value will allow the victim access to their taken or encrypted data. However, companies at the level of Accenture do have very advanced ways to restore their information from backups and will often refuse to pay, or even communicate, with the attackers.
At this point, attackers are left with a few options, including threatening to publish the siphoned data or, more commonly, reselling it to the highest bidder. Over time, threats and tactics can escalate to performing DDoS attacks on victims’ networks and websites, emailing customers and journalists, and threatening to contact stock exchanges and legal groups. Worse yet, while these attacks are ongoing, the employees and customers are usually the last to know what is happening. In an instant, their data and organizational reputation are in jeopardy.
The Threat of Exposure is the Catalyst
The threat of exposing the secrets, customers, and internal communications of a global heavyweight like Accenture is an excellent illustration of the state of enterprise cybersecurity today. Trade secrets, email conversations, employee files, whitepapers and classified documents are said to fetch millions of dollars in ransom to protect both data and reputation. It very much shows the precarious position a company is quickly put in, the potential for future attacks, and the still unforged path to complete threat closure. Closure in itself is a tricky word; CBS News reports that an estimated 80% of victim companies suffer repeat attacks.
Snapshot of a Cybercriminal Gang: The LockBit RaaS Affiliate Model
LockBit is a cybercriminal gang that operates on a ransomware-as-a-service (RaaS) model. Similar groups from the past include DarkSide and REvil, which farmed out subscription kits to anyone meeting their financial terms. The difference from traditional ransomware is that LockBit offers its ransomware platform for other entities or individuals to use under an affiliate model. Any ransom payments received from using LockBit are divided between the customer directing the attack and the LockBit gang.
On average, LockBit affiliates demand roughly $85,000 from each victim; 10 to 30% of that goes to the RaaS operators in exchange for access to ransomware that is now infecting thousands of devices worldwide.
It’s thought that the LockBit ransomware gang is now actively recruiting insiders to help them breach and encrypt networks and according to several reports, this may be a shift from the standard ransomware-as-a-service model to cut out the middleman and keep more of the ransom profit for themselves.
LockBit is categorized as related to the LockerGoga and MegaCortex malware families because it shares common tactics, techniques, and procedures (TTPs) with them: most notably the ability to propagate automatically to new targets, its use in targeted attacks rather than spam or indiscriminate distribution, and even the underlying tools it relies on, such as Windows PowerShell and the Server Message Block (SMB) protocol, the standard protocol Windows uses to share files, printers and serial ports.
Accenture Price of Recovery: 6 Terabytes/$50 Million
In this case, LockBit allegedly took 6TB of files and is asking for $50 million for their safe return. Another interesting aspect of this case is that they claim to have gained access to Accenture’s network via a corporate “insider.” This insider approach is growing in popularity, targeting external IT consultants and disgruntled employees with promises of millions of dollars for anyone who helps the gang gain access for an attack. These are the previously mentioned affiliates, because again, the main challenge of a ransomware attack is gaining access.
As a historical note, this isn’t the first time this has happened. In August 2020, you may remember, the FBI arrested a Russian national for attempting to recruit a Tesla employee to plant malware in Tesla’s Nevada Gigafactory.
Forensic Investigations Tell a LOT about the Process
Forensic investigations of machines attacked by LockBit affiliates show that threat groups will often first try to identify “mission-critical” systems, including NAS devices, backup servers, and domain controllers. Data extraction then begins, and packages are usually uploaded to services including MEGA’s cloud storage platform. The investigation (view report here) revealed that LockBit affiliates most often buy Remote Desktop Protocol (RDP) and Virtual Private Network (VPN) access to servers as an initial attack technique, although they may also use typical phishing and credential stuffing techniques. These kinds of tailored access services can be purchased for as little as $5, making this approach very lucrative for affiliates. Third-party exploits are also used to compromise vulnerable systems, including company desktops and servers, via well-known Fortinet VPN vulnerabilities that remain unpatched on target machines.
A LockBit sample is typically deployed manually, and files are encrypted with a generated AES key. Backups are deleted and the system wallpaper is changed to a ransom note containing a link to a Dark Web (.onion) website, which is where a victim can purchase the key, decryption software, or whatever solution is available. The website typically also offers a decryption ‘trial,’ in which one small file can be decrypted for free; however, this isn’t just to show that decryption is possible, it is also used to generate a decryptor for each victim.
When the victims reach out, attackers can open a chat window in the LockBit panel to talk to them. Conversations will often start with the ransom demand(s), the payment deadline, the payment method (usually Bitcoin, BTC) and even instructions on how to safely purchase cryptocurrency.
Sources familiar with the case say that Accenture has confirmed the ransomware attack to at least one CTI vendor, and that the IT services provider is in the process of notifying more clients. According to cybercrime intelligence firm Hudson Rock, Accenture has 2,500 compromised computers belonging to both employees and partners, which account for most of the information initially taken by LockBit.
It’s been reported by online resource Bleeping Computer that LockBit is most likely a new entrant to the ransomware cartel overseen by Maze, as they’ve “detected several LockBit affiliates are also working for other ransomware groups,” and that collaboration is “very likely” in this case. By joining forces to share advice, tactics, and a centralized data leak platform, ransomware operations can focus more on creating more sophisticated attacks and successful extortion attempts.
Are the Australians Leading the Way?
The Australian Cyber Security Centre (ACSC) began warning of the steep increase in LockBit 2.0 attacks just over a week ago, issuing a security report on August 5, 2021. This report noted a big increase in LockBit threats to publish stolen sensitive data online. Most incoming reports occurred after July 2021 and indicate a very sharp and significant increase in domestic victims compared to previous variants.
The ACSC provides mitigations and suggestions focused on LockBit TTPs (Tactics, Techniques, and Procedures), which include:
- Enabling multifactor authentication (MFA) on all accounts to block the use of stolen credentials
- Encrypting sensitive data at rest to block exfiltration of sensitive information
- Segmenting corporate networks and restricting admin privileges to block lateral movement and privilege escalation attempts
- Maintaining daily backups to reduce a successful attack’s impact
- Patching internet-facing Fortinet devices against CVE-2018-13379, a security bug heavily exploited by LockBit to breach networks
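The forensic section above notes that affiliates most often start from bought or brute-forced RDP/VPN access and credential stuffing, and the first ACSC mitigation (MFA) exists to blunt exactly that. The following detection is an added example, not from the article, ACSC, or any vendor tool: it runs over a constructed CSV export of Windows logon events (4625 = failed logon, 4624 = successful logon, logon type 10 = RemoteInteractive/RDP are the real Windows meanings; the field layout and the `min_users` threshold are assumptions) and flags a source that sprays many usernames over RDP and then logs in.

```python
"""Flag RDP credential stuffing followed by a successful logon (added example)."""
from collections import defaultdict

# Constructed sample export (not real data): timestamp,event_id,logon_type,user,source_ip
SAMPLE_LOG = """\
2021-08-10T02:01:05,4625,10,jsmith,203.0.113.7
2021-08-10T02:01:06,4625,10,admin,203.0.113.7
2021-08-10T02:01:07,4625,10,svc_backup,203.0.113.7
2021-08-10T02:01:08,4625,10,mlee,203.0.113.7
2021-08-10T02:01:09,4625,10,ops,203.0.113.7
2021-08-10T02:01:30,4624,10,ops,203.0.113.7
2021-08-10T08:15:00,4625,10,jsmith,198.51.100.4
2021-08-10T08:15:20,4624,10,jsmith,198.51.100.4
2021-08-10T09:00:00,4624,2,mlee,10.0.0.5
"""

def parse_events(text):
    """Parse the assumed CSV layout into dicts; rows are expected in time order."""
    events = []
    for line in text.splitlines():
        ts, eid, ltype, user, ip = line.split(",")
        events.append({"ts": ts, "event_id": int(eid), "logon_type": int(ltype),
                       "user": user, "ip": ip})
    return events

def find_stuffing(events, min_users=4):
    """Return {source_ip: (distinct users tried, users that then succeeded over RDP)}.

    Only RemoteInteractive (RDP) logons are considered. A source is reported when
    it failed against at least `min_users` distinct accounts; the second tuple
    element lists accounts that succeeded from that source after those failures,
    i.e. where a stolen or guessed password worked and MFA was not enforced.
    """
    failed_users = defaultdict(set)   # ip -> usernames seen in RDP failures
    success_after = defaultdict(set)  # ip -> usernames that later succeeded
    for ev in events:
        if ev["logon_type"] != 10:
            continue
        if ev["event_id"] == 4625:
            failed_users[ev["ip"]].add(ev["user"])
        elif ev["event_id"] == 4624 and failed_users[ev["ip"]]:
            success_after[ev["ip"]].add(ev["user"])
    return {ip: (len(users), sorted(success_after[ip]))
            for ip, users in failed_users.items() if len(users) >= min_users}

if __name__ == "__main__":
    for ip, (tried, won) in find_stuffing(parse_events(SAMPLE_LOG)).items():
        print(f"{ip}: {tried} accounts sprayed over RDP, succeeded as {won or 'none'}")
```

The single-user failure from 198.51.100.4 stays below the threshold, which is the usual mistyped-password noise; the sprayed source that then lands as `ops` is the case worth an incident ticket.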
If this is happening to a billion-dollar company like Accenture, which you can guarantee took every precaution imaginable, then it can happen to you. The end result is the same, and companies are often put in a lose-lose situation. If companies don’t manage approved applications, software and devices by policy and tooling (such as Microsoft Intune), then third-party exploits and insider practices are sure to continue. Contact us if you would like to discuss the ramifications for your business and we will find you solutions.
Organizations affected by these escalating ransomware attacks, or needing assistance, are advised to reach out using ACSC’s 1300 CYBER1 hotline.