The Lockbit gang has released supposedly confidential documents from consulting giant Accenture. But the content it promised does not seem to have materialized.
At 5:30 p.m. on August 11, consulting giant Accenture certainly had its eyes on the Lockbit gang's blog. Hosted on a .onion site, accessible only through the Tor network (a part of the Internet commonly referred to as the “Dark Web”), this site is used by the cybercriminals to blackmail victims with the threat of disclosing their information.
In a message published on the night of August 10 to 11 and spotted by Le Parisien, Lockbit claimed to hold confidential information on Accenture. With a countdown running, the gang threatened to sell it to other criminals, then to publish it: “I really hope their services are better than what we have seen from the inside. If you are interested in purchasing databases, please contact us.”
At the end of the countdown, the upload of the documents… failed. After repeating the operation, the gang finally managed to make the files available. The media outlet The Record, which skimmed through them, explains that it found only brochures presenting Accenture products, internal training sheets and other marketing files… In short, no confidential documents.
Like the majority of gangs that operate ransomware, Lockbit works in two stages. Once a victim is infected with its malware, which is capable of paralyzing an entire computer network, the group offers to unlock it in exchange for a ransom. For large groups the size of Accenture, the demand can exceed several million or even tens of millions of euros.
But if the company does not give in to blackmail, as the majority of specialists advise, then the gang threatens to divulge confidential company information. It will have taken care to copy the files present on the infected machines before triggering its ransomware. As a result, victims risk exposure of customer contracts, strategic documents or sensitive data on their employees.
In addition to damaging the company’s reputation, this kind of leak can also trigger other cyberattacks, depending on the documents exposed. According to the company Cyble, the cybercriminals had demanded payment of $50 million to call off the publication of 6 terabytes of data.
The double extortion scheme used by Lockbit was first popularized by the Maze gang in 2018. Today, it is a common practice, and cybercriminals do not hesitate to push their threats even further. In other words, the incident facing Accenture is, on the face of it, a ransomware incident like any other.
“As usual, let’s be calm, Accenture probably has 5,257 different departments and the impact of the extortion will be limited,” researcher Kevin Beaumont had already tempered on Twitter before the end of the countdown. Although deliberately exaggerated, his observation reflects a reality: when cybercriminals deploy ransomware, they do not necessarily manage to reach their victim's entire network. In other words, the cyberattack can be limited to a small part of the network, without reaching the part that hosts the consulting activity. As a result, the true value of the loot is difficult to estimate until the extent of the cyberattack is known. And Accenture, which itself offers services and insurance against this kind of incident, should in theory be properly prepared.
To Le Parisien, Accenture confirms having “identified irregular activity”, but asserts that there is “no impact” on its operations and those of its customers. The company does not use the term “ransomware”, although it explains to Bleeping Computer that it has “fully restored affected systems from its backups”, after having identified and isolated them. In short, Accenture downplays, rightly so it seems, the impact of the cyberattack it suffered.