Accenture Discloses Data Breach After LockBit Ransomware Attack

IT consultancy giant Accenture has confirmed that the LockBit Ransomware gang made off with data during an attack that hit its systems in August. The details of the heist were revealed in the company’s financial report for the fourth quarter and full fiscal year, which ended on August 31, 2021.

“In the past, we have experienced, and in the future, we may again experience, data security incidents resulting from unauthorized access to our and our service providers’ systems and unauthorized acquisition of our data and our clients’ data including inadvertent disclosure, misconfiguration of systems, phishing ransomware or malware attacks,” Accenture said.

“During the fourth quarter of fiscal 2021, we identified irregular activity in one of our environments, which included the extraction of proprietary information by a third party, some of which was made available to the public by the third party.

“In addition, our clients have experienced, and may in the future experience, breaches of systems and cloud-based services enabled by or provided by us.”

The LockBit Ransomware gang claimed that they stole 6TB of data from Accenture, after which they demanded a $50 million ransom.

Although Accenture has mentioned the attack within SEC filings and filed data breach notification letters, the company has yet to make a public statement of the LockBit Ransomware attack or acknowledge it in any other manner.

This likely means that the stolen data didn’t contain any personally identifiable information (PII) or protected health information (PHI) data which would’ve triggered regulatory notification requirements.

At the time of the LockBit Ransomware attack, Accenture managed to restore all affected systems from backups, with little impact on business operations.

In September, the company claims made by the LockBit Ransomware gang that network credentials belonging to customers were stolen.

In September, the company denied claims made by the LockBit gang that they also stole credentials belonging to Accenture customers that would enable them to compromise their networks.

“We have completed a thorough forensic review of documents on the attacked Accenture systems. This [LockBit’s] claim is false,” Accenture told researchers at BleepingComputer, denying that customer credentials were stolen in the August ransomware attack.

“As we have stated, there was no impact on Accenture’s operations, or on our client’s systems. As soon as we detected the presence of this threat actor, we isolated the affected servers.”

Accenture is a Fortune 500 company and one of the world’s largest IT services and consulting firms with more than 624,000 employees across 120 countries, providing services to a wide array of industry sectors, including banks, government, technology, energy, telecoms, and more.

LockBit Ransomware Analysis

NOTE: This analysis of Lockbit Ransomware was carried out by McAfee

The file found in the investigation of Lockbit Ransomware was a dropper renamed as a .png file. When first opening the .png files we were expecting a real image file, with perhaps some steganography inside, but what we saw instead was the header of a portable executable, so no steganography pictures this time. The PE was compiled in Microsoft Visual C# v7.0 / Basic .NET, .NET executable -> Microsoft.

Entropy-wise is tidy too, not showing any stray sections or big spikes in the graph. This behavior indicates that the writer of the Lockbit Ransomware did not use obfuscation.

This file is a .NET launcher. Examining the Main() function in the code shows that an array containing a particularly long AES encrypted base64 string (in the variable named ‘exeBuffer’) carries the executable for the actual ransomware.

This encrypted string is decrypted using the key ENCRYPTION29942. The first 32 bytes of the long ExeBuffer string are used as the salt in the encryption scheme, where ENCRYPTION29942 is the passphrase.

The script checks for the existence of vbc.exe on its designated host. Usually, this binary is a digitally signed executable from Microsoft; however, in this case, the malware uses it for process hollowing.

By statically analyzing the file we can spot the usage of:

• NtUnmapViewOfSection
• LockBit Ransomware uses this API in order to unmap the original code in execution
• NtWriteVirtualMemory
• The malware writes the base address of the injected image into the PEB via NtWriteVirtualMemory
• VirtualAllocEx
• To allocate the space before injecting the malicious code
• The VBC utility is the visual basic compiler for Windows and LockBit Ransomware uses it to compile and execute the code on the fly directly in execution. If the vbc utility does not exist on the system, the malware downloads the original vbc.exe file from the same malicious URL as seen before. After executing vbc.exe, the malware replaces the objects in memory with the code for deploying the ransomware (as deduced from the exeBuffer).

The list of services LockBit Ransomware tries to stop are:

• DefWatch (Symantec Antivirus)
• ccEvtMgr (Norton AntiVirus Event Manager)
• ccSetMgr (Common Client Settings Manager Service of Symantec)
• SavRoam (Symantec Antivirus)
• sqlserv
• sqlagent
• sqladhlp
• Culserver
• RTVscan (Symantec Antivirus Program)
• sqlbrowser
• SQLADHLP
• QBIDPService (QuickBooksby Intuit.)
• QuickBoooks.FCS (QuickBooksby Intuit.)
• QBCFMonitorService (QuickBooksby Intuit.)
• sqlwriter
• msmdsrv (Microsoft SQL Server Analysis or Microsoft SQL Server)
• tomcat6 (Apache Tomcat)
• zhundongfangyu (this belongs to the 360 security product from Qihoo company)
• vmware-usbarbitator64
• vmware-converter
• dbsrv12 (Creates, modifies, and deletes SQL Anywhere services.)
• dbeng8 (Sybase’s Adaptive Server Anywhere version 8 database program)
• wrapper (Java Service?)

If one of these services is found by the malware querying the status of it, with the function “QueryServiceStatusEx”, LockBit will get all the depending modules when correct and safe and it will stop the service with the function “ControlService”.

The ransom note is rather compact because the author hardcoded the content right in the code without using any obfuscation or encryption. The text file containing the ransom note is created in every directory after encryption and called Restore-My-Files.txt.