Accenture held in check by the ransomware devastating Italy: 63 TB of data published

by admin

Even Accenture fell into the hands of the ransomware gangs: the large consulting multinational was hit by a cyber attack on the night of San Lorenzo. The authors claimed it with a post on their site on the Dark Web.

It is not the only one of the big four consulting firms to have been attacked by the cyber criminals behind Lockbit 2.0, malicious software capable of installing itself on the victim’s systems and preventing access to files and resources until a ransom is paid.

Accenture was quick to say in a statement that “in the course of carrying out our security protocols we have identified irregular activity in one of our environments. The incident was promptly contained and the affected servers immediately isolated. There has been no impact on Accenture’s operations and our customers’ systems.” Some foreign sources believe that the Italian section has not been compromised, but we will find out in the coming days.

Accenture alone employs 17 thousand people in Italy, and its customers include all the largest Italian companies; indeed, the top 500 in the world are all its customers. The criminal gang has threatened to disclose all the data in its possession relating to employees and customers.

63 TB of data published online
The countdown to pay the ransom expired at 17.30 on 11 August, and at 1.41 on the night between 11 and 12 the criminals reported that they had disclosed 63 TB of data stolen from Accenture because the $50 million ransom was not paid; they explained that they were “helped by an intern”.

However it goes now, this won’t be the last time we hear about Lockbit, as we had already written. In recent weeks, Lockbit 2.0’s targets have been other manufacturing and industrial companies in our country: Terribly, which produces and transports energy, Acquazzurra Firenze, Csp Mold, Mascherpa Tecnologie Gestionali, GiCinque Srl and some others.


How does Lockbit 2.0 work?
According to a quick report by Telsy, an Italian company specializing in infrastructure protection and in the development of cybersecurity technologies, this ransomware first appeared in the cyber threat landscape in September 2019 and has evolved over the years with the introduction of new features, up to the adoption of a Ransomware as a Service (RaaS) model.

Put simply, ransomware developers rent out variants of their ransomware in the same way that legitimate software developers rent out their products in the cloud. This pay-as-you-go (or rented) software offers everyone, even people without much technical knowledge, the ability to launch ransomware attacks simply by registering for a service.

After gaining access to the target company’s servers, LockBit starts the enumeration process and tries to identify mission-critical systems such as domain controllers, backup servers or storage devices for videos and photos (known as NAS, Network Attached Storage). Once logged on to the domain controller, a dedicated server that handles user requests to access certain information or specific areas of the system, Lockbit independently creates new rules (the so-called group policies) for all computers in the domain, disabling the real-time protection of Microsoft Defender, alerts, the sending of reports and all the predefined actions that are carried out when malicious files are detected.
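For defenders, the group-policy tampering described above can be checked on any domain-joined machine by exporting the Defender policy key and auditing it. The following is an added example, not code from the article or from Telsy's report: the registry value names are standard Microsoft Defender policy settings chosen here to match the behaviours listed, and the sample export is constructed.

```python
import re

# Defender policy root; value names below are this example's assumption
# (the article names behaviours, not registry values).
ROOT = r"hkey_local_machine\software\policies\microsoft\windows defender"
# (subkey, value name) -> (data that weakens Defender, behaviour affected)
WEAKENING = {
    ("real-time protection", "disablerealtimemonitoring"): (1, "real-time protection off"),
    ("ux configuration", "notification_suppress"): (1, "alerts suppressed"),
    ("spynet", "spynetreporting"): (0, "reporting to Microsoft off"),
    ("spynet", "submitsamplesconsent"): (2, "sample submission never sent"),
}
KEY_RE = re.compile(r"^\[(.+)\]$")
VAL_RE = re.compile(r'^"([^"]+)"=(?:dword:([0-9a-fA-F]{8})|"(\d+)")$')

def parse_reg(text):
    """Parse `reg export` text into {(subkey, name): int} under ROOT."""
    values, subkey = {}, None
    for line in map(str.strip, text.splitlines()):
        if m := KEY_RE.match(line):
            key = m.group(1).lower()  # registry paths are case-insensitive
            under = key == ROOT or key.startswith(ROOT + "\\")
            subkey = key[len(ROOT):].lstrip("\\") if under else None
        elif subkey is not None and (m := VAL_RE.match(line)):
            name, dword, string = m.groups()
            values[(subkey, name.lower())] = int(dword, 16) if dword else int(string)
    return values

def audit(text):
    """Return the protections that the exported policy weakens."""
    findings = []
    for (subkey, name), value in sorted(parse_reg(text).items()):
        rule = WEAKENING.get((subkey, name))
        if rule and value == rule[0]:
            findings.append(rule[1])
        elif subkey == r"threats\threatseveritydefaultaction" and value == 6:
            findings.append(f"severity {name} threats ignored")  # 6 = ignore
    return findings

# Constructed sample export, not taken from a real incident.
SAMPLE = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection]
"DisableRealtimeMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet]
"SpynetReporting"=dword:00000000
"SubmitSamplesConsent"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction]
"5"="6"
'''
if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

Files written by `reg export` are UTF-16, so decode them with `encoding="utf-16"` before passing the text to `audit`. Any finding on a machine whose policy was not deliberately configured that way is worth tracing back to the GPO that set it.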

When the encryption process is complete, LockBit drops a ransom note called Restore-My-Files.txt in all infected directories. The ransom note also contains a link to a payment portal where victims can chat with the cybercriminals and access a free service to verify that the attackers have a legitimate copy of the decryption key.

According to computer scientist Emanuele De Lucia, a cyber threat analysis expert at the startup Cluster25, behind Lockbit there is thought to be a criminal group of twenty or thirty people, almost all Russian-speaking, who exchange techniques, tools and advice on which victims to attack in the Exploit.in forum.

Various computer breaches in Italy can be traced back to Lockbit 2.0, and the connecting point is said to be a twenty-year-old Russian known in criminal forums as Eastfarmer: according to some reconstructions, he could be at the origin of the theft of credentials that allowed the attack on the Lazio Region, passing through servers located in Sardinia that had weak login credentials and are said to have been overcome with a brute force attack, i.e. trying and retrying usernames and passwords to access the system.

The criminals are then said to have sold this information to the RansomEXX group, the one that later asked the Region for a ransom. Pending evidence from the Postal Police, the conditional here is a must.
