The LockBit ransomware gang recently hit Accenture, one of the largest technology consulting organizations in the world.
The Dublin-based company stated that it did not classify the incident as a ransomware attack, since, it claimed, its operations were not affected.
According to one of its representatives, Stacey Jones, Accenture’s security controls and protocols spotted abnormal activity in one of its environments. The issue was quickly contained, and the impacted servers were isolated. All of the affected systems were fully restored from backups. Neither Accenture’s operations nor its clients’ systems were impacted.
A Russian ransomware gang, which operates under a ransomware-as-a-service model, claimed responsibility for the attack. The attackers demanded $50 million in ransom for six terabytes of data.
VX Underground, a group that says it holds the largest collection of malware source code globally, tweeted that LockBit briefly shared more than 2000 files on the dark web. The files contained case studies and presentations.
A screenshot of the ransomware operators’ dark web page, where they announced the attack, shows them claiming that Accenture’s security services were not at the level one would expect. This could seriously damage the company’s reputation, since it gives a poor impression to the clients who entrust Accenture with valuable and confidential data.
How LockBit Ransomware works
Once a single host in a network is infected, the ransomware can scan the network and infect other reachable devices. The ransomware also uses Windows-native tools and protocols, making it very difficult for endpoint security tools to identify it as malicious.
Here is a summary of how the ransomware works:
1. Entry into Victim’s machines
The attackers find a way to get into the victim’s system by brute force or through phishing emails.
2. Lateral movement and internal reconnaissance
An internal IP address starts issuing WMI commands over DCE-RPC to multiple internal destinations. Many further WMI commands over DCE-RPC follow, continuing throughout the encryption process.
The infected device then starts writing executable files over SMB to hidden shares on multiple destinations.
Being able to write to these shares means the ransomware has escalated its privileges to act as an administrator.
If it cannot escalate privileges, the ransomware attempts to bypass Windows User Account Control. The WMI commands continue, as does the writing of executable files to different hidden destinations (Windows/Temp).
3. File Encryption
The ransomware starts encrypting files, appending the .lockbit extension to each. At the same time, it continues to use SMB to spread to other devices via srvsvc, and scans critical TCP ports.
The ransomware continues to adopt new features, making it more complex and harder to detect. For example, recent variants have adopted the double-extortion method, in which they steal data before encrypting the victim’s systems.
If the requested ransom is not paid, the stolen data may be published or sold to competitors, adding further pressure on the victim to pay.
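The stages above leave a recognisable trail in network and file-event telemetry. As an added illustration (not from the original article or from X-PHY®'s product), the following Python script hunts for that trail: one internal host fanning out WMI commands over DCE-RPC, then planting executables on hidden SMB shares of the same hosts, followed by .lockbit renames. The log format, addresses and share paths are constructed for the example.

```python
"""Hunt for the LockBit lateral-movement and encryption stages described
above in a constructed event log: WMI over DCE-RPC to many destinations,
executables written to hidden (ADMIN$/C$) SMB shares on those same hosts,
and files renamed with the .lockbit extension."""
from collections import defaultdict
import re

# Constructed sample events in a hypothetical "time src dst proto detail" format
SAMPLE_LOG = r"""
10:00:01 10.0.0.5 10.0.0.20 DCE-RPC wmi ExecMethod Win32_Process.Create
10:00:02 10.0.0.5 10.0.0.21 DCE-RPC wmi ExecMethod Win32_Process.Create
10:00:03 10.0.0.5 10.0.0.22 DCE-RPC wmi ExecMethod Win32_Process.Create
10:00:04 10.0.0.5 10.0.0.20 SMB write \\10.0.0.20\ADMIN$\Temp\upd.exe
10:00:05 10.0.0.5 10.0.0.21 SMB write \\10.0.0.21\C$\Windows\Temp\upd.exe
10:00:06 10.0.0.5 10.0.0.22 SMB write \\10.0.0.22\ADMIN$\Temp\upd.exe
10:00:09 10.0.0.20 10.0.0.20 FILE rename report.docx -> report.docx.lockbit
10:01:00 10.0.0.9 10.0.0.20 SMB write \\10.0.0.20\Public\notes.txt
"""

LINE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (.*)$")
# \\host\NAME$\... : hidden/administrative shares such as ADMIN$ and C$
HIDDEN_SHARE = re.compile(r"^\\\\[^\\]+\\\w+\$\\")


def analyze(log: str, fanout: int = 3) -> dict:
    wmi_targets = defaultdict(set)  # src -> hosts that received WMI over DCE-RPC
    exe_drops = defaultdict(set)    # src -> hosts whose hidden share got an executable
    lockbit_hosts = set()           # hosts where .lockbit renames were observed
    for raw in log.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        _, src, dst, proto, detail = m.groups()
        if proto == "DCE-RPC" and detail.lower().startswith("wmi"):
            wmi_targets[src].add(dst)
        elif proto == "SMB" and detail.startswith("write "):
            path = detail.split(" ", 1)[1]
            if HIDDEN_SHARE.match(path) and path.lower().endswith((".exe", ".dll")):
                exe_drops[src].add(dst)
        elif proto == "FILE" and detail.lower().endswith(".lockbit"):
            lockbit_hosts.add(dst)
    # A source that fans out WMI and also drops executables on the hidden
    # shares of `fanout` or more of the same hosts matches stage 2 above
    spreaders = {src for src, hosts in wmi_targets.items()
                 if len(hosts & exe_drops.get(src, set())) >= fanout}
    return {"spreaders": spreaders, "encrypting_hosts": lockbit_hosts}


if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

The normal SMB write from 10.0.0.9 to a non-hidden share is deliberately included so the fan-out threshold, not any single SMB write, is what raises the alert.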
X-PHY® Protection against LockBit Ransomware
X-PHY® engineers took LockBit ransomware and ran it against both X-PHY® and a normal SSD to compare the response. In less than 5 seconds, X-PHY® stopped the attack dead in its tracks, locked all data so that it remained untouched, and immediately notified the user via email and OTP.
On the normal SSD, all data was compromised and the PC could not boot. It only displayed the following pop-up screen:
The X-PHY® AI core sits closest to your data and is trained to protect you from any threat that can reach it.
X-PHY® Response Flow
- X-GUARD THREAT LOCK features SECURITY SCOUT and GUARDIAN PRO-X work together to stop any attempt by the ransomware to breach or clone your sensitive data.
- X-FILE FORENSIC AGENT features ACTIVE DETECTIVE and DEEP INVESTIGATION introduce extra file protection features by preventing any illegal data modifications. They also record all activities and the application behind them, making it easy for X-PHY® to identify suspicious actors.
- After noticing suspicious activity aimed at breaching and/or encrypting user data, these features trigger X-FACTOR ENCRYPTION LOCK. Its KEYCODE 2-FACTOR feature locks down all the data on the X-PHY®, making it inaccessible to the ransomware.
- X-PHY® displays a notification on the user’s computer that ransomware has been detected, and simultaneously sends an email notification to the user’s registered address. The user then needs an OTP to unlock the SSD.
- X-PHY® records the attack activity in the event log and will automatically block any action with the same behavior in the future.