{"id":71474,"date":"2022-11-07T09:09:58","date_gmt":"2022-11-07T01:09:58","guid":{"rendered":"https:\/\/x-phy.com\/?p=71474"},"modified":"2025-10-02T06:58:27","modified_gmt":"2025-10-02T06:58:27","slug":"lockbit-ransomware","status":"publish","type":"post","link":"https:\/\/x-phy.com\/lockbit-ransomware\/","title":{"rendered":"LockBit Ransomware \u2013 A Use Case Of Accenture"},"content":{"rendered":"\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t\t
\n\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t

LockBit ransomware gang recently hit Accenture, one of the top technological consulting organizations in the world.<\/p>

The Dublin-based company cited that the attack was not classified as a\u00a0ransomware attack<\/a>\u00a0since they claimed that their operations were not affected.<\/p>

According to one of their representatives, Stacey Jones, Accenture’s security controls and protocols spotted abnormal behavior in one of their settings. The issue was quickly resolved, and the impacted servers were separated. All of the afflicted systems were entirely recovered from backups. Neither Accenture’s operations nor their client’s systems were impacted.<\/p>

Russian ransomware gang, which operates in\u00a0ransomware-as-a-service<\/a>\u00a0model, claimed responsibility for the attack. The attackers demanded $50 million in ransom for six terabytes of data.<\/p>

According to VX Underground, a company that says it has the largest collection of malware source codes globally, tweeted that LockBit shared more than 2000 files to the dark web for a brief time. The files contained case studies and presentations.
A screenshot from the ransomware operator’s dark web page where they had revealed the attack shows the attackers mentioning that Accenture’s security services were not at the level they could expect. This could highly affect the company’s reputation since it shows a bad picture to Accenture’s clients who share their valuable and confidential data with the company.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t

\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\"accenture\"\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t

How LockBit Ransomware works<\/h3>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t

LockBit ransomware gang uses ransomware-as-a-service model whereby it is offered to others based on an affiliate model. If an attack goes through and a ransom is paid, the payments are shared between the gang and the entities behind the attack.<\/p>

Once a single host in a network is affected, the ransomware can scan the network and infect other devices that are accessible in the network. The ransomware also uses windows native tools and protocols making it very difficult for endpoint security tools to identify it as malicious.<\/p>

Here is a summary of how the ransomware works;<\/p>

1. Entry into Victim’s machines<\/strong><\/p>

The attackers find a way to get into the victim’s system by\u00a0brute force<\/a>\u00a0or through phishing emails.<\/p>

2. Lateral movement and internal reconnaissance<\/strong><\/p>

An internal Ip address over DCE-RPC starts performing WMI commands to multiple internal destinations. The command is followed by many other WMI commands over the DCE-RPC, which happen throughout the encryption process.<\/p>

The infected device starts to write executable files over SMB to hidden shares on multiple destinations.<\/p>

The ability to write this means that the ransomware escalates privileges to act as admin.<\/p>

If not able to escalate privileges, the ransomware attempts to bypass Windows User Account Control.
The WMI commands continue, and the writing of executable files continues in different hidden destinations (Windows\/Temp).<\/p>

3. File Encryption<\/strong><\/p>

The ransomware starts encrypting files while appending the .lockbit extension. At the same time, it continues utilizing the SMB to share to other devices via srvsvc and scanning critical TCP ports.<\/p>

The ransomware continues to adopt new features making it more complicated and harder to detect. For example, recent ransomware variants have started to adopt the double extortion method whereby they perform\u00a0data breaches<\/a>\u00a0before encrypting victim’s systems.<\/p>

Stolen data may be published or sold to competitors if requested ransoms are not paid. This adds more pressure for the victims to pay.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t

\n\t\t\t\t
\n\t\t\t\t\t

X-PHY\u00ae<\/sup> Protection against LockBit Ransomware<\/h3>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t

X-PHY\u00ae<\/sup> engineers<\/a> took LockBit ransomware and tested it with X-PHY\u00ae<\/sup> and a normal SSD to see the response. In less than 5 seconds, X-PHY\u00ae<\/sup> stopped the attack dead in its tracks, locked all data keeping it untouched, and immediately notified the user via email and OTP.<\/p>

In the normal SSD, all data was compromised, and the PC could not boot up. It just showed the following pop-up screen;<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t

\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\"\"\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\tWhen tested with X-PHY\u00ae<\/sup>, the ransomware was detected within 5 seconds and the SSD was locked.\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\"\"\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t

On locking the SSD,\u00a0X-PHY\u00ae<\/a>\u00a0notifies the user via email that a ransomware attack has been detected and the device locked.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t

\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\"\"\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\tTo unlock X-PHY\u00ae<\/sup>, the user will have to use connected duo authentication to unlock X-PHY\u00ae<\/sup>, otherwise, it remains locked. After unlocking, X-PHY\u00ae<\/sup> will have recorded all events in the event log, and the user can now access data in a normal way.\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\"\"\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t

As attackers utilise more sophisticated attack techniques, it is becoming harder and harder for companies to stay ahead of the attacker’s techniques and keep their data secure from cyberattacks. That’s why we brought X-PHY\u00ae<\/sup> to you, it automatically detects suspicious behavior since it is highly trained with huge databases of malware to understand all possible behavior for malware.<\/p>

Related:<\/p>

HelloKitty Ransomware Prevention with X-PHY SSD<\/a><\/strong><\/p>

What is WannaCry ransomware and How to protect your data from the WannaCry ransomware?<\/a><\/strong><\/p>

X-PHY\u00ae<\/sup> AI core is placed closest to your data and is highly trained to protect you from any threat that can touch your data.<\/p>

X-PHY\u00ae<\/sup> Response Flow<\/strong><\/p>