Multinational Consulting Giant Hit by Ransomware

The story of the Hack and the protection

CPOC News Playlist with all the latest news from the Cyber Protection Operation Center. Spend just 10 minutes to get equipped for the next partner’s call!

1. With more than half a million employees and an annual revenue of more than US$44 billion, Fortune Global 500 company, Accenture, has become the latest victim of LockBit ransomware. The attackers made off with over 6TB of data, and are demanding US$50 million in ransom. Acronis Cyber Protect detects and blocks the behavior of ransomware like LockBit.

2. Three recently patched vulnerabilities in Microsoft Exchange Server could be chained to lead to unauthenticated remote code execution on vulnerable servers. The Patch Management included in Acronis Cyber Protect helps to keep your systems updated with the latest security patches, quickly and easily from a single web console.

3. The ransomware gang RansomEXX has landed successful attacks on two high-value targets: Taiwanese motherboard maker Gigabyte and Italian luxury fashion house Zegna. RansomEXX is claiming 112GB of stolen data from Gigabyte and close to 21GB of data from Zegna. Acronis Cyber Protect’s Active Protection recognizes and stops RansomEXX.

4. The BlackMatter ransomware group is expanding to Linux VMware ESXi servers. Acronis Cyber Protect provides behavior-based detection which blocks ransomware threats, before they can do any damage, on Windows, Mac or Linux operating systems.

5. Researchers identified a new strain of the Golang crypto-worm that is being detected close to half a million times per month on victim machines. Acronis Cyber Protect’s Active Protection recognizes cryptojacking behavior and stops it before your electric bills increase, or equipment is damaged.

Video link to Cyber Protection Operation’s Center update on this topic

• The multinational tech consulting firm, Accenture, has become the latest victim of the LockBit ransomware gang. With more than half a million employees, and an annual revenue of over US$44 billion, Accenture is a Fortune Global 500 company, providing services to major clients including Cisco, Alibaba, and Google.

• The attackers left an ultimatum of paying by 5:30 PM on Wednesday, but without specifying the time zone. In an unusual move for recent ransomware attacks, only the name and logo of the victim were published on the gang’s dark web site, without immediately including any files as proof of the attack.

• LockBit appears to have gotten away with as much as 6TB of data in the attack, and is demanding a ransom of US$50 million. Accenture restored data from backups, and has stated that there was no significant impact to normal operations.

• The Active Protection included in Acronis Cyber Protect detects and blocks the behavior of ransomware like LockBit, keeping your data safe, and your systems operational.

Video link to Cyber Protection Operation’s Center update on this topic

• A set of three vulnerabilities in Microsoft Exchange Server could be chained, allowing an attacker to perform unauthenticated remote code execution. This potential to run arbitrary code and commands on victim machines already has threat actors scanning for vulnerable servers.

• Two of the three vulnerabilities were patched as part of the April Microsoft Patch Tuesday bug fixes, and the third vulnerability was patched in May. Despite patches being available, Exchange honeypots are showing that attackers are actively searching for and exploiting these vulnerabilities on unpatched servers as recently as the last couple of weeks.

• Exchange Server is one of the top email solutions for businesses, with over 400,000 Exchange Servers exposed to the internet. This makes Exchange a valuable target for attackers, especially when they are able to run any code that they want on the victim servers.

• The best way to protect against these vulnerabilities is to ensure your Exchange Servers have received the security patches. Acronis Cyber Protect makes updating Exchange Server simple with the included Patch Management, allowing you to select the systems to patch, and the patches to apply, from a single web console.

Video link to Cyber Protection Operation’s Center update on this topic

• The ransomware gang RansomEXX has landed successful attacks on two high-value targets: Taiwanese motherboard maker Gigabyte and Italian luxury fashion house Zegna.

• RansomEXX is claiming 112GB of stolen data from Gigabyte and close to 21GB of data from Zegna.

• While Gigabyte has not released any information on the attack, the private leak page has been located and strongly indicates that the company has been successfully attacked. Further, portions of Gigabyte’s infrastructure and websites were offline recently, which is another indicator of a ransomware attack.

• RansomEXX has been around since 2018, operating under another name, Defray, until the group rebranded in 2020. Regardless, their ransomware follows known behaviors and Acronis Cyber Protect’s Active Protection recognizes and stops it.

Video link to Cyber Protection Operation’s Center update on this topic

• The BlackMatter ransomware group, which is believed to have emerged out of the DarkSide group, has added a module to encrypt Linux VMware ESXi servers. This follows the pattern of other ransomware groups such as REvil, Babuk or RansomEXX, which all have Linux variants as well.

• The ransomware added a VMware ESXi library for their ELF 64-bit encryptor. This allows them to list all VM hosts and shut them down, before encrypting their images.

• The group openly searches for people that can provide access to corporate networks of companies with more than US$100 million in revenue.

• Acronis Cyber Protect provides Active Protection, which blocks ransomware threats on Windows, Mac, or Linux operating systems, based on the exhibited behaviors, before they can do any damage.

Video link to Cyber Protection Operation’s Center update on this topic

• Researchers identified a new strain of the Golang crypto-worm that is now faster and more efficient by 15%.

• Cryptojacking, which is a heavily under-reported issue, is detected close to half a million times on victims’ machines monthly.

• Attackers using this worm are scanning for vulnerabilities in XML-RPC, provided by WordPress, and Oracle WebLogic Servers. On successful exploitation, XMRig is installed along with a worm that spreads it to other sensitive directories.

• Cryptojacking degrades system performance and can eventually render a system unusable. Acronis Cyber Protect’s Active Protection recognizes cryptojacking behavior and stops it before your electric bills increase, or equipment is damaged.
