Ransomware Breach Exposes John W. Brooker Co. Client Data

Incident Date: September 24, 2024

Overview

Title: Ransomware Breach Exposes John W. Brooker Co. Client Data

Victim: John W. Brooker Co., CPAs

Attacker: Cicada 3301

Location: Oakland, California, USA

First Reported: September 24, 2024

Ransomware Attack on John W. Brooker Co., CPAs by Cicada 3301

John W. Brooker Co., CPAs, a reputable accounting firm based in Oakland, California, has recently been targeted by the ransomware group Cicada 3301. The attack, which was publicly disclosed on September 15, resulted in the exfiltration of 64 GB of sensitive data. This breach highlights the growing cybersecurity threats faced by financial advisory firms.

About John W. Brooker Co., CPAs

Established over 42 years ago, John W. Brooker Co., CPAs specializes in providing accounting, tax planning, consulting, and financial advisory services. The firm primarily serves medical and dental professionals, legal firms, and other service-oriented businesses. With approximately $411.67 million in regulatory assets under management across 540 client accounts, the firm is recognized for its personalized service and long-term client relationships. Despite its small team of three employees, the firm has maintained a strong presence in the Bay Area, focusing on high-net-worth individuals and charitable organizations.

Details of the Ransomware Attack

The ransomware attack orchestrated by Cicada 3301 involved the exfiltration of a significant amount of data, which has been made available on a dark web site. The attack underscores the vulnerabilities of financial advisory firms, particularly those with valuable data and potentially weaker cybersecurity defenses. The stolen data could expose sensitive financial information of the firm's clients, posing a significant risk to their privacy and financial security.

About Cicada 3301

Cicada 3301 is a newly emerged Ransomware-as-a-Service (RaaS) and data broker group that first gained attention in mid-2024. Unlike traditional ransomware groups, Cicada 3301 focuses on exfiltrating and selling sensitive data rather than demanding quick ransom payments. Their operations involve a double-extortion model, threatening to release stolen data if demands are not met. The group is known for its sophisticated tactics, including the use of phishing campaigns and brute-forcing VPN credentials to gain initial access.

Potential Vulnerabilities and Penetration Methods

John W. Brooker Co., CPAs, like many small to medium-sized businesses, may have been targeted due to its valuable data and potentially vulnerable VPN environments. Cicada 3301's use of the Brutus botnet for brute-forcing VPN credentials and their focus on data exfiltration before encryption are indicative of their advanced operational capabilities. The firm's reliance on digital systems for managing client data could have made it an attractive target for such a sophisticated ransomware group.

Recent Ransomware Attacks

The Recent Ransomware Attacks (RRA) site acts as a watchtower, providing you with near real-time ransomware tracking of attacks, groups and their victims. Given threat actors’ overarching, lucrative success so far, ransomware attacks have become the most ubiquitous cyber threat to businesses and organizations today, and the most impactful in financial and informational terms.

The site’s data is generated based on hosting choices of real-world threat actors, and a handful of other trackers. While sanitization efforts have been taken, we cannot guarantee 100% accuracy of the data. Attack updates will be made as source data is reported by reputable sources. By viewing, accessing, or using RRA you acknowledge you are doing so at your own risk.