Cyber Incident Victim: Kearney & Company
Date:
Nov 2022
Location:
United States of America
Summary
The LockBit 3.0 ransomware group compromised Kearney & Company, a government-focused CPA firm providing financial audit and consulting services, exfiltrating sensitive data including financial documents, contracts, audit reports, and billing records. The attackers threatened to publish the stolen information unless a $2 million ransom was paid, offering a 24-hour deadline extension for an additional $10,000 payment. This incident exemplified LockBit's pattern of targeting high-value entities with critical operational data to pressure ransom compliance.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 2 techniques |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
On or around November 5, 2022, the LockBit 3.0 ransomware gang claimed responsibility for a cyberattack targeting Kearney & Company, a certified public accounting firm specializing in financial management services for U.S. government entities. The group added Kearney to its data leak site, threatening to publish stolen company data by November 26 unless a ransom was paid. Attackers released a sample of allegedly exfiltrated data containing financial documents, contracts, audit reports, and billing records. The gang demanded $2 million for permanent deletion of the stolen data and offered a 24-hour extension of the deadline for an additional $10,000 payment. Kearney & Company, which provides audit, consulting, and IT services to federal agencies, faced potential exposure of sensitive government-related financial operations materials. No official statement from the company regarding incident verification or negotiations was referenced in available information. The incident coincided with LockBit's claims of breaching other major organizations, including automotive supplier Continental and defense contractor Thales, during the same timeframe.
LockBit 3.0 operators, active since at least 2019, implemented updated tactics including a bug bounty program and cryptocurrency payment options through Zcash prior to this attack. The group maintained one of the most prolific ransomware operations at the time of the incident. The publication of financial and contractual documents posed immediate risks to Kearney's government client confidentiality and operational security. Potential impacts included compromised federal financial systems intelligence, contractual obligation exposures, and reputational damage affecting government contracting relationships. The absence of disclosed containment measures or recovery actions in source material left the final disposition of data and systems unresolved in public reporting. LockBit's established pattern of data auctioning and secondary extortion attempts against clients created additional exposure vectors beyond the initial breach.