Building automation giant Johnson Controls hit by ransomware attack - Bleeping Computer
2023-09-27 15:08 (EST)
Johnson Controls International has suffered what is described as a massive ransomware attack that encrypted many of the company devices, including VMware ESXi servers, impacting the company’s and its subsidiaries’ operations.
Johnson Controls is a multinational conglomerate that develops and manufactures industrial control systems, security equipment, air conditioners, and fire safety equipment.
The company employs 100,000 people through its corporate operations and subsidiaries, including York, Tyco, Luxaire, Coleman, Ruskin, Grinnel, and Simplex.
A weekend cyberattack
Yesterday, a source told BleepingComputer that Johnson Controls suffered a ransomware attack after initially being breached at its Asia offices.
BleepingComputer has since learned that the company suffered a cyberattack over the weekend that caused the company to shut down portions of its IT systems.
Since then, many of its subsidiaries, including York, Simplex, and Ruskin, have begun to display technical outage messages on website login pages and customer portals.
"We are currently experiencing IT outages that may limit some customer applications such as the Simplex Customer Portal," reads a message on the Simplex website.
"We are actively mitigating any potential impacts to our services and will remain in communication with customers as these outages are resolved."
Johnson Controls technical outage message on York website
Source: BleepingComputer
Customers of York, another Johnson Controls subsidiary, report that they are being told the company’s systems are down, with some stating they were told it was due to a cyberattack.
"Their computer system crashed over the weekend. Manufacturing and everything is down," a York customer posted to Reddit.
"I talked to our rep and he said someone hacked them," posted another customer.
This morning, Nextron Systems threat researcher Gameel Ali tweeted a sample of a Dark Angels VMware ESXi encryptor containing a ransom note stating it was used against Johnson Controls.
Dark Angels ransom note
Source: BleepingComputer
BleepingComputer has been told that the ransom note links to a negotiation chat where the ransomware gang demands $51 million to provide a decryptor and to delete stolen data.
The threat actors also claim to have stolen over 27 TB of corporate data and encrypted the companys VMWare ESXi virtual machines during the attack.
BleepingComputer has contacted Johnson Controls with questions regarding the attack but has not received a response.
Who is the Dark Angels ransomware gang?
Dark Angels is a ransomware operation launched in May 2022 when it began targeting organizations worldwide.
Like almost all human-operated ransomware gangs, Dark Angels breaches corporate networks and then spreads laterally through the network. During this time, the threat actors steal data from file servers to be used in double-extortion attacks.
When they gain access to the Windows domain controller, the threat actors deploy the ransomware to encrypt all devices on the network.
The threat actors initially used Windows and VMware ESXi encryptors based on the source code leak for the Babuk ransomware.
However, cybersecurity researcher MalwareHunterTeam tells BleepingComputer that the encryptor used in the Johnson Controls attack is the same as ones used by Ragnar Locker since 2021.
Dark Angels launched a data leak site in April 2023 called Dunghill Leaks that is used to extort its victims, threatening to leak data if a ransom is not paid.
Dark Angels Dunghill Leaks data leak site
Source: BleepingComputer
This extortion site currently lists nine victims, including Sabre and Sysco, who recently disclosed cyberattacks.
