A ransom of 51 million US dollars! Johnson Controls was attacked by ransomware, resulting in partial operational interruption

Johnson Controls International suffered what has been described as a large-scale ransomware attack that encrypted many of the company's devices, including VMware ESXi servers, affecting the operations of the company and its subsidiaries. Johnson Controls is a global leader in the field of intelligent buildings, committed to creating safe, healthy, and sustainable spaces, with a history of over 140 years. It mainly develops and manufactures industrial control systems, safety equipment, air conditioning, and fire safety equipment, serving industries such as healthcare, schools, data centers, airports, sports venues, hotels, and manufacturing. The company employs 100,000 people across its operations and subsidiaries, including York, Tyco, Luxaire, Coleman, Ruskin, Grinnel, and Simplex, with customers in over 150 countries and regions worldwide. The attack has caused multiple subsidiaries, including York, Simplex, and Ruskin, to face technical issues, as evidenced by the outage messages displayed on their respective website login pages and customer portals. However, Johnson Controls has not yet issued an official statement regarding the incident.

A cyber attack that occurred over the weekend

According to its Form 8-K filing, a US cybersecurity incident report, Johnson Controls has officially reported the cybersecurity incident to regulatory authorities.

On the 26th, a source told BleepingComputer that Johnson Controls was initially attacked by ransomware at its Asian office.

BleepingComputer later learned that the company suffered a cyber attack over the weekend, which resulted in the company shutting down some of its IT systems.

Since then, many of its subsidiaries, including York, Simplex, and Ruskin, have started displaying technical outage messages on website login pages and customer portals.

A message on the Simplex website reads: "We are currently experiencing IT outages that may limit certain customer applications, such as the Simplex customer portal. We are actively mitigating any potential impact on our services and will maintain communication with customers after resolving these interruption issues."

Customers of York, another subsidiary of Johnson Controls, reported being told that the company's systems had crashed, and some of them stated that this was caused by a cyber attack.

A York client posted on Reddit saying, "Their computer system crashed over the weekend. Manufacturing and everything were paralyzed."

Another customer posted, saying, "I talked to our representative and he said someone hacked them."

On the morning of the 27th, Nextron Systems threat researcher Gameel Ali posted a sample of the Dark Angels VMware ESXi encryptor on Twitter, which contained a ransom note claiming that the sample was used against Johnson Controls.

BleepingComputer learned that the ransom note links to a negotiation chat in which the ransomware gang demands $51 million to provide a decryptor and delete the stolen data.

The threat actor also claimed to have stolen over 27 TB of company data and encrypted the company's VMware ESXi virtual machines during the attack.

BleepingComputer has contacted Johnson Controls to inquire about the attack, but has not received a response yet.

This is not the first time Johnson Controls has encountered a ransomware attack. In 2017, the company's surveillance cameras located in Washington, D.C., which form part of the closed-circuit television system in public places, fell victim to ransomware. Another incident occurred in 2019, when Johnson Controls released a product security announcement due to a ransomware attack that exploited vulnerabilities in the Microsoft SMB protocol, which may affect certain Metasys installations. In response to these events, Johnson Controls even released a white paper focusing on reducing the risk of ransomware in intelligent buildings.

Who is the Dark Angels ransomware gang?

Dark Angels is a ransomware operation launched in May 2022, when it began targeting organizations worldwide.

Like almost all human-operated ransomware gangs, Dark Angels breaches corporate networks and then moves laterally through the network. During this period, the threat actors steal data from file servers for use in double-extortion attacks.

When threat actors gain access to Windows domain controllers, they deploy ransomware to encrypt all devices on the network.

The threat actors initially used Windows and VMware ESXi encryptors based on the leaked source code of the Babuk ransomware.

However, cybersecurity researcher MalwareHunterTeam told BleepingComputer that the Linux encryptor used in the Johnson Controls attack is the same as the encryptor used by Ragnar Locker since 2021.

Dark Angels launched a data leak site called "Dunghill Leaks" in April 2023 to extort victims, threatening to leak data if the ransom is not paid.

The leak site currently lists 9 victims, including Sabre and Sysco, which recently disclosed cyber attacks.

Since the beginning of this year, international automation giants such as Schneider Electric, Siemens Energy, ABB, and Honeywell have encountered ransomware attacks. This time, it is Johnson Controls. The aftershocks of attacks on industrial automation manufacturers are likely to linger for months. After ABB was extorted, it chose to pay to make the problem go away. Faced with a ransom of 51 million US dollars, how will Johnson Controls respond?

Reference Resources

1. https://www.bleepingcomputer.com/news/security/building-automation-giant-johnson-controls-hit-by-ransomware-attack/
2. https://www.reddit.com/r/HVAC/comments/16t2876/anyone_know_about_johnson_controls/
3. https://seekingalpha.com/filing/7894954?hasComeFromMpArticle=false
4. https://beststocks.com/ransomware-attack-on-johnson-controls-interna/