
Multinational Conglomerate Johnson Controls Hit by Massive Ransomware Attack, Disrupting Operations

Updated: Oct 5, 2023

Over the weekend, multinational conglomerate Johnson Controls International fell victim to a massive ransomware attack, resulting in the encryption of numerous company devices, including critical VMware ESXi servers. The attack, initially stemming from a breach at the company's Asia offices, has had far-reaching implications, impacting not only Johnson Controls but also its subsidiaries, including York, Simplex, and Ruskin.

As a result of the cyberattack, several subsidiaries have been forced to display technical outage messages on their website login pages and customer portals. These outages have created disruptions in services, with the affected companies actively working to mitigate potential impacts and restore normal operations. The attack has underscored the vulnerability of even major corporations to increasingly sophisticated cyber threats.

The ransomware group responsible for the attack, Dark Angels, has gained notoriety in recent months for its global targeting of organizations. Dark Angels typically infiltrates corporate networks, moves laterally within them, and exfiltrates data from file servers to facilitate double-extortion attacks. Once access to the Windows domain controller is secured, the group deploys ransomware to encrypt all devices on the network.

Interestingly, Dark Angels initially used Windows and VMware ESXi encryptors based on the leaked source code of the Babuk ransomware. However, cybersecurity researchers have revealed that the Linux encryptor used in the Johnson Controls attack is consistent with those employed by Ragnar Locker since 2021.

Furthermore, Dark Angels operates a data leak site called 'Dunghill Leaks,' which is used to extort victims by threatening to release stolen data if a ransom is not paid. The site currently lists nine victims, including major companies like Sabre and Sysco, both of which recently disclosed cyberattacks.

This incident serves as a stark reminder of the evolving and persistent threat landscape faced by organizations worldwide. As cybercriminals continue to develop new tactics and target high-profile entities, the need for robust cybersecurity measures and vigilant defenses remains paramount.

"Organizations should turn to low-code automation to prevent the chances of a targeted cyberattack such as the one on Johnson Controls. Utilizing the power of this type of automation removes the need for heavy coding from the user and gives security teams time back to focus on triaging alerts and proactively protecting assets.

Security automation also helps reduce organizational risk by reducing the need for human intervention when it comes to threat detection and incident response activities." -- Nick Tausek, Lead Security Automation Architect at Swimlane

