Johnson Controls begins notifying individuals affected by 2023 breach


Building automation giant Johnson Controls is notifying people whose information was stolen in a massive ransomware attack that impacted the company’s operations worldwide in September 2023.

Johnson Controls is a multinational conglomerate that develops and manufactures industrial control systems, security equipment, HVAC systems, and fire safety equipment for buildings. The company employs over 100,000 people through its corporate operations and subsidiaries across 150 countries, reporting sales of $27.4 billion in 2024.

As BleepingComputer first reported, Johnson Controls was hit by a ransomware attack in September 2023, following a breach of the company’s Asian offices in February 2023 and subsequent lateral movement through its network.

“Based on our investigation, we determined that an unauthorized actor accessed certain Johnson Controls systems from February 1, 2023 to September 30, 2023 and took information from those systems,” the company says in data breach notification letters filed with California’s Attorney General, redacted to conceal what information was stolen in the attack.

“After becoming aware of the incident, we terminated the unauthorized actor’s access to the affected systems. In addition, we engaged third-party cybersecurity specialists to further investigate and resolve the incident. We also notified law enforcement and publicly disclosed the incident in filings on September 27, 2023; November 13, 2023; and December 14, 2023.”

The cyberattack forced Johnson Controls to shut down large portions of its IT infrastructure after the threat actors encrypted many devices, which affected its operations worldwide and customer-facing systems.

Johnson Controls confirmed in a January 2024 SEC filing that the cyberattack was orchestrated by a ransomware gang that also stole documents from compromised systems during the breach.

While the firm did not attribute the incident to a specific ransomware operation, the attack was linked to the Dark Angels ransomware group based on a sample of a VMware ESXi encryptor deployed during the breach, which stated that it was used against Johnson Controls.

Dark Angels ransom note (BleepingComputer)

BleepingComputer was also told that the ransom note linked to a negotiation chat where the ransomware gang demanded $51 million for a decryptor and to delete data stolen from Johnson Controls’ network.

The ransomware operators also encrypted the company’s VMware ESXi virtual machines during the attack and claimed to have stolen over 27 TB of documents containing corporate data.

At the time, the company stated that expenses related to incident response and remediation had already reached $27 million, but also noted that it expected this amount to increase as the investigation and remediation efforts progressed.

Dark Angels, the ransomware operation behind Johnson Controls’ 2023 breach, surfaced in May 2022 when it began targeting organizations worldwide in double-extortion attacks. In these attacks, the group steals sensitive data and uses it to pressure victims under the threat of publishing it online on its dark web leak site, known as Dunghill Leaks.

They also deploy ransomware to encrypt all devices on the network after gaining access to the Windows domain controller, using Windows and VMware ESXi encryptors based on leaked Babuk ransomware source code.

However, cybersecurity researcher MalwareHunterTeam told BleepingComputer that the Linux encryptor used in the Johnson Controls attack was the same as others used by Ragnar Locker ransomware since 2021.
