Constructing automation large Johnson Controls is notifying people whose information was stolen in an enormous ransomware assault that impacted the corporate’s operations worldwide in September 2023.
Johnson Controls is a multinational conglomerate that develops and manufactures industrial management methods, security gear, HVAC methods, and hearth security gear for buildings. The corporate employs over 100,000 folks by its company operations and subsidiaries throughout 150 nations, reporting gross sales of $27.4 billion in 2024.
As BleepingComputer first reported, Johnson Controls was hit by a ransomware assault in September 2023, following a breach of the corporate’s Asian places of work in February 2023 and subsequent lateral motion by its community.
“Primarily based on our investigation, we decided that an unauthorized actor accessed sure Johnson Controls methods from February 1, 2023 to September 30, 2023 and took data from these methods,” the corporate says in data breach notification letters filed with California’s Lawyer Common, redacted to hide what data was stolen within the assault.
“After turning into conscious of the incident, we terminated the unauthorized actor’s entry to the affected methods. As well as, we engaged third-party cybersecurity specialists to additional examine and resolve the incident. We additionally notified legislation enforcement and publicly disclosed the incident in filings on September 27, 2023; November 13, 2023; and December 14, 2023.”
The cyberattack compelled Johnson Controls to close down giant parts of its IT infrastructure after the menace actors encrypted many gadgets, which affected its operations worldwide and customer-facing methods.
Johnson Controls confirmed in a January 2024 SEC submitting that the cyberattack was orchestrated by a ransomware gang that additionally stole paperwork from compromised methods through the breach.
Whereas the agency did not attribute the incident to a particular ransomware operation, the assault was linked to the Darkish Angels ransomware group based mostly on a pattern of a VMware ESXi encryptor deployed through the breach, which acknowledged that it was used in opposition to Johnson Controls.
BleepingComputer was additionally advised that the ransom notice linked to a negotiation chat the place the ransomware gang demanded $51 million for a decryptor and to delete information stolen from Johnson Controls’ community.
The ransomware operators additionally encrypted the corporate’s VMware ESXi digital machines through the assault and claimed to have stolen over 27 TB of paperwork containing company information.
On the time, the corporate acknowledged that bills associated to incident response and remediation had already reached $27 million, but in addition famous that it anticipated this quantity to extend because the investigation and remediation efforts progressed.
Darkish Angels, the ransomware operation behind Johnson Controls’ 2023 breach, surfaced in Could 2022 when it started focusing on organizations worldwide in double-extortion assaults. In these assaults, the group steals delicate information and makes use of it to stress victims below the specter of publishing it on-line on its darkish net leak web site, known as Dunghill Leaks.
Additionally they deploy ransomware to encrypt all gadgets on the community after getting access to the Home windows area controller, utilizing Home windows and VMware ESXi encryptors based mostly on leaked Babuk ransomware supply code.
Nonetheless, cybersecurity researcher MalwareHunterTeam advised BleepingComputer that the Linux encryptor used within the Johnson Controls assault was the identical as others utilized by Ragnar Locker ransomware since 2021.
Whereas cloud assaults could also be rising extra subtle, attackers nonetheless succeed with surprisingly easy strategies.
Drawing from Wiz’s detections throughout 1000’s of organizations, this report reveals 8 key strategies utilized by cloud-fluent menace actors.
