Massive Ransomware Attack at Johnson Controls

Johnson Controls International suffered a massive ransomware attack. The attack encrypted many of the company devices, including VMware ESXi servers, impacting the company’s and its subsidiaries’ operations. Johnson Controls shut down portions of its IT systems over the weekend. After which many of its subsidiaries, including York, Simplex, and Ruskin, begun to display technical outage messages on website login pages and customer portals.

Customers of York report that they are told the company’s systems are down. "Their computer system crashed over the weekend. Manufacturing and everything is down," a York customer posted to Reddit. "I talked to our rep and he said someone hacked them," posted another customer. This morning, Nextron Systems threat researcher Gameel Ali tweeted a sample of a Dark Angels VMw. BleepingComputer reports the ransom note links to a negotiation chat where the ransomware gang demands $51 million to provide a decryptor and to delete stolen data. The threat actors also claim to have stolen over 27 TB of corporate data and encrypted the company's VMWare ESXi virtual machines during the attack.

BleepingComputer reports that the Linux encryptor used in the Johnson Controls attack is the same as ones used by Ragnar Locker since 2021. They contacted Johnson Controls with questions regarding the attack but has not received a response.

Estimated Cost

>27TB data stolen; $51M ransomware demanded

Threat Source

Impacts

OT IT