Cyber Incident Victim: Johnson Controls International

Date: Sep 2023

Location: United States of America

Summary

Johnson Controls International suffered a significant ransomware attack by the Dark Angels gang, leading to widespread encryption of VMware ESXi servers and operational disruptions across its subsidiaries, including York and Simplex. The attackers demanded $51 million for a decryptor and data deletion while claiming theft of over 27 terabytes of corporate information. The company shut down portions of its IT infrastructure, causing customer portal outages and manufacturing halts, with workarounds implemented to maintain partial services. External cybersecurity experts and insurers were engaged to investigate the incident, assess data impacts, and mitigate business interruptions, though financial reporting delays were anticipated due to ongoing remediation efforts.

Description

Johnson Controls International, a multinational conglomerate specializing in industrial control systems, security equipment, and fire safety solutions, suffered a significant ransomware attack in late September 2023. The incident began with a breach targeting the company’s Asia offices, leading to widespread encryption of corporate devices—including VMware ESXi servers—over the weekend preceding September 24. Subsidiaries such as York, Simplex, and Ruskin experienced operational disruptions, with customer portals displaying outage messages and technical support systems becoming inaccessible. Customers reported manufacturing halts and system crashes, with some representatives attributing the issues to a cyberattack. The ransomware gang Dark Angels deployed encryptors based on leaked Babuk source code and a Linux variant previously linked to Ragnar Locker, while claiming to have exfiltrated over 27 terabytes of corporate data. Internal IT infrastructure and applications were partially shut down as Johnson Controls initiated containment measures, though many core applications remained operational.

The company activated its incident response plan following detection, engaging external cybersecurity experts and insurers to investigate the breach and mitigate impacts. Dark Angels demanded $51 million via a negotiation chat linked to their ransom note, threatening to leak stolen data through their "Dunghill Leaks" site if unpaid. Johnson Controls confirmed the cybersecurity incident in a September 27 SEC Form 8-K filing, disclosing ongoing business disruptions and potential delays to its fourth-quarter earnings report. Workarounds were implemented under business continuity plans to maintain customer services, but the attack continued to affect subsidiaries’ operations during remediation efforts. The ransomware group’s history of double-extortion tactics aligned with their claims of data theft and encryption during the intrusion. Johnson Controls emphasized assessment of compromised information and execution of remediation measures while refraining from publicly confirming payment negotiations or detailed forensic findings.
