Ransomware Attacks Multinational Building Automation Company

The building automation company Johnson Controls has suffered a massive ransomware attack, according to BleepingComputer. Its VMware ESXi servers are encrypted, impacting the operations of its many subsidiaries, including York, Tyco, Luxaire, Coleman, Ruskin, Grinnel, and Simplex.

Customers of York reported being told the company’s systems were down due to the attack. “Their computer system crashed over the weekend. Manufacturing and everything is down,” a York customer posted to Reddit.

The incident was confirmed in a Form 8-K filing with the SEC. The form says the company is stating that they are working with external cybersecurity experts to investigate the incident and coordinating with insurers. It claims that to date many applications are largely unaffected and remain operational, and others are functional via workarounds for certain operations to mitigate disruptions and continue servicing its customers. Nevertheless, business operations were affected, and the timely release of fourth quarter and full fiscal year results, as well as the impact on financial results, are up in the air.

Johnson Controls is a multinational conglomerate that employs 100,000 people and develops and manufactures industrial control systems, security equipment, air conditioners, and fire safety equipment. It received a ransom note that links to a negotiation chat where a demand for $51 million to provide a decryptor and delete stolen data is posted.

The gang, tentatively identified as Dark Angel, claims it stole over 27 TB of corporate data. Dark Angels is a ransomware operation that launched in May 2022. It breaches corporate networks and then spreads laterally, stealing data from file servers to be used in double-extortion attacks.