Ransomware group demands $51 million from Johnson Controls after cyber attack

Johnson Controls, a multinational conglomerate that secures industrial control systems, security equipment, fire safety and air conditioning systems, has been hit by a massive cyber attack.

The company, which employs over 100,000 people around the world, suffered a ransomware attack over the weekend which left data encrypted and caused it to shut down sections of its IT infrastructure.

The Dark Angels ransomware group has claimed responsibility for the attack, and claims to have exfiltrated over 25 TB of data from the organisation.  The threat?  If a whopping $51 million ransom is not paid, Dark Angels say that the stolen data will be published on the "Dunghill Leaks" site.

In an SEC filing, Johnson Controls confirmed that it had "experienced disruptions in portions of its internal IT infrastructure and applications" as a result of the ransomware attack.

Johnson Controls says that it brought in external cybersecurity experts after it became aware of the issue, and "is also coordinating with its insurers."

The company says it is implementing incident response plans and "including implementing remediation measures to mitigate the impact of the incident."

Whether this means that Johnson Controls will be prepared to pay a ransom or not (one presumes that if they were they would at least ask negotiators to attempt to get a lower price) remains to be seen.

However, it should be borne in mind that many of Johnson Controls's customers are using them to secure state and federal buildings, as well as critical infrastructure.  As such, it can easily be argued that the attack (and potential release of exfiltration of highly sensitive data) could be considered a risk to national security.

As such, the Dark Angels ransomware gang may have bitten off more than they can chew by targeting a company like Johnson Controls.  It's very likely that law enforcement agencies will put considerable effort into attempting to identify those responsible for the attack and bring them to justice.

My hunch is that the Dark Angels group were being rather optimistic when in their extortion message to Johnson Controls they insisted that "co-operating with the FBI, CISA, and so on and involving their officers in negotiations" was "strictly forbidden" and would result in them ending negotiations and result in all of the leaked data being published for free.

Johnson Controls says that the attack "has caused, and is expected to continue to cause, disruption to parts of the company’s business operations," although it is unknown at this point whether it will have an impact on its financial results.