BleepingComputer reports that multinational building automation conglomerate Johnson Controls and its subsidiaries had their operations disrupted over the weekend by a significant ransomware attack, claimed by the Dark Angels ransomware operation, that compromised the company's VMware ESXi servers and various other devices.
After some of its IT systems were taken down following the attack, Johnson Controls subsidiaries Simplex, York, and Ruskin disclosed technical outages on their customer portals and website login pages. One York customer posted on Reddit that all of the company's systems had been down since the intrusion.
In a Form 8-K filed with the Securities and Exchange Commission, Johnson Controls said its investigation into the extent of the attack is still underway.
Meanwhile, Dark Angels claims to have stolen more than 27 TB of data in addition to encrypting the firm's VMware ESXi machines, and is demanding a $51 million ransom from Johnson Controls. The group commenced operations in May 2022.
Milan-based private investigations firm Equalize, led by former top police official Carmine Gallo, was reportedly behind the years-long hacking campaign, which was facilitated by bribes to police officers, compromise of targets with remote access trojans, and the compromise of personnel maintaining the Italian Interior Ministry's computer system.
Most of the vulnerable CyberPanel instances, which could be taken over by exploiting the security issue, were located in the U.S., followed by Germany, Singapore, Indonesia, and India, according to threat intelligence search engine LeakIX.
The malicious emails, in which the attackers sometimes spoofed Microsoft employees or used Microsoft- and Amazon Web Services-themed social engineering lures, carried Remote Desktop Protocol configuration (.rdp) files as attachments. When a recipient opened one of these files, the targeted device established an outbound RDP connection to an attacker-controlled server.
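The danger of an emailed .rdp file is that the connection settings it carries are honoured by the client: the file can point the victim's machine at an arbitrary host and ask for the victim's local drives, clipboard, printers and smart cards to be shared into that session. The following triage script is an added example, not code from the article or from any of the parties it describes. It parses the standard plain-text key:type:value layout of an .rdp file and flags the combination a phishing attachment needs: a connection to a host outside an allow-list plus one or more resource redirections. The allow-list, the choice of which settings count as risky, and the two sample files are this example's own assumptions.

```python
"""Triage an emailed .rdp attachment for attacker-friendly settings.

Added example; the allow-listed host, the risk rules and the sample
files below are constructed for illustration and are not from the article.
"""

# Assumed: the only host users are expected to open RDP sessions to.
ALLOWED_RDP_HOSTS = {"rdp.corp.example"}

# Standard .rdp setting names; treating these values as risky is this
# example's own judgement, not a documented rule.
RISKY_SETTINGS = {
    "drivestoredirect": lambda v: v not in ("", "0"),   # maps local drives into the session
    "redirectclipboard": lambda v: v == "1",
    "redirectsmartcards": lambda v: v == "1",
    "redirectprinters": lambda v: v == "1",
    "remoteapplicationmode": lambda v: v == "1",       # RemoteApp hides the remote desktop
}


def parse_rdp(text):
    """Return {setting: value} from 'key:type:value' lines; malformed lines are skipped."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        parts = line.split(":", 2)          # value may itself contain ':' (host:port)
        if len(parts) != 3:
            continue
        key, _type, value = parts
        settings[key.strip().lower()] = value.strip()
    return settings


def target_host(settings):
    """Extract the bare hostname from 'full address', dropping any port or IPv6 brackets."""
    address = settings.get("full address", "")
    if address.startswith("["):             # [ipv6]:port form
        return address[1:address.find("]")].lower() if "]" in address else address.lower()
    return address.split(":")[0].lower()


def assess_rdp(text):
    """Return a list of human-readable findings; empty means nothing suspicious."""
    settings = parse_rdp(text)
    findings = []
    host = target_host(settings)
    if host and host not in ALLOWED_RDP_HOSTS:
        findings.append(f"connects to non-allow-listed host {settings['full address']}")
    for key, is_risky in RISKY_SETTINGS.items():
        if key in settings and is_risky(settings[key]):
            findings.append(f"{key}={settings[key]}")
    return findings


def is_suspicious(text):
    """An attachment is suspicious when it reaches an unknown host AND redirects resources."""
    findings = assess_rdp(text)
    unknown_host = any(f.startswith("connects to") for f in findings)
    redirects = any(not f.startswith("connects to") for f in findings)
    return unknown_host and redirects


# Constructed sample files (not real attachments).
SAMPLE_MALICIOUS = """\
full address:s:attacker-host.example:3389
drivestoredirect:s:*
redirectclipboard:i:1
redirectsmartcards:i:1
remoteapplicationmode:i:1
"""

SAMPLE_BENIGN = """\
full address:s:rdp.corp.example
drivestoredirect:s:
redirectclipboard:i:0
"""

if __name__ == "__main__":
    for name, sample in (("malicious", SAMPLE_MALICIOUS), ("benign", SAMPLE_BENIGN)):
        print(name, is_suspicious(sample), assess_rdp(sample))
```

In a mail gateway this check belongs alongside a policy of blocking or quarantining .rdp attachments outright; the script is useful for triaging files that have already reached users and for deciding how urgently to hunt for outbound connections to the host it extracts.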