Johnson Controls Hit by $51 Million Dark Angels Ransomware Attack

Estimated read time 3 min read

Don’t you wonder how secure the companies responsible for industrial control systems, security equipment, and fire safety are? Johnson Controls International, a giant in these sectors, has just faced a crippling ransomware attack. We think it’s crucial for you to know what happened, how it impacts the company, and what it means for the cybersecurity landscape.

The Attack Unveiled

Johnson Controls is no small player; the multinational conglomerate employs 100,000 people and has several subsidiaries, including York, Tyco, Luxaire, Coleman, Ruskin, Grinnel, and Simplex. During the WannaCry Events, they clearly showed to invest in cybersecurity1.. so what happened?

Over the weekend, a source revealed to BleepingComputer2 that the company’s Asia offices were initially breached. This breach escalated into a ransomware attack that affected many of its subsidiaries.

For example, York and Simplex started showing technical outage messages on their website login pages. Customers are being told that the systems are down due to a cyberattack. One York customer even posted on Reddit, “Their computer system crashed over the weekend. Manufacturing and everything is down.”

The Ransomware Gang: Dark Angels

Who are the culprits? The Dark Angels ransomware gang has claimed responsibility for the attack. Launched in May 2022, they have been targeting organizations worldwide3. They specialize in double-extortion attacks, stealing data before encrypting devices.

This time, they demanded a hefty $51 million for a decryptor and to delete the stolen data. They claimed to have stolen over 27 TB of corporate data and encrypted the company’s VMware ESXi virtual machines. They have a notorious data leak site called ‘Dunghill Leaks,’ where they threaten to leak data if the ransom is not paid.

Impact and Recovery Efforts

What does this mean for Johnson Controls? The company confirmed the cybersecurity incident in a Form 8-K filing with the SEC4. They are working with external cybersecurity experts to investigate the attack and are coordinating with insurers.

Johnson Controls International plc (the “Company”) has experienced disruptions in portions of its internal information technology infrastructure and applications resulting from a cybersecurity incident. Promptly after detecting the issue, the Company began an investigation with assistance from leading external cybersecurity experts and is also coordinating with its insurers. The Company continues to assess what information was impacted and is executing its incident management and protection plan, including implementing remediation measures to mitigate the impact of the incident, and will continue taking additional steps as appropriate. To date, many of the Company’s applications are largely unaffected and remain operational. To the extent possible, and in line with its business continuity plans, the Company implemented workarounds for certain operations to mitigate disruptions and continue servicing its customers. However, the incident has caused, and is expected to continue to cause, disruption to parts of the Company’s business operations. The Company is assessing whether the incident will impact its ability to timely release its fourth quarter and full fiscal year results, as well as the impact to its financial results.


Many of the company’s applications remain operational, but the incident has caused, and is expected to continue to cause, disruptions to parts of the company’s business operations.

The $51 million ransomware attack on Johnson Controls International is a grim reminder of the vulnerabilities that even giants in the industrial and technological sectors face. With a ransom note, stolen data, and encrypted servers, the Dark Angels ransomware gang has shown that no one is safe. As Johnson Controls works on damage control and system restoration, the incident serves as a stark warning for other companies to bolster their cybersecurity measures.

  1. ↩︎
  2. ↩︎
  3. ↩︎
  4. ↩︎
Reza Rafati

Reza Rafati, based in the Netherlands, is the founder of An industry professional providing insightful commentary on infosec, cybercrime, cyberwar, and threat intelligence, Reza dedicates his work to bolster digital defenses and promote cyber awareness.

You May Also Like

More From Author

+ There are no comments

Add yours