Johnson Controls Begins Notifying Individuals Impacted by 2023 Ransomware Attack

Johnson Controls is notifying individuals impacted by a 2023 ransomware attack that exposed data and disrupted global operations. The Dark Angels ransomware group is believed to be responsible.

    In the aftermath of a major ransomware incident that disrupted operations worldwide, Johnson Controls is now formally notifying individuals whose personal data was stolen during the breach.

    Enterprise Giant Confirms Long-Duration Breach and Ongoing Notification Efforts

    Johnson Controls, a global leader in building automation and industrial control systems, has started notifying affected individuals of a ransomware breach that severely impacted its global operations in September 2023. The company, which operates across 150 countries and reported $27.4 billion in revenue for 2024, confirmed that threat actors had unauthorized access to its systems for nearly eight months, from February 1 to September 30, 2023.

    The breach was first reported in September 2023 and has now led to formal disclosure to victims via data breach notification letters, filed with regulators including California’s Attorney General. While the company redacted specific details of the stolen data, the timeline of events reveals a sophisticated, prolonged attack.

    “Based on our investigation, we determined that an unauthorized actor accessed certain Johnson Controls systems… and took information from those systems,” the company stated in its filing.

    Multi-Stage Intrusion Originated from Asian Offices

    The compromise began in early 2023, reportedly through Johnson Controls’ Asian offices. After initial access, the attackers moved laterally within the network, eventually deploying ransomware and exfiltrating data. The attack culminated in September, forcing the company to shut down major segments of its IT infrastructure.

    Systems encrypted during the attack included VMware ESXi virtual machines, which are critical for enterprise operations. Customer-facing systems were also affected, leading to global service disruptions.

    Attack Linked to Dark Angels Ransomware Group

    Although Johnson Controls did not publicly name the threat actor responsible, evidence suggests the ransomware group Dark Angels was behind the incident. A sample of a VMware ESXi encryptor linked to Dark Angels, found during the investigation, bore direct references to Johnson Controls.

    Security researchers and internal sources revealed that the ransomware group left a negotiation portal where they demanded a $51 million ransom in exchange for a decryptor and deletion of the stolen data. The attackers claimed to have exfiltrated over 27 terabytes of corporate data.

    “After becoming aware of the incident, we terminated the unauthorized actor’s access… engaged third-party cybersecurity specialists… and notified law enforcement,” the company wrote.

    Growing Impact and Mounting Recovery Costs

    In a January 2024 SEC filing, Johnson Controls disclosed that the company had already incurred $27 million in costs related to incident response and remediation. However, this figure is expected to increase as recovery efforts continue.

    The cybercriminals reportedly used a Linux-based encryptor that resembled those used in Ragnar Locker attacks since 2021, further complicating attribution and indicating code sharing or reuse between groups.

    Dark Angels is known for its double extortion tactics—stealing sensitive data before encrypting systems and pressuring victims by threatening to publish stolen files on its dark web leak site Dunghill Leaks. The group leverages tools based on leaked Babuk ransomware source code, targeting Windows and VMware environments alike.

    Strategic Recovery Now Essential for Enterprises

    The Johnson Controls breach is a reminder of how deeply ransomware attacks can impact enterprise-scale organizations—disrupting operations, exposing sensitive data, and generating steep remediation costs. With more ransomware groups now targeting virtual environments and deploying stealthier tactics, organizations need robust defense strategies to withstand similar events.

    This is where air-gapped, immutable backup and recovery becomes crucial. In cases like Johnson Controls, having an unbreachable backup environment can ensure fast operational recovery and data integrity even when systems are encrypted.
