Ransomware Attack on Johnson Controls Takes Down Its Subsidiaries

PK Tech Blog Image (4)

Building automation giant Johnson Controls was recently hit by a ransomware attack that encrypted many of its company devices (reference). Affected devices included VMware ESXi servers and significantly impacted the company’s and its subsidiaries’ operations.

Johnson Controls is known for industrial manufacturing of security equipment, control systems, fire safety equipment, and air conditioners. As a multinational conglomerate developer and manufacturer, they were a big target for the ransomware gang –” big,” meaning broad scope, large employee count, and many subsidiaries.

While attacks on healthcare and financial corporations typically steal the headlines, let’s dig into the effects when a manufacturing giant takes the hit and best practices for managing whole enterprise IT security, including subsidiaries, for large corporations. 

Why Was Johnson Controls Targeted? 

Ransomware groups love to go after organizations with significant employee counts. Why? More data, more sensitive data, and more targets. Johnson Controls reportedly employs over 100,000 people.

Second, Johnson Controls is an ideal target with several big-name subsidiaries, including Luxaire, Ruskin, Coleman, York, Simplex, and Grinnel. More subsidiaries equals more attack surface area and more data to steal. 

After the initial attack, several subsidiaries also started reporting technical outages. 

The ransomware gang reports to have stolen over 27 TB of corporate data and encrypted the company’s VMWare ESXi virtual machines, in addition to demanding $51 million to return stolen data. 

In the Johnson Controls attack, we see a new and disturbing tactic by extortionists: attacking via remote (Asian) offices on the weekend. Most frequently, ransomware groups will strike on weekdays when businesses are in the full swing of operations. An attack on the weekend via a remote office poses interesting questions about weekend monitoring. Did the ransomware group perhaps target Johnson Controls via a remote office  on the weekend in an effort to avoid detection? 

Cybersecurity Protection for Subsidiaries 

Whether your organization has one or 1,000 subsidiaries, you should ensure that your team is using best practices for whole enterprise security risk management. Your subsidiaries are a part of your threat landscape and should be considered when crafting a proactive cybersecurity plan for your organization. 

A key challenge for holding companies, multinational corporations, and other conglomerates is monitoring the IT security risk of their subsidiaries. Subsidiary IT environments contain assets and networks you don’t manage but can nevertheless put your organization at risk, and are at turn at risk from incidents in the holding company. As you look at the whole picture of your enterprise security, be sure that you consider subsidiary risk as a piece to the puzzle.

From Johnson Controls failures, we can learn from their mistakes by following best practices for whole enterprise cybersecurity evaluation and monitoring, including the added risk of subsidiaries, when relevant.  

  1. Assess Subsidiary Risks – fully assess all subsidiaries and weak cybersecurity points.
  2. Measure Your Security Posture – dig into every aspect of your organization’s cybersecurity–including that of subsidiaries–and address critical security points. Is it up to par with your own organization’s security posture?
  3. Eliminate Critical Risks – provide your internal IT team and that of your subsidiaries with a list of critical risks and require immediate attention to items on the list – then monitor the progress closely.
  4. Monitor Continuously – continuously manage and monitor your whole enterprise security, including remote offices and  that of any existing subsidiaries as they relate to the overall cybersecurity health of your organization. 

Managed IT Services Phoenix 

Whether you are a single-location small business or a large corporation with one or more subsidiaries, PK Tech is here to provide personalized cybersecurity services to your business. We assess your current security posture and prevention plan, then make recommendations and assist in implementation. 

Schedule a free 15-minute chat with a member of the PK Tech team today.