New Threat Research: Uncovering Adversarial LDAP Tradecraft

Read Threat Research


Chemical Supplier Pays $4.4 Million To DarkSide Ransomware

Chemical distribution company Brenntag paid a $4.4 million ransom in Bitcoin to the DarkSide ransomware gang to receive a decryptor after a the criminal gang encrypted the company’s files. Brenntag is a world-leading chemical distribution company headquartered in Germany but with over 17,000 employees worldwide at over 670 sites. According to the ICS Top 100 Chemical Distributors report, Brenntag is the second largest in sales for North America. In May, Brenntag suffered a ransomware attack that targeted their North American division, encrypted some files and stole unencrypted files. The DarkSide ransomware gang claims to have stolen 150GB worth of data. To prove their claims, DarkSide created a private data leak page containing a description of the types of data stolen and screenshots of some of the files. DarkSide initially demanded a 133.65 Bitcoin ransom, valued at approximately $7.5 million USD at the time. However, after negotiations, the ransom demand was decreased to $4.4 million, which was paid three days ago. Yesterday, Brenntag shared a statement confirming that they suffered a security incident but did not outright state it was a ransomware attack. “Brenntag North America is currently working to resolve a limited information security incident,” As soon as we learned of this incident, we disconnected affected systems from the network to contain the threat. In addition, third-party cybersecurity and forensic experts were immediately engaged to help investigate. We also informed law enforcement of this incident.” DarkSide is a Ransomware-as-a-Service (RaaS) operation, which is when the ransomware developers partner with third-party affiliates, or hackers, who are responsible for gaining access to a network and encrypting devices. As part of this arrangement, the core DarkSide team earns 20-30% of a ransom payment, and the rest goes to the affiliate who conducted the attack. One of the conditions for most ransomware negotiations is that the affiliate discloses how they gained access to a victim’s network. This could come in the form of a multi-page “security audit” report or simply a simple paragraph in the Tor chat screen explaining how they gained access. In this case, the DarkSide affiliate claims to have gotten access to the network after purchasing stolen credentials. However, the DarkSide affiliate does not know how the credentials were originally obtained.

Analyst Notes

This attack illustrates the need for enforcing multi-factor authentication for all logins on an organization’s network and placing all Remote Desktop servers behind a VPN. If MFA was enabled, it is likely that the attackers would not have been able to gain access to Brenntag’s network. It is also imperative that if a user’s login credentials are found to have been stolen, that their password should be revoked and the employee needs to make a new one that is completely different from other passwords used. The Binary Defense Counterintelligence service monitors criminal forums and leaked credential dumps on behalf of clients to notify them when employees passwords have been stolen so that they can be changed.


Source Article: