Chemical distribution company Brenntag paid a $4.4 million ransom in Bitcoin to the DarkSide ransomware gang to receive a decryptor after a the criminal gang encrypted the company’s files. Brenntag is a world-leading chemical distribution company headquartered in Germany but with over 17,000 employees worldwide at over 670 sites. According to the ICS Top 100 Chemical Distributors report, Brenntag is the second largest in sales for North America. In May, Brenntag suffered a ransomware attack that targeted their North American division, encrypted some files and stole unencrypted files. The DarkSide ransomware gang claims to have stolen 150GB worth of data. To prove their claims, DarkSide created a private data leak page containing a description of the types of data stolen and screenshots of some of the files. DarkSide initially demanded a 133.65 Bitcoin ransom, valued at approximately $7.5 million USD at the time. However, after negotiations, the ransom demand was decreased to $4.4 million, which was paid three days ago. Yesterday, Brenntag shared a statement confirming that they suffered a security incident but did not outright state it was a ransomware attack. “Brenntag North America is currently working to resolve a limited information security incident,” As soon as we learned of this incident, we disconnected affected systems from the network to contain the threat. In addition, third-party cybersecurity and forensic experts were immediately engaged to help investigate. We also informed law enforcement of this incident.” DarkSide is a Ransomware-as-a-Service (RaaS) operation, which is when the ransomware developers partner with third-party affiliates, or hackers, who are responsible for gaining access to a network and encrypting devices. As part of this arrangement, the core DarkSide team earns 20-30% of a ransom payment, and the rest goes to the affiliate who conducted the attack. One of the conditions for most ransomware negotiations is that the affiliate discloses how they gained access to a victim’s network. This could come in the form of a multi-page “security audit” report or simply a simple paragraph in the Tor chat screen explaining how they gained access. In this case, the DarkSide affiliate claims to have gotten access to the network after purchasing stolen credentials. However, the DarkSide affiliate does not know how the credentials were originally obtained.
Written by: Nataliia Zdrok, Threat Intelligence Analyst at Binary Defense Russia’s invasion of Ukraine increased