The world’s leading chemical distribution company Brenntag has shared additional information on what data was stolen from its network by DarkSide ransomware operators during an attack in late April 2021 that targeted its North American division.
Brenntag is the second largest in sales for North America, according to the ICIS Report on the Top 100 Chemical Distributors Worldwide.
The chemical distribution company is based in Germany and has more than 17,000 employees worldwide at more than 670 sites.
Stolen information includes SSN, medical information, more
Brenntag confirmed the ransomware attack in an email statement sent to Bleeping Computer on May 13, saying that it disconnected all affected systems from the network after the incident was found to contain the threat.
However, as revealed in data breach notification letters Sent to affected people in late June, the chemical distribution company learned of the attack on April 28, two days after DarkSide operators breached its network.
“Our investigation confirmed that Brenntag’s systems were accessed without authorization as of April 26, 2021 and / or that some information was taken from our system,” the company said.
The data extracted by the DarkSide attackers includes “social security number, date of birth, driver’s license number, and selected medical information.”
Fortunately, as Brenntag explained in more detail, third-party cybersecurity forensic experts hired to investigate the incident found no evidence that the stolen information was misused for fraudulent purposes.
The company also asked affected individuals (more than 6,700 according to information provided to the Maine Attorney General) to review their bank statements and monitor their free credit reports for any attempted identity theft and fraud.
“If you find a transaction that you do not recognize, contact the company or institution issuing the statement,” added Brenntag.
$ 4.4 million ransom paid to DarkSide
As Bleeping Computer reported in May, the chemical distributor paid a $ 4.4 million ransom to DarkSide for a decryptor and to prevent the ransomware gang from leaking the stolen data.
The ransom was traded for 133.65 bitcoins (roughly $ 7.5 million at the time), and Brenntag sent the $ 4.4 million to the attackers on May 11, as BleepingComputer was able to confirm.
After the attack, the DarkSide ransomware group claimed to have exfiltrated 150 GB of data while accessing Brenntag’s systems.
As proof of their claims, the threat actors also created a private data leak page with a description of the types of data stolen and screenshots of some of the files.
The DarkSide affiliate who breached Brenntag’s systems claimed to have gained access to the network using stolen credentials purchased from an unknown source.
This aligns with similar tactics employed by other ransomware gangs that regularly buy stolen credentials (including remote desktop credentials) in the dark web marketplace.
BleepingComputer reported in April that threat actors used UAS, one of the largest RDP markets, to sell more than 1.3 million stolen credentials since the end of 2018.
The Darkside ransomware gang has been active since August 2020 with a focus on corporate networks and asking for millions of dollars for decryptors and a promise not to disclose stolen data.
The ransomware group landed in the crosshairs of the US government and law enforcement after attacking Colonial Pipeline, the largest fuel pipeline in the US.
Following increased scrutiny by law enforcement, DarkSide decided to suddenly shut down in May for fear of arrest.
DarkSide affected other organizations in the past, including Discount Car and Truck Rentals, Brookfield Residential, and the energy companies Eletrobras and Copel of Brazil.