{
	"id": "039f54f0-00df-4949-a90f-24599a6b2daa",
	"created_at": "2026-04-06T00:15:46.970274Z",
	"updated_at": "2026-04-10T13:11:50.053827Z",
	"deleted_at": null,
	"sha1_hash": "78f2734d592746371883d040bb6ccee999b5ac95",
	"title": "US chemical distributor shares info on DarkSide ransomware data theft",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2189760,
	"plain_text": "US chemical distributor shares info on DarkSide ransomware data theft\r\nBy Sergiu Gatlan\r\nPublished: 2021-07-03 · Archived: 2026-04-05 14:50:10 UTC\r\nWorld-leading chemical distribution company Brenntag has shared additional info on what data was stolen from its network\r\nby DarkSide ransomware operators during an attack from late April 2021 that targeted its North America division.\r\nBrenntag is the second largest in sales for North America, according to the ICIS report on the Top 100 Chemical Distributors\r\nworldwide.\r\nThe chemical distribution company is headquartered in Germany and has more than 17,000 employees worldwide at over\r\n670 sites.\r\nhttps://www.bleepingcomputer.com/news/security/us-chemical-distributor-shares-info-on-darkside-ransomware-data-theft/\r\nPage 1 of 4\n\n0:00\r\nhttps://www.bleepingcomputer.com/news/security/us-chemical-distributor-shares-info-on-darkside-ransomware-data-theft/\r\nPage 2 of 4\n\nVisit Advertiser websiteGO TO PAGE\r\nStolen info includes SSNs, medical info, more\r\nBrenntag confirmed the ransomware attack in an email statement sent to BleepingComputer on May 13, saying that\r\nit disconnected all impacted systems from the network after the incident was discovered to contain the threat.\r\nHowever, as revealed in data breach notification letters sent to affected individuals during late June, the chemical\r\ndistribution firm became aware of the attack on April 28, two days after the DarkSide operators breached its network.\r\n\"Our investigation confirmed that Brenntag systems were accessed without authorization starting on April 26, 2021, and/or\r\nthat some information was taken from our system,\" the company said.\r\nThe data exfiltrated by the DarkSide attackers includes \"social  security  number,  date  of  birth,  driver's license number,\r\nand select medical information.\"\r\nLuckily, as Brenntag further explained, third-party cybersecurity forensic experts hired to investigate the incident found no\r\nevidence that the stolen information was misused for fraudulent purposes.\r\nThe company also asked the impacted individuals (more than 6700 according to info provided to Maine's Attorney General)\r\nto review their account statements and keep an eye on their free credit reports to detect any attempts of identity theft and\r\nfraud.\r\n\"If you find any transactions you do not recognize, contact the business or institution issuing the statement,\" Brenntag\r\nadded.\r\n$4.4 million ransom paid to DarkSide\r\nAs BleepingComputer reported in May, the chemical distributor company paid a $4.4 million ransom to DarkSide for a\r\ndecryptor and to prevent the ransomware gang from leaking the stolen data.\r\nThe ransom was negotiated down from 133.65 bitcoins (roughly $7.5 million at the time), with Brenntag having sent the\r\n$4.4 million to the attackers on May 11, as BleepingComputer was able to confirm.\r\nAfter the attack, the DarkSide ransomware group claimed to have exfiltrated150GB of data while they had access to\r\nBrenntag's systems.\r\nAs proof of their claims, the threat actors also created a private data leak page with a description of the types of stolen\r\ndata and screenshots of some of the files.\r\nPrivate data leak page sent to Brenntag\r\nhttps://www.bleepingcomputer.com/news/security/us-chemical-distributor-shares-info-on-darkside-ransomware-data-theft/\r\nPage 3 of 4\n\nThe DarkSide affiliate who breached Brenntag's systems claimed to have gotten access to the network using stolen\r\ncredentials bought from an unknown source.\r\nThis aligns with similar tactics employed by other ransomware gangs who regularly purchase stolen credentials (including\r\nRemote Desktop credentials) from dark web marketplace.\r\nBleepingComputer reported in April that threat actors used UAS, one of the largest RDP marketplaces, to sell more than 1.3\r\nmillion stolen credentials since the end of 2018.\r\nThe Darkside ransomware gang has been active since August 2020 with a focus on corporate networks and asking millions\r\nof dollars for decryptors and the promise not to release stolen data.\r\nThe ransomware group landed in the crosshairs of the US government and law enforcement after hitting Colonial Pipeline,\r\nthe largest fuel pipeline in the US.\r\nFollowing heightened scrutiny from law enforcement, DarkSide decided to suddenly shut down in May out of fear of being\r\narrested.\r\nDarkSide hit other organizations in the past, including Discount Car and Truck Rentals, Brookfield Residential,\r\nand Brazil's Eletrobras and Copel energy companies.\r\nAutomated Pentesting Covers Only 1 of 6 Surfaces.\r\nAutomated pentesting proves the path exists. BAS proves whether your controls stop it. Most teams run one without the\r\nother.\r\nThis whitepaper maps six validation surfaces, shows where coverage ends, and provides practitioners with three diagnostic\r\nquestions for any tool evaluation.\r\nSource: https://www.bleepingcomputer.com/news/security/us-chemical-distributor-shares-info-on-darkside-ransomware-data-theft/\r\nhttps://www.bleepingcomputer.com/news/security/us-chemical-distributor-shares-info-on-darkside-ransomware-data-theft/\r\nPage 4 of 4",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/us-chemical-distributor-shares-info-on-darkside-ransomware-data-theft/"
	],
	"report_names": [
		"us-chemical-distributor-shares-info-on-darkside-ransomware-data-theft"
	],
	"threat_actors": [],
	"ts_created_at": 1775434546,
	"ts_updated_at": 1775826710,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/78f2734d592746371883d040bb6ccee999b5ac95.pdf",
		"text": "https://archive.orkl.eu/78f2734d592746371883d040bb6ccee999b5ac95.txt",
		"img": "https://archive.orkl.eu/78f2734d592746371883d040bb6ccee999b5ac95.jpg"
	}
}