{ "id": "902562e1-97cf-41e9-964d-3bec141a90db", "created_at": "2026-04-06T00:19:46.792349Z", "updated_at": "2026-04-10T03:20:05.991903Z", "deleted_at": null, "sha1_hash": "d5816da9aaf273abe5791d2bca2aefad2e6b9d7f", "title": "Chemical distributor pays $4.4 million to DarkSide ransomware", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 2328890, "plain_text": "Chemical distributor pays $4.4 million to DarkSide ransomware\r\nBy Lawrence Abrams\r\nPublished: 2021-05-13 · Archived: 2026-04-05 22:53:25 UTC\r\nChemical distribution company Brenntag paid a $4.4 million ransom in Bitcoin to the DarkSide ransomware gang to receive\r\na decryptor for encrypted files and prevent the threat actors from publicly leaking stolen data.\r\nBrenntag is a world-leading chemical distribution company headquartered in Germany but with over 17,000 employees\r\nworldwide at over 670 sites.\r\nAccording to the ICS Top 100 Chemical Distributors report, Brenntag is the second largest in sales for North America.\r\nhttps://www.bleepingcomputer.com/news/security/chemical-distributor-pays-44-million-to-darkside-ransomware/\r\nPage 1 of 5\n\n0:00\r\nhttps://www.bleepingcomputer.com/news/security/chemical-distributor-pays-44-million-to-darkside-ransomware/\r\nPage 2 of 5\n\nVisit Advertiser websiteGO TO PAGE\r\nBrenntag confirms cyberattack\r\nAt the beginning of May, Brenntag suffered a ransomware attack that targeted their North America division. As part of this\r\nattack, the threat actors encrypted devices on the network and stole unencrypted files.\r\nFrom the information shared with BleepingComputer by an anonymous source, the DarkSide ransomware group claimed to\r\nhave stolen 150GB of data during their attack.\r\nTo prove their claims, the ransomware gang created a private data leak page containing a description of the types of data that\r\nwere stolen and screenshots of some of the files.\r\nPrivate data leak page sent to Brenntag\r\nDarkSide initially demanded a 133.65 Bitcoin ransom, valued at approximately $7.5 million at the time. However, after\r\nnegotiations, BleepingComputer was told that the ransom demand was decreased to $4.4 million, which was paid two days\r\nago.\r\nFrom the bitcoin address shared with BleepingComputer, we confirmed that Brenntag sent the ransom to the attackers on\r\nMay 11th.\r\nToday, Brenntag shared a statement with BleepingComputer confirming that they suffered a security incident but did not\r\noutright state it was a ransomware attack.\r\n\"Brenntag North America is currently working to resolve a limited information security incident,\" Brenntag told\r\nBleepingComputer.\r\n\"As soon as we learned of this incident, we disconnected affected systems from the network to contain the threat.\"\r\n\"In addition, third-party cybersecurity and forensic experts were immediately engaged to help investigate. We also informed\r\nlaw enforcement of this incident.\"\r\nGained access through stolen credentials\r\nDarkSide is a Ransomware-as-a-Service (RaaS) operation, which is when the ransomware developers partner with third-party affiliates, or hackers, who are responsible for gaining access to a network and encrypting devices.\r\nAs part of this arrangement, the core DarkSide team earns 20-30% of a ransom payment, and the rest goes to the affiliate\r\nwho conducted the attack.\r\nhttps://www.bleepingcomputer.com/news/security/chemical-distributor-pays-44-million-to-darkside-ransomware/\r\nPage 3 of 5\n\nOne of the conditions for most ransomware negotiations is that the affiliate discloses how they gained access to a victim's\r\nnetwork. This could come in the form of a multi-page security audit report or simply a simple paragraph in the Tor chat\r\nscreen explaining how they gained access.\r\nIn this particular case, the DarkSide affiliate claims to have gotten access to the network after purchasing stolen credentials.\r\nHowever, the DarkSide affiliate does not know how the credentials were originally obtained.\r\nDarkSide says they purchase credentials for the network\r\nRansomware gangs and other threat actors commonly use dark web marketplace to purchase stolen credentials, especially\r\nthose for Remote Desktop credentials.\r\nLast month, BleepingComputer reported how one of the largest RDP marketplaces, UAS, suffered a breach showing that\r\nover the past three years they had access to 1.3 million stolen credentials.\r\nWhile this was an expensive lesson, and unfortunately all-too-common, the attack illustrates the importance of enforcing\r\nmulti-factor authentication for all logins on a network and putting all Remote Desktop servers behind a VPN.\r\nIf MFA was enabled for account logins, it is unlikely that the DarkSide affiliate would have gained access to the network.\r\nhttps://www.bleepingcomputer.com/news/security/chemical-distributor-pays-44-million-to-darkside-ransomware/\r\nPage 4 of 5\n\nAutomated Pentesting Covers Only 1 of 6 Surfaces.\r\nAutomated pentesting proves the path exists. BAS proves whether your controls stop it. Most teams run one without the\r\nother.\r\nThis whitepaper maps six validation surfaces, shows where coverage ends, and provides practitioners with three diagnostic\r\nquestions for any tool evaluation.\r\nSource: https://www.bleepingcomputer.com/news/security/chemical-distributor-pays-44-million-to-darkside-ransomware/\r\nhttps://www.bleepingcomputer.com/news/security/chemical-distributor-pays-44-million-to-darkside-ransomware/\r\nPage 5 of 5", "extraction_quality": 1, "language": "EN", "sources": [ "Malpedia", "ETDA" ], "references": [ "https://www.bleepingcomputer.com/news/security/chemical-distributor-pays-44-million-to-darkside-ransomware/" ], "report_names": [ "chemical-distributor-pays-44-million-to-darkside-ransomware" ], "threat_actors": [], "ts_created_at": 1775434786, "ts_updated_at": 1775791205, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/d5816da9aaf273abe5791d2bca2aefad2e6b9d7f.pdf", "text": "https://archive.orkl.eu/d5816da9aaf273abe5791d2bca2aefad2e6b9d7f.txt", "img": "https://archive.orkl.eu/d5816da9aaf273abe5791d2bca2aefad2e6b9d7f.jpg" } }