Brenntag SE, a German chemical distribution company operating in more than 77 countries around the world, suffered a DarkSide Ransomware attack that led to the organization paying a $4.4 million ransom in Bitcoin.

Following the ransom payment, Brenntag obtained a decryptor for encrypted files and successfully stopped the cybercriminals from making the company’s stolen information public.

DarkSide Ransomware operates under the form of a Ransomware-as-a-Service (RaaS), in which the gains are shared between its holders and partners, or affiliates, who allow entry to companies and execute the ransomware. The DarkSide ransomware gang gets around 25% of a ransom payment, and the rest is taken by the affiliate who organized the assault.

Usually, in a ransomware negotiation, the affiliate has to reveal how they acquired access to the victim’s data. This can be done in the form of a multi-page security audit report or just a paragraph in the Tor chat screen describing how they obtained access.

In Brenntag’s case, the DarkSide affiliate said they have obtained access to the network after purchasing stolen information, but didn’t know how the credentials were obtained, to begin with.


As part of the ransomware attack, the German organization experienced at the beginning of this month, the hackers encrypted devices on the network and stole unencrypted files.

According to Bleeping Computer, the Darkside ransomware attackers claimed to have stolen 150GB of data when the attack occurred.

In order to prove it, the cyber criminals created a private data leak page that included a representation of the types of information that were stolen and screenshots of some of the files.


Bleeping Computer has confirmed that after negotiation the chemical distribution enterprise paid the requested ransom on May 11, but is important to say that the DarkSide ransomware hackers demanded a $7.5 million ransom at first.

Brenntag North America is currently working to resolve a limited information security incident. As soon as we learned of this incident, we disconnected affected systems from the network to contain the threat.

In addition, third-party cybersecurity and forensic experts were immediately engaged to help investigate. We also informed law enforcement of this incident.


It’s a common practice among all sorts of cybercriminals to use the dark web marketplace to buy stolen data, especially those for Remote Desktop Protocol (RDP). In April, the UAS attack demonstrated that in the last three years they could access 1.3 million stolen login names and passwords.

This incident shows how implementing multi-factor authentication for all logins on a network and placing all Remote Desktop servers behind a VPN is a must in order to protect you and your organization.

Heimdal Official Logo
Neutralize ransomware before it can hit.

Heimdal™ Ransomware Encryption Protection

Specifically engineered to counter the number one security risk to any business – ransomware.
  • Blocks any unauthorized encryption attempts;
  • Detects ransomware regardless of signature;
  • Universal compatibility with any cybersecurity solution;
  • Full audit trail with stunning graphics;
Try it for FREE today 30-day Free Trial. Offer valid only for companies.

DarkSide Ransomware 101

DarkSide Ransomware Shifts Blame for Colonial Pipeline Attack

1.3 Million RDP Server Logins Collected from Hacker Market

Leave a Reply

Your email address will not be published. Required fields are marked *