
Cyber Incident Victim: Brenntag

Date:

May 2021

Location:

United States of America

Summary

Brenntag suffered a ransomware attack by the DarkSide group targeting its North American division, resulting in encrypted systems and theft of 150GB of data. The attackers initially demanded approximately $7.5 million but accepted a negotiated $4.4 million ransom paid in Bitcoin to provide a decryptor and prevent public data leaks. The company confirmed a security incident, disconnected affected systems, engaged cybersecurity experts, and notified law enforcement, though it did not explicitly acknowledge the ransomware nature of the attack.

CIA Posture: Available to members
Motives: 1 motive
Tactics, Techniques & Procedures: 1 technique
Threat Actor: 1 actor
Type: Available to members
Location: Available to members

Description

In early May 2021, Brenntag’s North America division experienced a ransomware attack attributed to the DarkSide cybercriminal group. The attackers encrypted devices on the compromised network and exfiltrated approximately 150GB of unencrypted files, which included sensitive corporate data. DarkSide established a private data leak page containing descriptions of the stolen information and screenshots of files as proof of the breach. The group initially demanded a ransom of 133.65 Bitcoin, equivalent to roughly $7.5 million at the time, threatening to publicly release the stolen data unless paid. Brenntag engaged in negotiations with the attackers, resulting in a reduced demand of $4.4 million. On May 11, 2021, Brenntag transferred the payment in Bitcoin to a wallet address provided by DarkSide, as confirmed by blockchain transaction records. The company acknowledged a "limited information security incident" in a public statement but did not explicitly confirm it as a ransomware attack. Brenntag emphasized that affected systems were disconnected from the network upon detection to contain the threat.


The incident disrupted operations in Brenntag’s North American division, though the company did not disclose specific downtime durations or operational impacts. Third-party cybersecurity and forensic experts were engaged immediately to investigate the breach, and law enforcement agencies were notified. DarkSide’s affiliate likely gained initial access through compromised credentials, a common tactic among ransomware groups, which often acquire stolen Remote Desktop Protocol (RDP) credentials from dark web marketplaces. The breach underscored the risks associated with unprotected network access points, though Brenntag did not publicly confirm the exact intrusion vector. The payment secured a decryptor for the encrypted systems and aimed to prevent the publication of stolen data on DarkSide’s leak site. Brenntag’s response prioritized containment, investigation, and collaboration with external specialists, reflecting standard incident response protocols for ransomware scenarios.

Sources
Sources available to members
1 source