DarkSide extracts $4.4m ransom from German chemical distribution company

Earlier this week, besides forcing U.S. pipeline giant Colonial Pipeline to pay $5 million in ransom to restore operations, the DarkSide ransomware group also extracted a ransom payment of $4.4 million in Bitcoin from Brenntag, a German chemical distribution company.

According to Bleeping Computer, Brenntag had no choice but to pay the ransom after the ransomware group targeted the company's North American division, encrypted corporate devices, and stole up to 150GB of data, including unencrypted files. The group reportedly gained access to the Brenntag North America network after purchasing stolen credentials from another entity.

Headquartered in Essen, Germany, Brenntag is among the world's largest chemical distribution companies, operating in 77 countries and employing over 17,000 people. The company has more than 190 distribution sites in the United States and Canada and boasts around 40,000 customers in the region. It is also the market leader in Latin America and earned a revenue of €12.8 billion in 2019.

After encrypting the company's devices and files, the DarkSide ransomware group demanded a ransom of 133.65 Bitcoin (£4.58 million) but, after protracted negotiations with the company, finally accepted a payment of £3.12 million on May 11. As in most such cases, the company has not disclosed the incident on its customer-facing sites.

The incident is a textbook case of why it is necessary for organisations to continuously protect user credentials, reset credentials regularly, and implement multi-factor authentication to protect devices and user accounts from unauthorised access. The fact that a ransomware group used stolen credentials to hack into a global corporation's network so easily demonstrates that credential management is still not being prioritised by organisations. Brenntag North America has learned the lesson the hard way.

What's worse is that even cybersecurity companies have suffered breaches as a result of not being able to detect the theft of user credentials. In 2019, Czech antivirus service provider Avast admitted that hackers used stolen VPN credentials and exploited the lack of two-factor authentication to successfully access its internal network on seven occasions between May 14 and September 23 that year.

The affected VPN account had domain admin privileges even though the user whose credentials were being used did not. The firm found that the hacker who stole the credentials carried out a successful privilege escalation while using a public IP address hosted in the UK.
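As an added illustration of the Avast scenario above (example code written for this article, not from Avast, Brenntag or ImmuniWeb), the following audit scans constructed VPN authentication log lines and flags successful logons that lack MFA and involve either an account holding Domain Admins membership or an external source address. The log format, the group roster and the internal address policy are assumptions.

```python
"""Constructed example: flag VPN logons that combine the risk factors from the
Avast incident (no second factor, privileged account, external source)."""
import ipaddress

# Constructed sample VPN log lines: timestamp, event, key=value fields.
VPN_LOG = """\
2019-05-14T02:13:07Z LOGIN user=jdoe src=203.0.113.45 mfa=none result=success
2019-05-14T09:01:12Z LOGIN user=asmith src=10.20.30.41 mfa=totp result=success
2019-06-02T22:47:51Z LOGIN user=jdoe src=198.51.100.7 mfa=none result=success
2019-09-23T03:05:44Z LOGIN user=svc_backup src=192.0.2.10 mfa=none result=success
"""

# Constructed directory state: accounts currently in the Domain Admins group.
DOMAIN_ADMINS = {"jdoe", "itadmin"}

# Assumed policy: only RFC 1918 space counts as internal; anything else is external.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_line(line):
    """Turn one log line into a dict of its key=value fields plus 'ts'."""
    ts, _event, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = ts
    return rec


def is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def find_risky_logins(log_text):
    """Return (user, ts, src, reasons) for successful logons without MFA that
    involve a Domain Admins account or an external source address."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec.get("result") != "success":
            continue
        reasons = []
        if rec.get("mfa", "none") == "none":
            reasons.append("no-mfa")
        if rec["user"] in DOMAIN_ADMINS:
            reasons.append("domain-admin")
        if is_external(rec["src"]):
            reasons.append("external-src")
        if "no-mfa" in reasons and len(reasons) > 1:
            findings.append((rec["user"], rec["ts"], rec["src"], reasons))
    return findings
```

In a real deployment the roster would come from the directory and the thresholds from policy; the point is to cross-check VPN access against group membership and MFA state rather than trusting either source alone.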

In November 2019, a study conducted by ImmuniWeb revealed that hackers plundered over 21 million login credentials from Fortune 500 companies and over 16 million of them were stolen and posted on Dark Web platforms in a twelve-month period. 95% of the 21 million stolen credentials were "unencrypted, or brute-forced and cracked by the attackers, plaintext passwords".

The study also revealed that only 4.9 million of the 21 million stolen credentials were unique, indicating that the widespread practice of employees using identical or similar passwords is still in place at the world's largest organisations.

"All these stolen login credentials belonging to Fortune 500 companies were found pasted on resources within the TOR network, across various web forums, Pastebin, IRC channels, social networks, messenger chats and many other locations notorious for offering, selling or distributing stolen or leaked data," ImmuniWeb said.

"These numbers are both frustrating and alarming. The great wealth of stolen credentials accessible on the Dark Web is a modern-day Klondike for mushrooming threat actors who don’t even need to invest in expensive zero-day or time-consuming APTs. With some persistence, they easily break in being unnoticed by security systems and grab what they want. Worse, many such intrusions are technically uninvestigable due to lack of logs or control over the breached [third-party] systems," said Ilia Kolochenko, CEO and Founder of ImmuniWeb.

"In the era of cloud, containers and continuous outsourcing of critical business processes, most organizations have lost visibility and thus control over their digital assets and data. You cannot protect what you don’t see, likewise you cannot safeguard the data if you don’t know where it’s being stored and who can access it. Third-party risks immensely exacerbate the situation by adding even more perilous unknowns into the game.

"A well-thought, coherent and holistic cyber security and risk management programme should encompass not just your organisation but third parties in a continuous and data-driven manner," he added.
