The _secpro team opened their ears to the _secpro readership and you have all been heard! In last week’s survey, the _secpro community decided that they wanted a deep dive into the ten worst ransomware attacks that took place in 2021. That’s why we have focused all our energy into reviewing what happened in that year of instability and put together the ten worst attacks that companies all around the world were dealing with.
First things first – discussing the absolute worst ransomware is always a little speculative. For legal reasons or to avoid embarrassment, companies don’t always release the useful figures for these kinds of breakdowns. In America, it has been illegal to pay a ransom since an OFAC ruling. Similarly, companies dealing with sensitive information don’t want to tell their clients that they have lost terabytes upon terabytes of data. With that in mind, we’ve put together a list of ten ransomware attacks which considers the following three criteria.
- The ransom that was requested.
- The ransom that was paid.
- The size of the data leak.
We haven’t been able to find reliable figures for all of these criteria, however. Sometimes we have had to rely on a fourth – the editor’s gut feeling. With that in mind, we look forward to hearing how much you disagree with the choices we have made and look forward to being proven incorrect as our list unfolds!
Worst Ransomware #10 – Brenntag
Cast your mind back to April 2021 – you might remember an attack on a German company that you had never heard of before. This is where we start our journey into the criminal world of ransomware – with Brenntag, a chemical and ingredients distributor in Berlin.
Investigations into the attack showed that the DarkSide ransomware operators were behind the lockdown and leak. As is typical of ransomware-as-a-service (RaaS) operations, a paying affiliate of the DarkSide program gained access through stolen credentials. Further investigation into this key failing has shown that these credentials were actually purchased from a third-party initial access broker.
Having bought the stolen credentials, the attacker used DarkSide’s standard offering to encrypt the German company’s systems and exfiltrate an unconfirmed figure of up to 150GB of data. The company was forced to release this statement shortly after the attack on April 26:
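The chain described above (a valid but stolen credential used from an unfamiliar network, followed by bulk data leaving the estate) is exactly the pattern a defender wants to surface before the encryption stage. The script below is an added example, not code from the original article or anything Brenntag or the investigators used; it runs over constructed sample logon and egress events (the account names, IPs and byte counts are made up) and flags a user whose first logon from a never-before-seen source network is followed within a few hours by outbound transfer volume above a threshold.

```python
"""
Correlate "first logon from a new network" with large outbound transfer.
Added example with constructed sample events; not real Brenntag telemetry.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logon events: (timestamp, user, source_ip, outcome)
AUTH_EVENTS = [
    ("2021-04-20T08:02:11", "j.doe", "10.8.4.21", "success"),
    ("2021-04-21T08:05:40", "j.doe", "10.8.4.21", "success"),
    ("2021-04-26T02:14:03", "j.doe", "203.0.113.57", "success"),  # new network, off-hours
    ("2021-04-26T09:00:00", "a.lee", "10.8.4.33", "success"),
]

# Constructed sample egress summaries: (timestamp, user, bytes_out)
EGRESS_EVENTS = [
    ("2021-04-21T10:00:00", "j.doe", 250_000_000),
    ("2021-04-26T03:10:00", "j.doe", 120_000_000_000),  # ~120 GB within an hour of the new logon
    ("2021-04-26T10:00:00", "a.lee", 50_000_000),
]


def parse(ts):
    return datetime.fromisoformat(ts)


def network_of(ip):
    # Crude /24 key; a real deployment would use ASN or geo enrichment instead
    return ".".join(ip.split(".")[:3])


def find_suspicious_sessions(auth_events, egress_events,
                             window=timedelta(hours=6),
                             egress_threshold=10 * 1024 ** 3):
    """Return (user, logon_ts, source_ip, bytes_out) tuples for successful logons
    from a source network never seen for that user before, where the user's total
    egress within `window` after the logon meets or exceeds `egress_threshold`."""
    seen_networks = defaultdict(set)   # user -> networks observed so far
    findings = []
    for ts, user, ip, outcome in sorted(auth_events, key=lambda e: e[0]):
        if outcome != "success":
            continue
        net = network_of(ip)
        first_time = net not in seen_networks[user]
        seen_networks[user].add(net)
        if not first_time:
            continue
        start = parse(ts)
        total_out = sum(
            b for ets, u, b in egress_events
            if u == user and start <= parse(ets) <= start + window
        )
        if total_out >= egress_threshold:
            findings.append((user, ts, ip, total_out))
    return findings


if __name__ == "__main__":
    for user, ts, ip, out in find_suspicious_sessions(AUTH_EVENTS, EGRESS_EVENTS):
        print(f"ALERT {user}: new-network logon from {ip} at {ts}, {out / 1024**3:.1f} GiB out within window")
```

Because every user's very first logon counts as "new", seed `seen_networks` from a quiet baseline period before scoring live events; otherwise the rule fires on onboarding rather than on credential misuse.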
“Our investigation confirmed that Brenntag systems were accessed without authorization starting on April 26, 2021, and/or that some information was taken from our system [including] social security number, date of birth, driver’s license number, and select medical information.”
Pretty bad news for the Brenntag security team, to say the least. Not content with spreading worry among chief financial officers by word of mouth, the attackers also leaked snippets of private data through a leak page. Beyond what the Brenntag team was willing to share in the press conference, the stolen data also contained financial details, accounting records, contracts, NDA information, marketing projects, legal documents, and chemical formulas. Not so much pretty bad news as terrible news.
According to an unnamed third-party forensic investigation team, none of this highly sensitive and highly lucrative data actually made it onto the black market. Why? Well, there’s a rather simple and extremely expensive explanation for that…
What was the ransom?
Having requested payment of 133.65 BTC (equivalent to $7.5 million or €6.2 million at the time of the attack), the DarkSide affiliate eventually received $4.4 million from the Brenntag negotiators in May the same year. Combined with a range of other attacks using the RaaS, such as Discount Car and Truck Rentals, Brookfield Residential, Eletrobras, and Copel, the DarkSide operators were living very comfortably on their ill-gotten gains.
What happened to the attackers?
Although we would like to deliver a happy ending to you, it seems like there may never be one for this story. The DarkSide team came under significant pressure when the attacks started to ramp up on American soil. Even US President Joe Biden publicly weighed in on the topic, saying that the American government would “disrupt their ability to operate”. Of course, they never had a chance to disrupt anything, because DarkSide vanished.
Understanding that the net might have been closing on their operations, the team behind DarkSide shut up shop in May 2021. This made the Brenntag attack (and another significant attack that may make it onto our ten worst ransomware attacks list) their most significant and final attack altogether. Predictably, the gang closed their affiliate program “due to the pressure from the US”. Of course, cybersecurity professionals weren’t born yesterday – it’s likely that the DarkSide team is now either operating under a new name or has splintered into many different factions. Never assume that the adversary has gone away – the paranoid dogma at the center of the security professional’s life!
And that’s all for this week! Thank you very much for tuning in. Tell us what you thought about our newsletter in the survey attached and win a chance to get a free Packt eBook of your choice. That’s all for now – see you next week!