Colonial Pipeline and Brenntag Pay Ransoms to DarkSide Ransomware Gang

The DarkSide ransomware attack on Colonial Pipeline that disrupted fuel supplies to the East Coast for almost a week and triggering a spike in fuel prices has now been resolved, but only after a ransom of around $5 million was paid to the attackers for the keys to unlock encrypted files.

The attack started on Friday May 7, with Colonial Pipeline taking the decision to shut down its systems to contain the attack which also required the shutdown of its four fuel pipelines that provided 45% of the East Coast’s fuel. The pipeline remained shut down for 5 days while the attack was remediated.

Initially, the company announced that it would not be giving in to the attacker’s demand for payment, but later backtracked and paid approximately the ransom in cryptocurrency to speed up the recovery process and get fuel flowing again to the East Coast. However, even with the decryption tool, recovery was slow and due to the speed at which encrypted files were restored using the DarkSide tool, data still had to be recovered from backups during the recovery process. All operational technology was restored and brought back online by May 13.

This is far from the only major ransomware attack performed by the DarkSide gang in recent weeks. Ransomware attacks have been conducted in 12 countries on companies in a range of industry sectors. One of the most recent was at the start of May, when the gang attacked the North American division of the German chemical distribution company Brenntag. Brenntag is the second largest chemical distributor in the United States in terms of sales.

According to a recent Bleeping Computer report, the DarkSide ransomware gang stole around 150GB of data from the firm and threatened to publicly release the information if the ransom was not paid. It is unclear whether it was the threat of publication of stolen data or the need to recover systems and data quickly that was the driving factor behind the decision to pay the ransom which, following negotiations, was reduced from around $7.5 million to approximately $4.4 million.

DarkSide is a ransomware-as-a-service (RaaS) operation that recruits affiliates to conduct ransomware attacks in exchange for a cut of any profits generated. The RaaS operators earn around 20-30% of any ransom payments generated, with the affiliates keeping the remainder. Several methods are used by affiliates to gain access to networks, including the exploitation of vulnerabilities, phishing attacks, or the use of stolen credentials.

The method used to gain access to Colonial Pipeline’s systems is unclear; however, the affiliate responsible for the attack on Brenntag claims to have purchased stolen credentials and used them to gain access to Brenntag’s network. The affiliate was unaware how the credentials were initially obtained. The affiliate suggested Brenntag should have used more powerful antivirus solutions and should have implemented multifactor authentication, with the latter most likely sufficient to prevent the use of stolen credentials in the attack.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of