DarkSide Ransomware: Best Practices for Preventing Business Disruption from Ransomware Attacks | CISA
webCredibility Rating
High quality. Established institution or organization with editorial oversight and accountability.
Rating inherited from publication venue: CISA
This CISA/FBI advisory on DarkSide ransomware is relevant to AI safety discussions around critical infrastructure security, cyber-physical system risks, and governance frameworks for protecting operational technology networks from malicious actors.
Metadata
Summary
A joint CISA and FBI cybersecurity advisory analyzing the DarkSide ransomware attack on a US pipeline company, detailing the ransomware-as-a-service model used. The advisory provides technical indicators of compromise and recommends mitigations including network segmentation between IT and OT systems, regular backup testing, and manual control testing to improve critical infrastructure resilience.
Key Points
- DarkSide ransomware targeted a US pipeline company's IT network; no OT systems were directly compromised but were proactively disconnected as a precaution.
- DarkSide operates as ransomware-as-a-service (RaaS), with developers sharing proceeds with criminal affiliates who deploy the malware.
- Key mitigations include robust IT/OT network segmentation, isolated and regularly tested backups, and maintaining manual operational controls.
- The malware collects and encrypts system information, sends it to C2 servers, deletes Volume Shadow copies, and generates ransom notes.
- STIX-formatted indicators of compromise (IOCs) were shared with critical infrastructure partners to aid network defenders.
1 FactBase fact citing this source
| Entity | Property | Value | As Of |
|---|---|---|---|
| Colonial Pipeline (2021) | Incident Date | May 2021 | May 2021 |
Cached Content Preview
Archived Content
In an effort to keep CISA.gov current, the archive contains outdated information that may not reflect current policy or programs.
Cybersecurity Advisory
DarkSide Ransomware: Best Practices for Preventing Business Disruption from Ransomware Attacks
Last Revised July 08, 2021
Alert Code AA21-131A
Summary
This Advisory uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK®) framework, Version 9. See the ATT&CK for Enterprise for all referenced threat actor tactics and techniques.
The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) are aware of a ransomware attack affecting a critical infrastructure (CI) entity—a pipeline company—in the United States. Malicious cyber actors deployed DarkSide ransomware against the pipeline company’s information technology (IT) network.[1] At this time, there is no indication that the entity’s operational technology (OT) networks have been directly affected by the ransomware.
CISA and FBI urge CI asset owners and operators to adopt a heightened state of awareness and implement the recommendations listed in the Mitigations section of this Joint Cybersecurity Advisory, including implementing robust network segmentation between IT and OT networks; regularly testing manual controls; and ensuring that backups are implemented, regularly tested, and isolated from network connections. These mitigations will help CI owners and operators improve their entity's functional resilience by reducing their vulnerability to ransomware and the risk of severe business degradation if impacted by ransomware.
(Updated May 19, 2021): Click here for a STIX package of indicators of compromise (IOCs). Note: These IOCs were shared with critical infrastructure partners and network defenders on May 10, 2021. The applications listed in the IOCs were leveraged by the threat actors during the course of a compromise. Some of these applications might appear within an organization's enterprise to support legitimate purposes; however, these applications can be used by threat actors to aid in malicious exploitation of an organization's enterprise. CISA and FBI recommend removing any application not deemed necessary for day-to-day operations.
(Updated July 08, 2021): Click here for downloadable IOCs associated with a sample of a DarkSide ransomware variant analyzed by CISA and FBI. Note: CISA and FBI have no evidence that this sample is related to the pipeline incident detailed in this CSA. This variant executes a dynamic-link library (DLL) program used to delete Volume Shadow copies available on the system. The malware collects, encrypts, and sends system information to the threat actor’s command and control (C2) domains and generates a ransom note to the victim. For more information about this variant, refer to Malware Analysis Report MAR-103
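As an added illustration (not code from the advisory, CISA or FBI), the Python below scans constructed, Sysmon-style process-creation log lines for the Volume Shadow copy deletion behaviour the paragraph above describes (ATT&CK T1490, Inhibit System Recovery). The log format, host and user names, and the rule set are assumptions made for this example. The analyzed variant deletes shadow copies through a DLL, so command-line matching covers only the common living-off-the-land routes (vssadmin, wmic, PowerShell WMI) and complements, rather than replaces, the IOCs the advisory links to.

```python
import re

# Constructed sample log lines in a simplified key=value process-creation
# format modelled on Sysmon Event ID 1 fields. These are NOT real telemetry
# and the hosts, users and timestamps are invented for this example.
SAMPLE_LOGS = [
    'ts=2021-05-07T06:12:01Z host=WS-101 user=CORP\\alice image=C:\\Windows\\System32\\vssadmin.exe cmdline="vssadmin.exe delete shadows /all /quiet"',
    'ts=2021-05-07T06:12:03Z host=WS-101 user=CORP\\alice image=C:\\Windows\\System32\\wbem\\WMIC.exe cmdline="wmic shadowcopy delete"',
    'ts=2021-05-07T06:15:44Z host=WS-102 user=CORP\\bob image=C:\\Windows\\System32\\notepad.exe cmdline="notepad.exe C:\\Users\\bob\\notes.txt"',
    'ts=2021-05-07T06:16:10Z host=WS-103 user=CORP\\svc_backup image=C:\\Windows\\System32\\vssadmin.exe cmdline="vssadmin.exe list shadows"',
    'ts=2021-05-07T06:20:02Z host=WS-104 user=CORP\\carol image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe cmdline="powershell -c Get-WmiObject Win32_ShadowCopy | ForEach-Object { $_.Delete() }"',
]

# key=value pairs; values may be double-quoted (needed for command lines with spaces).
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')

# Detection rules: (description, regex applied to the lowercased command line).
# Listing or querying shadow copies is benign and deliberately not matched;
# only deletion, and storage shrinking that evicts old copies, are flagged.
SHADOW_DELETE_RULES = [
    ("vssadmin delete shadows", re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows")),
    ("vssadmin resize shadowstorage", re.compile(r"vssadmin(\.exe)?\s+resize\s+shadowstorage")),
    ("wmic shadowcopy delete", re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete")),
    ("PowerShell Win32_ShadowCopy Delete()", re.compile(r"win32_shadowcopy.*\.delete\(\)")),
]


def parse_line(line):
    """Parse one key=value log line into a dict (quoted values keep their spaces)."""
    fields = {}
    for m in FIELD_RE.finditer(line):
        key = m.group(1)
        fields[key] = m.group(3) if m.group(3) is not None else m.group(4)
    return fields


def detect_shadow_copy_deletion(lines):
    """Return one alert dict per log line whose command line matches a deletion rule."""
    alerts = []
    for line in lines:
        ev = parse_line(line)
        cmd = ev.get("cmdline", "").lower()
        for desc, rx in SHADOW_DELETE_RULES:
            if rx.search(cmd):
                alerts.append({
                    "ts": ev.get("ts"),
                    "host": ev.get("host"),
                    "user": ev.get("user"),
                    "rule": desc,
                    "cmdline": ev.get("cmdline"),
                })
                break  # one alert per event, even if several rules match
    return alerts


def summarize_by_host(alerts):
    """Count alerts per host; a burst on one host shortly before encryption is the typical pattern."""
    counts = {}
    for a in alerts:
        counts[a["host"]] = counts.get(a["host"], 0) + 1
    return counts


if __name__ == "__main__":
    found = detect_shadow_copy_deletion(SAMPLE_LOGS)
    for a in found:
        print(f"{a['ts']} {a['host']} {a['user']} [{a['rule']}] {a['cmdline']}")
    print("per host:", summarize_by_host(found))
```

Run stand-alone, the script flags three of the five constructed events (two on WS-101, one on WS-104) and leaves the backup account's `vssadmin list shadows` alone. In a real deployment the same rules would be expressed against the SIEM's process-creation events, and a match from a non-backup account, or from any account outside a maintenance window, is a high-priority signal because it usually precedes encryption by minutes.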
... (truncated, 17 KB total)