CISA and FBI Advisory on Darkside Ransomware – Updated July 13, 2021

Author: Charles Egli

Created: Tuesday, July 13, 2021 - 16:15

Categories: Cybersecurity

July 13, 2021

The Cybersecurity and Infrastructure Security Agency (CISA) has published a Malware Analysis Report (MAR) on the DarkSide ransomware and updated its alert that it co-authored with the FBI. The MAR is for a variant of the DarkSide ransomware, which CISA notes was note related to the attack on the Colonial Pipeline. It addition to providing the variant’s technical details, the MAR includes suggested response actions and recommended mitigation techniques to help network defenders identify and mitigate risks. This updated alert adds indicators of compromise and other details associated with the variant. Access the MAR and updated alert at CISA.

May 20, 2021

The Cybersecurity and Infrastructure Security Agency (CISA) and the FBI have published an updated advisory on the Darkside ransomware, which was used in the recent attack on the Colonial Pipeline. This update provides a downloadable STIX file of indicators of compromise (IOCs) to help network defenders find and mitigate activity associated with DarkSide ransomware. CISA and the FBI shared these IOCs with critical infrastructure partners and network defenders last week, including in the original advisory that WaterISAC reported to members on May 11. Access the updated advisory at CISA.

May 11, 2021

The Cybersecurity and Infrastructure Security Agency (CISA) and the FBI are urging critical infrastructure asset owners and operators to adopt a heightened state of awareness and implement the recommendations listed in the just-released advisory, “DarkSide Ransomware: Best Practices for Preventing Business Disruption from Ransomware Attacks.” This advisory provides technical details on Darkside actors and some of their known tactics and preferred targets. According to open-source reporting, Darkside actors have been targeting multiple large, high-revenue organizations. Also, the actors have previously been observed gaining initial access through phishing, exploiting remotely accessible accounts and systems and virtual desktop infrastructure.

Read the advisory at CISA.

In addition to the cybersecurity advisory, CISA and FBI urge critical infrastructure asset owners and operators to review the following resources for best practices on strengthening cybersecurity posture:

Joint Ransomware Guide (CISA and Multi-State Information Sharing and Analysis Center)
CISA Ransomware Webpage: Ransomware Guidance and Resources
CISA Insights: Ransomware Outbreak
CISA Pipeline Cybersecurity Initiative
CISA Pipeline Cybersecurity Resources Library

CISA encourages victims of ransomware to report incidents immediately to CISA, a local FBI Field Office, or a Secret Service Field Office.