The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) are aware of a ransomware attack affecting a critical infrastructure (CI) entity, a pipeline company, in the United States. Malicious cyber actors deployed DarkSide ransomware against the pipeline company’s information technology (IT) network. At this time, there is no indication that the entity’s operational technology (OT) networks have been directly affected by the ransomware.

CISA and FBI urge CI asset owners and operators to adopt a heightened state of awareness and implement the recommendations listed in the Mitigations section of this Joint Cybersecurity Advisory, including implementing robust network segmentation between IT and OT networks; regularly testing manual controls; and ensuring that backups are implemented, regularly tested, and isolated from network connections. These mitigations will help CI owners and operators improve their entity's functional resilience by reducing their vulnerability to ransomware and the risk of severe business degradation if impacted by ransomware.

(Updated May 19, 2021): Click here for a STIX package of indicators of compromise (IOCs). Note: These IOCs were shared with critical infrastructure partners and network defenders on May 10, 2021. The applications listed in the IOCs were leveraged by the threat actors during the course of a compromise. Some of these applications might appear within an organization's enterprise to support legitimate purposes; however, these applications can be used by threat actors to aid in malicious exploitation of an organization's enterprise. CISA and FBI recommend removing any application not deemed necessary for day-to-day operations.

(Updated July 08, 2021): Click here for downloadable IOCs associated with a sample of a DarkSide ransomware variant analyzed by CISA and FBI. Note: CISA and FBI have no evidence that this sample is related to the pipeline incident detailed in this CSA. This variant executes a dynamic-link library (DLL) program used to delete Volume Shadow copies available on the system. The malware collects, encrypts, and sends system information to the threat actor’s command and control (C2) domains and generates a ransom note to the victim. For more information about this variant, refer to Malware Analysis Report MAR-10337802-1.v1: DarkSide Ransomware.

Click here for a PDF version of this report.

This Advisory uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK®) framework, Version 9. See the ATT&CK for Enterprise for all referenced threat actor tactics and techniques.
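The advisory notes that the analyzed variant runs a DLL to delete Volume Shadow copies before encryption, which is the point at which a defender's backups either survive or do not. The script below is an added example, not code from the advisory or from CISA/FBI: it scans process-creation log records for shadow-copy deletion attempts and flags hosts that show repeated attempts. The log format, host names and command lines are constructed for illustration, and the command-line patterns it matches (vssadmin and WMI shadow-copy deletion, the common forms of ATT&CK T1490) are an assumption of this example rather than indicators taken from the advisory.

```python
"""Detect Volume Shadow copy deletion attempts in process-creation logs.

Added example (not from the CISA/FBI advisory). The record format, hosts and
command lines below are constructed; the matched command names are an
assumption of this example, not indicators listed in the advisory.
"""
import re
from dataclasses import dataclass


@dataclass
class Alert:
    timestamp: str
    host: str
    rule: str
    command_line: str


# Case-insensitive patterns; `.*` tolerates extra switches between keywords.
# "vssadmin list shadows" must NOT match, so every rule requires a delete verb.
RULES = [
    ("shadow copy deleted via vssadmin",
     re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I)),
    ("shadow copy deleted via WMI",
     re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b"
                r"|\bwin32_shadowcopy\b.*\b(?:delete|remove)\b", re.I)),
]

# Constructed sample records: "<timestamp>|<host>|<parent image>|<command line>"
SAMPLE_LOGS = [
    "2021-05-10T02:14:07Z|FILESRV01|C:\\Windows\\explorer.exe|"
    "\"C:\\Windows\\System32\\notepad.exe\" C:\\Users\\alice\\notes.txt",
    "2021-05-10T02:15:31Z|FILESRV01|C:\\Windows\\System32\\rundll32.exe|"
    "vssadmin.exe Delete Shadows /All",
    "2021-05-10T02:15:32Z|FILESRV01|C:\\Windows\\System32\\rundll32.exe|"
    "wmic.exe shadowcopy delete",
    "2021-05-10T03:00:00Z|BACKUP02|C:\\Windows\\System32\\cmd.exe|"
    "vssadmin.exe List Shadows",
    "malformed line with no separators",
]


def parse_line(line):
    """Split one record into its four fields; return None for malformed input."""
    parts = line.split("|", 3)
    if len(parts) != 4:
        return None
    return {"timestamp": parts[0], "host": parts[1],
            "parent": parts[2], "cmdline": parts[3]}


def scan(lines):
    """Return one Alert per record whose command line matches a deletion rule."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip rather than crash on a bad record
        for name, pattern in RULES:
            if pattern.search(rec["cmdline"]):
                alerts.append(Alert(rec["timestamp"], rec["host"], name, rec["cmdline"]))
                break  # first matching rule wins; one alert per record
    return alerts


def hosts_with_repeated_deletion(alerts, min_hits=2):
    """Hosts with at least `min_hits` deletion alerts: several attempts in a
    row, rather than a single admin command, are the pre-encryption pattern."""
    counts = {}
    for a in alerts:
        counts[a.host] = counts.get(a.host, 0) + 1
    return sorted(h for h, c in counts.items() if c >= min_hits)


if __name__ == "__main__":
    found = scan(SAMPLE_LOGS)
    for a in found:
        print(f"{a.timestamp} {a.host} [{a.rule}] {a.command_line}")
    print("hosts needing triage:", hosts_with_repeated_deletion(found))
```

In practice the records would come from an EDR or Sysmon process-creation feed rather than a list, and the repeated-deletion threshold is what separates a backup administrator's occasional cleanup from the burst of deletions that precedes encryption.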