CISA and FBI alert: DarkSide ransomware used in Colonial Pipeline cyberattack (and mitigation guidance) – updated

CISA and FBI alert: DarkSide ransomware used in Colonial Pipeline cyberattack (and mitigation guidance)

The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have published a joint cybersecurity alert on a new ransomware variant “DarkSide” used in recent cyberattack against pipeline operator Colonial Pipeline. The alert also includes best practice guidance in disrupting ransomware attacks.

Cybercriminals have developed DarkSide as a ransomware-as-a-service (RaaS) variant, whereby the actors receive a share of the proceeds from other cybercriminals (or “affiliates”) who deploy the ransomware. The DarkSide group has allegedly targeted larger organizations that can afford to pay large ransoms, unlike other ransomware groups that target hospitals, schools, non-profits and governments.

An excerpt from the joint CISA and FBI alert:

“Cybercriminal groups use DarkSide to gain access to a victim’s network to encrypt and exfiltrate data. These groups then threaten to expose data if the victim does not pay the ransom. Groups leveraging DarkSide have recently been targeting organizations across various CI sectors including manufacturing, legal, insurance, healthcare, and energy.”


Last weekend, the ransomware attack crippled the largest U.S. pipeline operator, Colonial Pipeline, shutting down 45% of the East Coast’s supply of fuel. As a result, the US Department of Transportation (USDOT) later issued an emergency waiver to allow easier transports of fuel by truck in those states affected.

The pipeline operator transports 2.5 million barrels a day through its pipelines or 45% of the East Coast’s supply of diesel, petrol and jet fuel.

Colonial Pipeline took itself offline after discovering the cyberattack last Friday.

However, the operator provided an update regarding system restarts on May 13:

“Colonial Pipeline has made substantial progress in safely restarting our pipeline system and can report that product delivery has commenced in a majority of the markets we service. By mid-day today, we project that each market we service will be receiving product from our system.”

Colonial Pipeline

The operator previously confirmed pipeline operations had restarted on May 12 at 5 P.M. Eastern Time.

Ransomware Mitigation Guidance

The CISA and FBI alert also included sound mitigation guidance to help organizations disrupt ransomware attacks.

A summary of ransomware mitigation guidance includes:

  • Use multi-factor authentication (MFA).
  • Enable strong spam filters to prevent phishing emails.
  • Implement a user training program and simulated attacks for spearphishing.
  • Filter egress network traffic to known malicious IPs and implement URL blocklists (e.g., forward proxy).
  • Patch all software and firmware in timely manner.
  • Limit remote desktop protocol (RDP), along with MFA.
  • Filter network traffic to prohibit ingress and egress communications with known malicious IP addresses. Prevent users from accessing malicious websites by implementing URL blocklists and/or allowlists.
  • Use anti-virus/anti-malware to scan IT networks regularly and ensure up-to-date signatures.
  • Prohibit execution of unauthorized programs (e.g., disable Office macros in files sent via email, application allowlisting, monitor/block inbound connections from Tor exit nodes).

Readers can check out more details on the DarkSide ransomware by checking out the CISA/FBI report and also Colonial cyberattack.

Update May 19, 2021 (original posting May 14, 2021):

The FBI and CISA issued an update to the previous DarkSide ransomware advisory that now includes a downloadable STIX file of indicators of compromise (IOCs) to help network defenders find and mitigate activity associated with the ransomware.

Related Articles