{
	"id": "b3302b0a-0fe0-4bdc-87d6-cfe135216c31",
	"created_at": "2026-04-06T00:17:58.559246Z",
	"updated_at": "2026-04-10T03:35:03.162101Z",
	"deleted_at": null,
	"sha1_hash": "c1c2db1232d47a81ffb5d41a8e428c9ec205ee65",
	"title": "Darkside Ransomware: Falcon Protects Customers | CrowdStrike",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 354930,
	"plain_text": "Darkside Ransomware: Falcon Protects Customers | CrowdStrike\r\nBy Karan Sood - Shaun Hurley - Adrian-Liviu Arsene\r\nArchived: 2026-04-05 21:57:02 UTC\r\nThe CrowdStrike Falcon® platform provides CrowdStrike clients with protection from DarkSide ransomware.\r\nDarkSide is a ransomware as a service (RaaS) associated with an eCrime group tracked by CrowdStrike as CARBON SPIDER.\r\nRansomware incidents such as the DarkSide attack that disrupted a major fuel pipeline — one that transports almost half of all fuel consumed on the East Coast of the United States — underscore the fragility of our critical infrastructure, and the magnitude of the problems faced by the public and private sector leaders who are charged with protecting it. “The vulnerability of infrastructure is significant to our national security and the operations of this country,” said Shawn Henry, CrowdStrike CSO and President of CrowdStrike Services, in an interview for MSNBC. “These organized crime groups have been making billions of dollars by extorting U.S. companies and global companies that have not been able to protect themselves from this debilitating ransomware.”\r\nWho Was Behind the Pipeline Attack?\r\nDarkSide is associated with a criminal group tracked by CrowdStrike Intelligence as CARBON SPIDER. Security researchers, customers and anyone interested in learning more about the technical tradecraft, the targeted verticals and the origin of CARBON SPIDER can explore the CrowdStrike Adversary Universe for intelligence on all tracked adversaries. This information is consistently updated, and enterprises can use it to defend their organizations against some of the most persistent adversaries active now. CARBON SPIDER first emerged in 2013 and is known to conduct several different financially motivated operations. 
In the summer of 2020 it began using ransomware and ultimately built and marketed its own ransomware as a service (RaaS), which it dubbed “DarkSide.”\r\nDarkSide operators traditionally focused on Windows machines and more recently expanded to Linux, targeting enterprise environments that run unpatched VMware ESXi hypervisors, or stealing vCenter credentials to log in to the management console directly, in order to encrypt virtual machine files. Because encrypting the datastore files takes every guest on the hypervisor down at once, this tactic further increases the scope of affected systems and places additional pressure on victims to give in to ransom demands. DarkSide operators seemed to pride themselves on their ability to vet affiliates that match a strictly defined set of criteria and adhere to their code of conduct. While the eCrime group claimed in the past that it would not target medical, educational or government institutions, it is clear that either its vetting process is not strict or some affiliates do not share those rules.\r\nThe DarkSide operators to whom this incident was attributed issued a statement claiming their goals are strictly financial, with no political affiliation or intent to cause societal problems. (According to Krebs on Security, the DarkSide ransomware affiliate program behind the pipeline attack later “announced it was closing up shop after its servers were seized and someone drained the cryptocurrency from an account the group uses to pay affiliates.”)\r\nhttps://www.crowdstrike.com/blog/falcon-protects-from-darkside-ransomware/\r\nPage 1 of 3\n\nThe CrowdStrike Falcon® platform incorporates intelligence derived from continuous monitoring of the tactics, techniques and procedures of over 160 identified threat actors and numerous unnamed groups, enabling us to protect organizations from sophisticated attacks, including DarkSide ransomware. 
CrowdStrike employs a layered approach to detecting malware, combining machine learning with indicators of attack (IOAs). As the screenshot below shows, the Falcon sensor kills the ransomware process as soon as file-encryption behavior is observed.\r\nThis video demonstrates how the DarkSide ransomware sample is immediately blocked and quarantined by Falcon upon execution. CrowdStrike’s machine learning engine is part of the Falcon agent and protects the system whether it is online or offline. In addition to machine learning, the Falcon platform’s built-in behavioral detection identifies the rapid encryption of files and blocks the ransomware execution to protect the system. Integrating machine learning and behavioral detection within a single lightweight agent is how CrowdStrike protects the systems critical to our customers.\r\nRecommendations\r\nOrganizations hit with DarkSide or other ransomware risk a significant impact to their business operations for a protracted period of time. Companies have to protect themselves by making sure they have the right technology in place and the right visibility into their environments, so that they can disrupt these operations through their security infrastructure.\r\nThe U.S. government, law enforcement and security companies understandably recommend that companies do not give in to ransomware and extortion demands. Unfortunately, public and private entities are sometimes stuck in a situation where they cannot reconstitute their environment, making an attack an existential threat to the organization.
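The rate-based behavioral signal described in the Falcon section above (one process rewriting many distinct files with ciphertext-like content inside a short window) can be illustrated with the following added example. It is not CrowdStrike code and makes no claim about how the Falcon sensor implements its IOAs; the class and function names (EncryptionBurstDetector, run_detector), the thresholds, the process IDs, the file paths and the file-write events are all constructed for the example.

```python
import math
from collections import defaultdict, deque

# Added example, not Falcon code. The thresholds are assumptions chosen for illustration.
WINDOW_SECONDS = 10.0   # sliding window per process
MIN_FILES = 20          # distinct high-entropy files in one window before alerting
HIGH_ENTROPY = 7.0      # bits per byte; ciphertext and compressed data sit close to 8.0


def shannon_entropy(data):
    # Shannon entropy in bits per byte of a content sample.
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


class EncryptionBurstDetector:
    # Flags a process that rewrites many distinct files with high-entropy
    # content inside a short sliding window.
    def __init__(self, window=WINDOW_SECONDS, min_files=MIN_FILES, entropy=HIGH_ENTROPY):
        self.window = window
        self.min_files = min_files
        self.entropy = entropy
        self.recent = defaultdict(deque)  # pid -> deque of (timestamp, path)
        self.alerted = set()

    def observe(self, ts, pid, path, content_sample):
        # Low-entropy writes (document edits, zero fills) never count towards the burst.
        if shannon_entropy(content_sample) < self.entropy:
            return None
        q = self.recent[pid]
        q.append((ts, path))
        while q and ts - q[0][0] > self.window:
            q.popleft()
        distinct = {p for _, p in q}
        if len(distinct) >= self.min_files and pid not in self.alerted:
            self.alerted.add(pid)
            return {'pid': pid, 'ts': ts, 'files': len(distinct)}
        return None


def run_detector(events):
    # events: iterable of (timestamp, pid, path, content_sample); returns the alerts raised.
    det = EncryptionBurstDetector()
    alerts = []
    for ts, pid, path, sample in sorted(events, key=lambda e: e[0]):
        alert = det.observe(ts, pid, path, sample)
        if alert:
            alerts.append(alert)
    return alerts


# Constructed content samples: a uniform byte distribution stands in for ciphertext,
# repeated prose stands in for an ordinary document.
ENCRYPTED_LIKE = bytes(range(256)) * 2
PLAINTEXT_LIKE = b'lorem ipsum dolor sit amet ' * 20

# Constructed file-write events (hypothetical pids and paths, not telemetry from the page):
#   pid 4242 rewrites 30 share files in three seconds, ransomware style;
#   pid 1001 writes the same kind of content but one file every three seconds, backup style;
#   pid 7 writes plain text at the same rate as pid 4242, editor style.
SAMPLE_EVENTS = (
    [(100.0 + i * 0.1, 4242, f'/shares/finance/q{i}.xlsx', ENCRYPTED_LIKE) for i in range(30)]
    + [(100.0 + i * 3.0, 1001, f'/backup/archive_{i}.gz', ENCRYPTED_LIKE) for i in range(30)]
    + [(100.0 + i * 0.1, 7, f'/home/alice/notes_{i}.txt', PLAINTEXT_LIKE) for i in range(30)]
)

if __name__ == '__main__':
    for alert in run_detector(SAMPLE_EVENTS):
        print('rapid encryption burst', alert)
```

Only the ransomware-style process trips the detector: the backup job writes equally high-entropy archives but never reaches 20 distinct files inside a 10-second window, and the editor never produces high-entropy content. The caveat a practitioner should keep in mind is that entropy does not distinguish encryption from compression, so a bulk archiving or disk-migration job can produce the same rate-and-entropy profile; a production IOA corroborates the burst with other signals (extension renames, ransom-note drops, shadow-copy deletion) before it kills and quarantines the process.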
It is vitally important for companies to protect themselves before an incident occurs, especially as ransomware is a prolific business that adversaries will continue to invest in.\r\nProtecting our customers against threats like DarkSide ransomware and sophisticated adversaries like CARBON SPIDER is something the CrowdStrike platform does every day. Organizations currently leveraging the Falcon platform can quickly and effectively detect and protect against DarkSide ransomware and other big game hunting (BGH) attacks.\r\nIndependent third-party validation also supports the strength of our platform. CrowdStrike Falcon® has recently been named a leader in the Gartner 2021 Magic Quadrant for Endpoint Protection Platforms (EPP) and The Forrester Wave™ Endpoint Security Software As A Service. In addition, CrowdStrike Falcon® has consistently proven its detection and protection capabilities in tests performed by leading independent testing organizations, such as MITRE, SE Labs, AV-TEST and AV-Comparatives. By deploying the Falcon platform and following the recommended “1-10-60” benchmark (one minute to detect an intrusion, 10 minutes to investigate it and one hour to contain and remediate it), organizations will have the best available protection for their operations and data from ransomware attacks like DarkSide.\r\nAdditional Resources\r\nLearn about recent intrusion trends, adversary tactics and highlights of notable intrusions in the CrowdStrike 2021 Global Threat Report.\r\nUnderstand the trends and themes that we observed while responding to and remediating incidents around the globe in 2020 — download the latest CrowdStrike Services Cyber Front Lines Report.\r\nLearn more about the CrowdStrike Falcon® platform by visiting the product webpage.\r\nTest CrowdStrike next-gen AV for yourself. 
Start your free trial of Falcon Prevent™ today.\r\nSource: https://www.crowdstrike.com/blog/falcon-protects-from-darkside-ransomware/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.crowdstrike.com/blog/falcon-protects-from-darkside-ransomware/"
	],
	"report_names": [
		"falcon-protects-from-darkside-ransomware"
	],
	"threat_actors": [
		{
			"id": "9de1979b-40fc-44dc-855d-193edda4f3b8",
			"created_at": "2025-08-07T02:03:24.92723Z",
			"updated_at": "2026-04-10T02:00:03.755516Z",
			"deleted_at": null,
			"main_name": "GOLD LOCUST",
			"aliases": [
				"Anunak",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Silicon "
			],
			"source_name": "Secureworks:GOLD LOCUST",
			"tools": [
				"Carbanak"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "bb8702c5-52ac-4359-8409-998a7cc3eeaf",
			"created_at": "2023-01-06T13:46:38.405479Z",
			"updated_at": "2026-04-10T02:00:02.961112Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"ATK32",
				"G0046",
				"G0008",
				"Sangria Tempest",
				"ELBRUS",
				"GOLD NIAGARA",
				"Coreid",
				"Carbanak",
				"Carbon Spider",
				"JokerStash",
				"CARBON SPIDER"
			],
			"source_name": "MISPGALAXY:FIN7",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ed3810b7-141a-4ed0-8a01-6a972b80458d",
			"created_at": "2022-10-25T16:07:23.443259Z",
			"updated_at": "2026-04-10T02:00:04.602946Z",
			"deleted_at": null,
			"main_name": "Carbanak",
			"aliases": [
				"Anunak",
				"Carbanak",
				"Carbon Spider",
				"ELBRUS",
				"G0008",
				"Gold Waterfall",
				"Sangria Tempest"
			],
			"source_name": "ETDA:Carbanak",
			"tools": [
				"AVE_MARIA",
				"Agentemis",
				"AmmyyRAT",
				"Antak",
				"Anunak",
				"Ave Maria",
				"AveMariaRAT",
				"BABYMETAL",
				"BIRDDOG",
				"Backdoor Batel",
				"Batel",
				"Bateleur",
				"BlackMatter",
				"Boostwrite",
				"Cain \u0026 Abel",
				"Carbanak",
				"Cl0p",
				"Cobalt Strike",
				"CobaltStrike",
				"DNSMessenger",
				"DNSRat",
				"DNSbot",
				"DRIFTPIN",
				"DarkSide",
				"FOXGRABBER",
				"FlawedAmmyy",
				"HALFBAKED",
				"JS Flash",
				"KLRD",
				"MBR Eraser",
				"Mimikatz",
				"Nadrac",
				"Odinaff",
				"POWERPIPE",
				"POWERSOURCE",
				"PsExec",
				"SQLRAT",
				"Sekur",
				"Sekur RAT",
				"SocksBot",
				"SoftPerfect Network Scanner",
				"Spy.Agent.ORM",
				"TEXTMATE",
				"TeamViewer",
				"TiniMet",
				"TinyMet",
				"Toshliph",
				"VB Flash",
				"WARPRISM",
				"avemaria",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f4f16213-7a22-4527-aecb-b964c64c2c46",
			"created_at": "2024-06-19T02:03:08.090932Z",
			"updated_at": "2026-04-10T02:00:03.6289Z",
			"deleted_at": null,
			"main_name": "GOLD NIAGARA",
			"aliases": [
				"Calcium ",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Navigator ",
				"Sangria Tempest ",
				"TelePort Crew "
			],
			"source_name": "Secureworks:GOLD NIAGARA",
			"tools": [
				"Bateleur",
				"Carbanak",
				"Cobalt Strike",
				"DICELOADER",
				"DRIFTPIN",
				"GGLDR",
				"GRIFFON",
				"JSSLoader",
				"Meterpreter",
				"OFFTRACK",
				"PILLOWMINT",
				"POWERTRASH",
				"SUPERSOFT",
				"TAKEOUT",
				"TinyMet"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "bfded1cf-be73-44f9-a391-0751c9996f9a",
			"created_at": "2022-10-25T15:50:23.337107Z",
			"updated_at": "2026-04-10T02:00:05.252413Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"FIN7",
				"GOLD NIAGARA",
				"ITG14",
				"Carbon Spider",
				"ELBRUS",
				"Sangria Tempest"
			],
			"source_name": "MITRE:FIN7",
			"tools": [
				"Mimikatz",
				"AdFind",
				"JSS Loader",
				"HALFBAKED",
				"REvil",
				"PowerSploit",
				"CrackMapExec",
				"Carbanak",
				"Pillowmint",
				"Cobalt Strike",
				"POWERSOURCE",
				"RDFSNIFFER",
				"SQLRat",
				"Lizar",
				"TEXTMATE",
				"BOOSTWRITE"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434678,
	"ts_updated_at": 1775792103,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c1c2db1232d47a81ffb5d41a8e428c9ec205ee65.pdf",
		"text": "https://archive.orkl.eu/c1c2db1232d47a81ffb5d41a8e428c9ec205ee65.txt",
		"img": "https://archive.orkl.eu/c1c2db1232d47a81ffb5d41a8e428c9ec205ee65.jpg"
	}
}