{
	"id": "969fefc2-4371-4a54-a1fe-b43bdeccd57f",
	"created_at": "2026-04-06T00:16:25.369096Z",
	"updated_at": "2026-04-10T03:22:13.98318Z",
	"deleted_at": null,
	"sha1_hash": "e6e949af5ad889eea047e444aa3c5abc9bc035fe",
	"title": "The DarkSide of the Ransomware Pipeline | Splunk",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 423955,
	"plain_text": "The DarkSide of the Ransomware Pipeline | Splunk\r\nBy James Brodsky\r\nPublished: 2021-05-11 · Archived: 2026-04-05 19:57:59 UTC\r\nAuthors and Contributors: Mick Baccio, Ryan Kovar, Marcus LaFerrera, Michael Natkin, John Stoner, and Bill\r\nWright.\r\nIf you want to quickly find out how to use Splunk to find activity related to the DarkSide Ransomware, skip to the\r\n“Detection and Remediation of DarkSide” section. Otherwise, read on for a quick breakdown of what happened\r\nto the Colonial Pipeline, how to detect the ransomware, and view MITRE ATT\u0026CK mappings.\r\nIntroduction to the Colonial Pipeline Ransomware Attack\r\nhttps://www.splunk.com/en_us/blog/security/the-darkside-of-the-ransomware-pipeline.html\r\nPage 1 of 5\n\nIt might be more expensive for you to take that Great American Road Trip this summer because filling up the tank\r\nof the Family Truckster may cost you some serious Dogecoin. Let us give you a little bit more color on this:\r\nLate on Friday, May 7th, one of the US’s largest gasoline pipelines was preemptively shut down by operator\r\nColonial Pipeline, because their corporate computer networks were affected by Ransomware-as-a-Service\r\nauthored and maintained by the group DarkSide. This 5500 mile pipeline transports about 45% of the East Coast’s\r\nfuel supplies, and at the time of this blog, Colonial Pipeline had not returned to full operation. Now, mind you, the\r\nransomware did not directly cause the pipeline to shut down - rather, Colonial shut down operations voluntarily\r\nout of an abundance of caution. But until they can be sure that the adversary leveraging the DarkSide ransomware\r\nfor the attack does not have the ability to affect operations, the pipeline will remain dry. 
Colonial is hoping to get\r\nthe pipeline back to operation by the end of this week.\r\nRegardless of how all of this plays out, what Splunk customers want to know is how to detect and mitigate\r\nDarkSide ransomware, especially if they work in critical infrastructure. In fact, last year CISA released an alert\r\nabout ransomware targeting pipeline operators - so we know this is a big deal. And, they just updated it today with\r\nnew alert guidance (AA21-131A) specific to DarkSide.\r\nAfter review, we’re happy to find that the behavior of this ransomware isn’t particularly novel, and all of the\r\nguidance we’ve shared for years on ransomware detection and mitigation applies. Let’s review that guidance, and\r\nupdate it where appropriate.\r\nWhat You Need to Know\r\nOne of the last significant ransomware events was the Ryuk ransomware at the end of October 2020, however our\r\nspecialists pointed out that Ryuk wasn’t particularly novel in terms of its operation. Our Threat Research team also\r\nposted about detecting the Clop ransomware last month and recently updated further.\r\nIs the DarkSide variant of ransomware more interesting than either of these? No, it isn’t! However, there’s\r\nsignificant worldwide interest because of the target chosen. We also see these “affiliate” actors attempt a “double\r\nextortion” where not only have they encrypted critical business data, they’re also threatening to release it publicly\r\nif additional ransom is not paid. DarkSide also contains a killswitch if it detects a Russian language environment.\r\nThere are also reports that the ongoing global pandemic has made infections like this easier, because operational\r\nstaff may be working from home and that may broaden the attack surface. 
However, this is not new, as remote\r\naccess for Operational Technology (OT) networks is commonplace and long predates the pandemic.\r\nSplunk \u0026 Ransomware: Not Our First Rodeo\r\nAs we’ve stated, this blog ain’t the first time we’re covering our approach to Ransomware. Feast your eyes on the\r\nfollowing corpus of material from days of yore:\r\n.conf talks and videos\r\nSplunking the Endpoint 2016: Ransomware Edition! and Video\r\nHow Splunk Can Help You Prevent Ransomware From Holding Your Business Hostage\r\nWindows Ransomware Detection with Splunk (1 of 6) – Vulnerability Detection and Windows\r\nPatch Status\r\nDetections Blogs\r\nClop Ransomware Detection: Threat Research Release, April 2021\r\nRyuk and Splunk Detections Splunk Blogs\r\nDetecting Ryuk Using Splunk Attack Range\r\nWhitepaper\r\nSplunk Security: Detecting Unknown Malware and Ransomware\r\nPhantom Responses\r\nAutomate Your Response to WannaCry Ransomware\r\nPlaybook: Detect, Block, Contain, and Remediate Ransomware\r\nMachine Learning Method\r\nDetect Ransomware in Your Data with the Machine Learning Cloud Service\r\nOperationalizing Detections\r\nOperationalize Ransomware Detections Quickly and Easily with Splunk\r\nAlso, looking for some fun Ransomware eye-candy to survey the kinds of infections rampant within the US over\r\nthe past several years? Check out this interactive map from Statescoop.\r\nAs regular readers of our blogs will expect, we normally fill this section with TTPs pulled from the zero-day or\r\npossibly a breakdown of a new malware variant. But, after reviewing the last six or seven years of content that\r\nSplunk has created, we are again proud to say we already have you covered. In the list of detections below, you\r\nwill notice that we did not break out IOCs. As David Bianco has pyramidized in the past, IOCs are ephemeral and\r\nchange often! 
I recommend working with a threat intel provider for any low-level IOCs like hashes or IPs. Throw\r\nthem into a Lookup table or ES threat intel framework, and off you go! If you don’t have a threat intel provider,\r\nstart skimming Twitter for some tremendous open-source lists.\r\nThe fine folks at CyberReason have a detailed walkthrough of how DarkSide behaves after the initial foothold.\r\nFrom a Splunk detection perspective, here are some things we suggest collecting:\r\nProcess execution logs, from our favorite Windows Security 4688 events, or Sysmon EventCode 1, or any\r\ncommercial EDR, are, as always, key to detection of the parent/child process relationships involved in\r\nactions on intent and lateral movement as well as the deletion of Volume Shadow Copies.\r\nPowerShell Script Block Logging is also critical, so that you can detect certain modules like\r\nWebClient.DownloadFile being used where you don’t expect, as well as the use of encoded PowerShell.\r\nWindows System events, so that you can detect Scheduled Tasks being created and enabled (4698, 4700).\r\nAnd as always, unusual network connections from servers and endpoints (can be accomplished via firewall,\r\nproxy, Sysmon EventCode 3, or EDR logs) and DNS query logging will be helpful.\r\nSplunk Security Essentials\r\nIn case you are unaware (or living under a rock for the last two years), Splunk Security Essentials is the place to\r\nget Splunk’s security content. And since our last-go round with Ryuk, we’ve updated Splunk Security Essentials\r\nand made it a fully-supported Splunk product (but it’s still free!). 
When you boot up the app, navigate to “Security\r\nContent Library,” and search for Ransomware, you get a plethora of content!\r\nSplunk Security Essentials - Ransomware content\r\nSplunk Enterprise Security and ESCU\r\nKnow Thyself\r\nWhile we have spent some time explaining this attack and effort needs to be put toward investigating this, it is\r\nalso important to note that the basics are important. Basic asset management, hopefully via your asset and identity\r\nframework, will tell you where your vulnerable systems reside. Running regular vulnerability scans that integrate\r\ninto Splunk will display which systems are vulnerable and can help you prioritize your patching schedule and\r\nbetter focus your detection efforts.\r\nSplunk Enterprise Security and ESCU\r\nThreat Intelligence Framework\r\nIf you are using Splunk Enterprise Security (ES), many organizations are posting IOCs that can be ingested easily\r\ninto the threat intelligence framework. Perhaps you aren’t sure how to do that? No worries, we published some\r\nguidance and a how-to on integrating lists of IOCs into the Enterprise Security threat intelligence framework. We\r\nwon’t be publishing a list of IOCs along with this blog as they are quite ephemeral, but use of the Threat\r\nIntelligence Framework (or standard lookups within Splunk) will allow you to easily perform IOC matching.\r\nEnterprise Security Content Updates (ESCU)\r\nFor folks using ESCU, our Splunk Threat Research team will release a new Splunk Analytic Story called Darkside\r\nRansomware by the end of this week containing detections for this threat. Saying that, check out the MITRE\r\nATT\u0026CK table below. 
If you have ESCU running today, you already have some great coverage!\r\nMITRE ATT\u0026CK\r\nReviewing one of the first blog posts on DarkSide Ransomware from Digital Shadows in September 2020, we\r\nextracted their MITRE ATT\u0026CK tactics and then linked to Splunk Content to help you hunt for that information.\r\nBe aware: these searches are provided as a way to accelerate your hunting. We recommend you configure them via\r\nthe Splunk Security Essentials App. You may need to modify them to work in your environment! Many of these\r\nsearches are optimized for use with the tstats command.\r\nFinally, as more information becomes available, we will update these searches if more ATT\u0026CK TTPs become\r\nknown.\r\nConclusion\r\nWe know that such a publicly visible example of the impact of Ransomware can stoke visceral fear, but we’ve got\r\nyour back. Hopefully, these searches, blogs, videos, conference papers, and whitepapers will provide you the\r\nability to have more visibility into your environment and any malicious activity that you might be experiencing. If\r\nthey don’t work perfectly, think of them as “SplunkSpiration” :-). As soon as we have more information, we will\r\nupdate this blog and, as we talked about earlier, be on the lookout for some more detailed info about DarkSide and\r\nan Analytic Story delivered via ESCU from our Splunk Threat Research team.\r\nSource: https://www.splunk.com/en_us/blog/security/the-darkside-of-the-ransomware-pipeline.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.splunk.com/en_us/blog/security/the-darkside-of-the-ransomware-pipeline.html"
	],
	"report_names": [
		"the-darkside-of-the-ransomware-pipeline.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434585,
	"ts_updated_at": 1775791333,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e6e949af5ad889eea047e444aa3c5abc9bc035fe.pdf",
		"text": "https://archive.orkl.eu/e6e949af5ad889eea047e444aa3c5abc9bc035fe.txt",
		"img": "https://archive.orkl.eu/e6e949af5ad889eea047e444aa3c5abc9bc035fe.jpg"
	}
}