{
	"id": "cc019913-a636-4842-acec-26383f641c92",
	"created_at": "2026-04-06T00:16:40.812203Z",
	"updated_at": "2026-04-10T03:20:22.671247Z",
	"deleted_at": null,
	"sha1_hash": "f3b60fb55e8f20487cfaaeec3d4e93e8a3c7b78a",
	"title": "DarkSide Ransomware: Best Practices for Preventing Business Disruption from Ransomware Attacks | CISA",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 116839,
	"plain_text": "DarkSide Ransomware: Best Practices for Preventing Business\r\nDisruption from Ransomware Attacks | CISA\r\nPublished: 2021-07-08 · Archived: 2026-04-05 21:16:40 UTC\r\nSummary\r\nThis Advisory uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT\u0026CK®)\r\nframework, Version 9. See the ATT\u0026CK for Enterprise for all referenced threat actor tactics and techniques.\r\nThe Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) are\r\naware of a ransomware attack affecting a critical infrastructure (CI) entity—a pipeline company—in the United\r\nStates. Malicious cyber actors deployed DarkSide ransomware against the pipeline company’s information\r\ntechnology (IT) network.[1] At this time, there is no indication that the entity’s operational technology (OT)\r\nnetworks have been directly affected by the ransomware.\r\nCISA and FBI urge CI asset owners and operators to adopt a heightened state of awareness and implement the\r\nrecommendations listed in the Mitigations section of this Joint Cybersecurity Advisory, including implementing\r\nrobust network segmentation between IT and OT networks; regularly testing manual controls; and ensuring that\r\nbackups are implemented, regularly tested, and isolated from network connections. These mitigations will help CI\r\nowners and operators improve their entity's functional resilience by reducing their vulnerability to ransomware\r\nand the risk of severe business degradation if impacted by ransomware.\r\n(Updated May 19, 2021): Click here for a STIX package of indicators of compromise (IOCs). Note:\r\nThese IOCs were shared with critical infrastructure partners and network defenders on May 10, 2021. 
The\r\napplications listed in the IOCs were leveraged by the threat actors during the course of a compromise.\r\nSome of these applications might appear within an organization's enterprise to support legitimate purposes;\r\nhowever, these applications can be used by threat actors to aid in malicious exploitation of an\r\norganization's enterprise. CISA and FBI recommend removing any application not deemed necessary for\r\nday-to-day operations.\r\n(Updated July 08, 2021): Click here for downloadable IOCs associated with a sample of a DarkSide\r\nransomware variant analyzed by CISA and FBI. Note: CISA and FBI have no evidence that this sample is\r\nrelated to the pipeline incident detailed in this CSA. This variant executes a dynamic-link library (DLL)\r\nprogram used to delete Volume Shadow copies available on the system. The malware collects, encrypts,\r\nand sends system information to the threat actor’s command and control (C2) domains and generates a\r\nransom note to the victim. For more information about this variant, refer to Malware Analysis Report\r\nMAR-10337802-1.v1: DarkSide Ransomware.\r\nTechnical Details\r\nhttps://us-cert.cisa.gov/ncas/alerts/aa21-131a\r\nPage 1 of 6\n\nNote: the analysis in this Joint Cybersecurity Advisory is ongoing, and the information provided should not be\r\nconsidered comprehensive. CISA and FBI will update this advisory as new information is available.\r\nAfter gaining initial access to the pipeline company’s network, DarkSide actors deployed DarkSide ransomware\r\nagainst the company’s IT network. 
In response to the cyberattack, the company has reported that they proactively\r\ndisconnected certain OT systems to ensure the systems’ safety.[2] At this time, there are no indications that the\r\nthreat actor moved laterally to OT systems.\r\nDarkSide is ransomware-as-a-service (RaaS)—the developers of the ransomware receive a share of the proceeds\r\nfrom the cybercriminal actors who deploy it, known as “affiliates.” According to open-source reporting, since\r\nAugust 2020, DarkSide actors have been targeting multiple large, high-revenue organizations, resulting in the\r\nencryption and theft of sensitive data. The DarkSide group has publicly stated that they prefer to target\r\norganizations that can afford to pay large ransoms instead of hospitals, schools, non-profits, and governments.[3],[4]\r\nAccording to open-source reporting, DarkSide actors have previously been observed gaining initial access through\r\nphishing and exploiting remotely accessible accounts and systems and Virtual Desktop Infrastructure (VDI)\r\n(Phishing [T1566], Exploit Public-Facing Application [T1190], External Remote Services [T1133]).[5],[6]\r\nDarkSide actors have also been observed using Remote Desktop Protocol (RDP) to maintain Persistence\r\n[TA0003].[7]\r\nAfter gaining access, DarkSide actors deploy DarkSide ransomware to encrypt and steal sensitive data (Data\r\nEncrypted for Impact [T1486]). 
The actors then threaten to publicly release the data if the ransom is not paid.\r\n[8],[9] The DarkSide ransomware uses Salsa20 and RSA encryption.[10]\r\nDarkSide actors primarily use The Onion Router (TOR) for Command and Control (C2) [TA0011] (Proxy:\r\nMulti-hop Proxy [T1090.003]).[11],[12] The actors have also been observed using Cobalt Strike for C2.[13]\r\nMitigations\r\nCISA and FBI urge CI owners and operators to apply the following mitigations to reduce the risk of compromise\r\nby ransomware attacks.\r\nRequire multi-factor authentication for remote access to OT and IT networks.\r\nEnable strong spam filters to prevent phishing emails from reaching end users. Filter emails\r\ncontaining executable files from reaching end users.\r\nImplement a user training program and simulated attacks for spearphishing to discourage users from\r\nvisiting malicious websites or opening malicious attachments and reinforce the appropriate user responses\r\nto spearphishing emails.\r\nFilter network traffic to prohibit ingress and egress communications with known malicious IP addresses.\r\nPrevent users from accessing malicious websites by implementing URL blocklists and/or allowlists.\r\nUpdate software, including operating systems, applications, and firmware on IT network assets, in a\r\ntimely manner. Consider using a centralized patch management system; use a risk-based assessment\r\nstrategy to determine which OT network assets and zones should participate in the patch management\r\nprogram.\r\nLimit access to resources over networks, especially by restricting RDP. After assessing risks, if RDP is\r\ndeemed operationally necessary, restrict the originating sources and require multi-factor authentication.\r\nSet antivirus/antimalware programs to conduct regular scans of IT network assets using up-to-date\r\nsignatures. 
Use a risk-based asset inventory strategy to determine how OT network assets are identified and\r\nevaluated for the presence of malware.\r\nImplement unauthorized execution prevention by:\r\nDisabling macro scripts from Microsoft Office files transmitted via email. Consider using Office\r\nViewer software to open Microsoft Office files transmitted via email instead of full Microsoft\r\nOffice suite applications.\r\nImplementing application allowlisting, which only allows systems to execute programs known\r\nand permitted by security policy. Implement software restriction policies (SRPs) or other controls to\r\nprevent programs from executing from common ransomware locations, such as temporary folders\r\nsupporting popular internet browsers or compression/decompression programs, including the\r\nAppData/LocalAppData folder.\r\nMonitor and/or block inbound connections from Tor exit nodes and other anonymization\r\nservices to IP addresses and ports for which external connections are not expected (i.e., other than\r\nVPN gateways, mail ports, web ports). For more guidance, refer to Joint Cybersecurity Advisory\r\nAA20-183A: Defending Against Malicious Cyber Activity Originating from Tor.\r\nDeploy signatures to detect and/or block inbound connections from Cobalt Strike servers and\r\nother post-exploitation tools.\r\nCISA and FBI urge CI owners and operators to apply the following mitigations now to reduce the risk of severe\r\nbusiness or functional degradation should their CI entity fall victim to a ransomware attack in the future.\r\nImplement and ensure robust network segmentation between IT and OT networks to limit the ability\r\nof adversaries to pivot to the OT network even if the IT network is compromised. Define a demilitarized\r\nzone that eliminates unregulated communication between the IT and OT networks.\r\nOrganize OT assets into logical zones by taking into account criticality, consequence, and operational\r\nnecessity. 
Define acceptable communication conduits between the zones and deploy security controls to\r\nfilter network traffic and monitor communications between zones. Prohibit industrial control system (ICS)\r\nprotocols from traversing the IT network.\r\nIdentify OT and IT network inter-dependencies and develop workarounds or manual controls to\r\nensure ICS networks can be isolated if the connections create risk to the safe and reliable operation of OT\r\nprocesses. Regularly test contingency plans such as manual controls so that safety critical functions can be\r\nmaintained during a cyber incident. Ensure that the OT network can operate at necessary capacity even if\r\nthe IT network is compromised.\r\nRegularly test manual controls so that critical functions can be kept running if ICS or OT networks need\r\nto be taken offline.\r\nImplement regular data backup procedures on both the IT and OT networks. Backup procedures should\r\nbe conducted on a frequent, regular basis. The data backup procedures should also address the following\r\nbest practices:\r\nEnsure that backups are regularly tested.\r\nStore your backups separately. Backups should be isolated from network connections that could\r\nenable the spread of ransomware. It is important that backups be maintained offline as many\r\nransomware variants attempt to find and encrypt or delete accessible backups. Maintaining current\r\nbackups offline is critical because if your network data is encrypted with ransomware, your\r\norganization can restore systems to its previous state. Best practice is to store your backups on a\r\nseparate device that cannot be accessed from a network, such as on an external hard drive. (See the\r\nSoftware Engineering Institute’s page on ransomware).\r\nMaintain regularly updated “gold images” of critical systems in the event they need to be\r\nrebuilt. 
This entails maintaining image “templates” that include a preconfigured operating system\r\n(OS) and associated software applications that can be quickly deployed to rebuild a system, such as\r\na virtual machine or server.\r\nRetain backup hardware to rebuild systems in the event rebuilding the primary system is not\r\npreferred. Hardware that is newer or older than the primary system can present installation or\r\ncompatibility hurdles when rebuilding from images.\r\nStore source code or executables. It is more efficient to rebuild from system images, but some\r\nimages will not install on different hardware or platforms correctly; having separate access to\r\nneeded software will help in these cases.\r\nEnsure user and process accounts are limited through account use policies, user account control, and\r\nprivileged account management. Organize access rights based on the principles of least privilege and\r\nseparation of duties.\r\nIf your organization is impacted by a ransomware incident, CISA and FBI recommend the following actions:\r\nIsolate the infected system. Remove the infected system from all networks, and disable the computer’s\r\nwireless, Bluetooth, and any other potential networking capabilities. Ensure all shared and networked\r\ndrives are disconnected, whether wired or wireless.\r\nTurn off other computers and devices. Power off and segregate (i.e., remove from the network) the\r\ninfected computer(s). Power off and segregate any other computers or devices that shared a network with\r\nthe infected computer(s) that have not been fully encrypted by ransomware. If possible, collect and secure\r\nall infected and potentially infected computers and devices in a central location, making sure to clearly\r\nlabel any computers that have been encrypted. Powering off and segregating infected computers and\r\ncomputers that have not been fully encrypted may allow for the recovery of partially encrypted files by\r\nspecialists. 
(See Before You Connect a New Computer to the Internet for tips on how to make a computer\r\nmore secure before you reconnect it to a network.)\r\nSecure your backups. Ensure that your backup data is offline and secure. If possible, scan your backup\r\ndata with an antivirus program to check that it is free of malware.\r\nRefer to Joint Cybersecurity Advisory: AA20-245A: Technical Approaches to Uncovering and\r\nRemediating Malicious Activity for more best practices on incident response.\r\nNote: CISA and the FBI do not encourage paying a ransom to criminal actors. Paying a ransom may embolden\r\nadversaries to target additional organizations, encourage other criminal actors to engage in the distribution of\r\nransomware, and/or may fund illicit activities. Paying the ransom also does not guarantee that a victim’s files will\r\nbe recovered. CISA and FBI urge you to report ransomware incidents to your local FBI field office.\r\nCISA offers a range of no-cost cyber hygiene services to help CI organizations assess, identify and reduce their\r\nexposure to threats, including ransomware. 
By requesting these services, organizations of any size could find ways\r\nto reduce their risk and mitigate attack vectors.\r\nResources\r\nCISA and MS-ISAC: Joint Ransomware Guide\r\nCISA: Ransomware page\r\nCISA Tip: Protecting Against Ransomware\r\nCISA: CISA Ransomware One-Pager and Technical Document\r\nCISA Insights: Ransomware Outbreak\r\nCISA: Pipeline Cybersecurity Initiative\r\nCISA Webinar: Combating Ransomware\r\nCISA: Cybersecurity Practices for Industrial Control Systems\r\nFBI: Incidents of Ransomware on the Rise\r\nNational Security Agency (NSA): Stop Malicious Cyber Activity Against Connected Operational\r\nTechnology\r\nDepartment of Energy: Oil and Natural Gas Subsector Cybersecurity Capability Maturity Model\r\nTransportation Security Agency: Pipeline Security Guidelines\r\nNational Institute of Standards and Technology (NIST): Framework for Improving Critical Infrastructure\r\nCybersecurity\r\nNIST: Ransomware Protection and Response\r\nNIST: Data Integrity: Identifying and Protecting Assets Against Ransomware and Other Destructive Events\r\nNIST: Data Integrity: Detecting and Responding to Ransomware and Other Destructive Events\r\nNIST: Data Integrity: Recovering from Ransomware and Other Destructive Events\r\nNIST: Guide to Industrial Control Systems (ICS) Security\r\nSoftware Engineering Institute: Ransomware: Best Practices for Prevention and Response\r\nNIST Fact Sheet: How Do I Stay Prepared?\r\nContact Information\r\nVictims of ransomware should report it immediately to CISA at https://us-cert.cisa.gov/report, a local FBI Field\r\nOffice, or U.S. Secret Service Field Office. To report suspicious or criminal activity related to information found\r\nin this Joint Cybersecurity Advisory, contact your local FBI field office at www.fbi.gov/contact-us/field, or the\r\nFBI’s 24/7 Cyber Watch (CyWatch) at (855) 292-3937 or by e-mail at CyWatch@fbi.gov. 
When available,\r\nplease include the following information regarding the incident: date, time, and location of the incident; type of\r\nactivity; number of people affected; type of equipment used for the activity; the name of the submitting company\r\nor organization; and a designated point of contact. To request incident response resources or technical assistance\r\nrelated to these threats, contact CISA at central@cisa.dhs.gov.\r\nReferences\r\n[1] Colonial Pipeline Media Statement on Pipeline Disruption\r\n[2] Ibid\r\n[3] SonicWall: Darkside Ransomware Targets Large Corporations. Charges up to $2M\r\n[4] Varonis: Return of the Darkside: Analysis of a Large-Scale Data Theft Campaign\r\n[5] BankInfo Security: FBI: DarkSide Ransomware Used in Colonial Pipeline Attack\r\n[6] Varonis: Return of the Darkside: Analysis of a Large-Scale Data Theft Campaign\r\n[7] Ibid\r\n[8] SonicWall: Darkside Ransomware Targets Large Corporations. Charges up to $2M\r\n[9] Varonis: Return of the Darkside: Analysis of a Large-Scale Data Theft Campaign\r\n[10] McAfee: Threat Landscape Dashboard DarkSide – Ransomware\r\n[11] SonicWall: Darkside Ransomware Targets Large Corporations. Charges up to $2M\r\n[12] Varonis: Return of the Darkside: Analysis of a Large-Scale Data Theft Campaign\r\n[13] McAfee: Threat Landscape Dashboard DarkSide – Ransomware\r\nRevisions\r\nMay 11, 2021: Initial Version\r\nMay 12, 2021: Added additional resources\r\nMay 19, 2021: Added IOCs\r\nJuly 8, 2021: Added MAR-10337802-1.v1 and associated IOCs\r\nSource: https://us-cert.cisa.gov/ncas/alerts/aa21-131a",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://us-cert.cisa.gov/ncas/alerts/aa21-131a"
	],
	"report_names": [
		"aa21-131a"
	],
	"threat_actors": [],
	"ts_created_at": 1775434600,
	"ts_updated_at": 1775791222,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f3b60fb55e8f20487cfaaeec3d4e93e8a3c7b78a.pdf",
		"text": "https://archive.orkl.eu/f3b60fb55e8f20487cfaaeec3d4e93e8a3c7b78a.txt",
		"img": "https://archive.orkl.eu/f3b60fb55e8f20487cfaaeec3d4e93e8a3c7b78a.jpg"
	}
}