CISA-FBI Cybersecurity Advisory on DarkSide Ransomware following Colonial Pipeline cyberattack

CISA and the Federal Bureau of Investigation (FBI) have released a Joint Cybersecurity Advisory (CSA) on a ransomware-as-a-service (RaaS) variant—referred to as DarkSide—recently used in a ransomware attack against a critical infrastructure (CI) company.
The cyberattack against Colonial Pipeline that was discovered on May 7 underscores the growing impact of cyberthreats on industrial sectors. While the investigation is ongoing and important lessons from this attack will be extracted in the next few weeks, the fact that Colonial Pipeline had to pro-actively take their OT systems offline after starting to learn about which IT systems were impacted by the ransomware is significant.
Latest Update:
May 11: The FBI confirms that the Darkside ransomware is responsible for the compromise of the Colonial Pipeline networks
May 10: Colonial Pipeline restarted some systems with the goal of substantially restoring operational service by the end of the week
May 9: Colonial Pipeline is is developing a system restart plan
May 7: A ransomware attack against the corporate systems (IT) of Colonial Pipeline led the organization on Friday May 7 to proactively take certain operational systems (OT) offline to contain the threat, which has temporarily halted all pipeline operations. Details on the attack mechanism and the attack scope are under active investigation by the FBI and the private security firm Mandiant (a division of FireEye).
Cybercriminal groups use DarkSide to gain access to a victim’s network to encrypt and exfiltrate data. These groups then threaten to expose data if the victim does not pay the ransom. Groups leveraging DarkSide have recently been targeting organizations across various CI sectors including manufacturing, legal, insurance, healthcare, and energy.
Prevention is the most effective defense against ransomware. It is critical to follow best practices to protect against ransomware attacks, which can be devastating to an individual or organization and recovery may be a difficult process. In addition to the Joint CSA, CISA and FBI urge CI asset owners and operators to review the following resources for best practices on strengthening cybersecurity posture:
CISA and Multi-State Information Sharing and Analysis Center: Joint Ransomware Guide <https://www.cisa.gov/publication/ransomware-guide>

CISA Publish Ransomware Guidance and Resources

Ransomware is an ever-evolving form of malware designed to encrypt files on a device, rendering any files and the systems that rely on them unusable. Malicious actors then demand ransom in exchange for decryption. Ransomware actors often target and threaten to sell or leak exfiltrated data or authentication information if the ransom is not paid. In recent years, ransomware incidents have become increasingly prevalent among the Nation’s state, local, tribal, and territorial (SLTT) government entities and critical infrastructure organizations.
Malicious actors continue to adjust and evolve their ransomware tactics over time, and CISA analysts remain vigilant in maintaining awareness of ransomware attacks and associated tactics, techniques, and procedures across the country and around the world: See CISA's Awareness Briefings on Combating Ransomware, Joint Ransomware Statement, and CISA Insights – Ransomware Outbreak.
Looking to learn more about this growing cyber threat? The NEW Ransomware Guide is a great place to start. The Guide, released in September 2020, represents a joint effort between CISA and the Multi-State Information Sharing and Analysis Center (MS-ISAC). The joint Ransomware Guide includes industry best practices and a response checklist that can serve as a ransomware-specific addendum to organization cyber incident response plans.
In January 2021, CISA unveiled the Reduce the Risk of Ransomware Campaign to raise awareness and instigate actions to combat this ongoing and evolving threat. The campaign is a focused, coordinated and sustained effort to encourage public and private sector organizations to implement best practices, tools and resources that can help them mitigate ransomware risk.

CISA Launches Campaign to Reduce Risk of Ransomeware

The Cybersecurity and Infrastructure Security Agency (CISA) announced the Reduce the Risk of Ransomware Campaign today, a focused, coordinated and sustained effort to encourage public and private sector organizations to implement best practices, tools and resources that can help them mitigate this cybersecurity risk and threat.
Ransomware is increasingly threatening both public and private networks, causing data loss, privacy concerns, and costing billions of dollars a year. These incidents can severely impact business processes and leave organizations without the data they need to operate and deliver mission-critical services. Malicious actors have adjusted their ransomware tactics over time to include pressuring victims for payment by threatening to release stolen data if they refuse to pay and publicly naming and shaming victims as secondary forms of extortion.
“CISA is committed to working with organization at all levels to protect their networks from the threat of ransomware,” said Brandon Wales, Director (Acting) of CISA. “This includes working collaboratively with our public and private sector partners to understand, develop and share timely information about the varied and disruptive ransomware threats. Anyone can be the victim of ransomware, and so everyone should take steps to protect their systems.”
In this campaign, which will have a particular focus on supporting COVID-19 response organizations and K-12 educational institutions, CISA is working to raise awareness about the importance of combating ransomware as part of an organization’s cybersecurity and data protection best practices. Over the next several months, CISA will use its social media platforms to iterate key behaviors or actions with resource links that can help technical and non-technical partners combat ransomware attacks.
CISA established a new one-stop resource at cisa.gov/ransomware. On this page, interested partners will find four categories of ransomware resources:
- Alerts and Statements: Official CISA updates to help stakeholders guard against the ever-evolving ransomware threat environment. These alerts are geared toward system administrators and other technical staff to bolster their organization’s security posture.
- Guides and Services: Tips and best practices for home users, organizations, and technical staff to guard against the growing ransomware threat.
- Fact Sheets and Infographics: Easy-to-use, straightforward information to help organizations and individuals better understand the threats from and the consequences of a ransomware attack.
- Trainings and Webinars: This information provides technical and non-technical audiences, including managers, business leaders, and technical specialists with an organizational perspective and strategic overview.
Many of the resources on this webpage were developed in collaboration with industry and interagency partners, such as:
- CISA and Multi-State Information Sharing and Analysis Center (MS-ISAC) Joint Ransomware Guide;
- CISA, Federal Bureau of Investigation (FBI), and Department of Health and Human Services (HHS) Joint Cybersecurity Advisory on Ransomware Activity Targeting the Healthcare and Public Health Sector;
- CISA, FBI, DHS Homeland Security Investigations, and U.S. Secret Service recorded video discussion on Trends and Predictions in Ransomware from the 2020 CISA National Cybersecurity Summit.
- CISA Fact Sheet on Cyber Threats to K-12 Remote Learning Education for non-technical educational professionals with contributions from the FBI.