Today, the Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI) releases an cybersecurity advisory, “DarkSide Ransomware: Best Practices for Preventing Business Disruption from Ransomware Attacks.” CISA and FBI are urging critical infrastructure asset owners and operators to adopt a heightened state of awareness and implement the recommendations listed in this advisory.

Recently, DarkSide actors deployed DarkSide ransomware against a U.S. pipeline company’s information technology (IT) network. In response to the cyberattack, the company proactively disconnected certain operational technology (OT) systems to ensure the safety of the system. At this time, there are no indications that the threat actor moved laterally to OT systems.

This joint advisory provides technical details on DarkSide actors and some of their known tactics and preferred targets. According to open-source reporting, DarkSide actors have been targeting multiple large, high-revenue organizations. Also, the actors have previously been observed gaining initial access through phishing, exploiting remotely accessible accounts and systems and virtual desktop infrastructure.

CISA and FBI strongly recommend that critical system owners and operators prioritize reading this advisory and follow recommended mitigation and guidance to help protect against this malicious activity. In addition to the cybersecurity advisory, CISA and FBI urge critical infrastructure asset owners and operators to review the following resources for best practices on strengthening cybersecurity posture:

• Joint Ransomware Guide (CISA and Multi-State Information Sharing and Analysis Center)
• CISA Ransomware Webpage: Ransomware Guidance and Resources
• CISA Insights: Ransomware Outbreak
• CISA Pipeline Cybersecurity Initiative
• CISA Pipeline Cybersecurity Resources Library

Victims of ransomware should report it immediately to CISA, a local FBI Field Office, or a Secret Service Field Office.