With Colonial Pipeline Breach, Some Resources for Health Care Providers on Ransomware Attacks

Situation Report | May 17, 2021

With the recent ransomware attack on Colonial Pipeline, a major supplier of motor and jet fuel that had to halt its entire pipeline network after the breach, the state Department of Health (DOH) has provided resources to assist in preventing and responding to similar attacks in health care:

Further background

In May 2021, the FBI received notification that the ransomware variant Darkside had infected a critical infrastructure company in the United States. The FBI has been investigating Darkside since October 2020. Darkside is a ransomware-as-a-service (RaaS) variant, in which criminal affiliates conduct the attacks and the proceeds are shared with the ransomware developer(s). Darkside has impacted numerous organizations across various sectors including manufacturing, legal, insurance, health care, and energy.

After Darkside actors gain access to a victim's network, they not only deploy the Darkside ransomware to encrypt data but also exfiltrate victim data beforehand and then threaten to publish it to further pressure the victim into paying the ransom demand. Because the data is stolen before it is encrypted, restoring systems from backup removes the outage but not the threat of disclosure, which for a health care provider can still amount to a reportable breach of patient data.

Darkside can encrypt files on fixed and removable disks as well as on network shares. File contents are encrypted with the Salsa20 stream cipher, and the Salsa20 key is in turn encrypted with an RSA-1024 public key embedded in the ransomware, so the files cannot be recovered without the corresponding private key held by the attackers. Affiliates can use Darkside in both Windows and Linux environments.

The FBI Flash report here includes recommended mitigations.