US Colonial Pipeline attack timeline at AVAR 2021

The Colonial Pipeline ransomware attack: roughly $5 million paid in ransom, about 100 GB of data stolen, and both the pipeline and the company's web presence shut down. It was the largest cyberattack on an oil infrastructure target in the history of the United States.

Our team began researching DarkSide early in the rise of this ransomware-as-a-service (RaaS) operator, tracking all intelligence gathered by our R&D centre and partner malware researchers. Since August 2020, the creators of DARKSIDE ransomware and their affiliates have launched a global crime spree affecting organizations in more than 15 countries and multiple industry verticals. Their victims span medical, government, education and non-profit organizations, and victim names are published on the group's "WALL of SHAME" leak site to add extortion pressure. From Virginia to Louisiana, convenience stores and corner gas stations turned away customers as tanks ran dry amid panic buying.

DarkSide operators use the same human-operated model of ransomware deployment as the other prolific ransomware groups that have plagued businesses in recent years. Attackers gain access to networks through a variety of methods, including stolen credentials, then continue with hands-on-keyboard techniques, using a range of system administration or penetration testing tools to move laterally.

This careful and methodical approach is much more effective, and harder to defend against, than ransomware that propagates automatically through networks using built-in routines that may fail or trip detection mechanisms. DarkSide also borrows modern corporate techniques to recruit its foot soldiers.

An affiliate calling himself "Woris", who may lack the technical skill to write ransomware himself, can rely on the DarkSide operators instead: they supply custom DarkSide payloads that are hooked into the accounts Woris or an initial access broker (IAB) has already compromised, maximizing the ransom profit for both sides.

RaaS and Initial Access Brokers (IABs)

IABs provide affiliates with a seemingly infinite pool of potential victims across different geographies and sectors. Affiliates typically buy corporate access from IABs cheaply and then infect those networks with a ransomware product obtained from the operators. This business model lets the scheme feed continuously on new victims at low cost and high efficiency, making ransomware operate increasingly like a corporation rather than a traditional criminal gang.


  • DarkSide offers customer support, YouTube tutorials and an onion website.
  • Services include technical support for the affiliates, negotiating with targets such as the publishing company, processing payments, and devising tailored pressure campaigns through blackmail.


The AVAR 2021 session covered:

  • Introduction to DarkSide ransomware
  • The attack lifecycle of DarkSide ransomware
  • Entry, vulnerability, encryption, privilege escalation, data exfiltration
  • Tactics, techniques and procedures
  • DarkSide operation workflows: initial access, stagers, initiating encryption and the clean-up routine
  • How Scrutiny detects a DarkSide sample without relying on signatures
  • Demonstration of the crypto caging process
  • Simulation and technical analysis of the whole DarkSide operation


The goal is to map the network, identify critical servers, escalate privileges, obtain domain administrator credentials, disable and delete backups, exfiltrate sensitive data and, only when the terrain is fully prepared, deploy the ransomware to as many systems as possible in one go.
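The pre-encryption steps above (disabling and deleting backups before the ransomware is deployed) are exactly what a behaviour-based detection, rather than a file signature, can key on. The following Python is an added example and is not code from the talk, from Cyberstanc's Scrutiny product, or from any DarkSide analysis on this page. It scores constructed process-creation log lines against the generic, well-known backup-tampering commands (shadow copy deletion, backup catalog deletion, boot recovery disabling, backup service stops) and raises an alert for a host once its weighted score crosses a threshold. The log format, field names, rule set, weights and threshold are all assumptions made for the example.

```python
"""Behaviour-based triage of process-creation events for ransomware
pre-encryption activity (backup and recovery tampering).

Added example for this page, not the talk's or Cyberstanc's code.
Log lines are constructed; the command patterns are generic,
publicly known ransomware precursors, not taken from this page.
"""
import re
from collections import defaultdict

# Each rule: (name, weight, regex applied to the lower-cased command line).
# Weights are an assumption chosen so that a single "list shadows" or a
# lone service stop does not alert, while a delete/disable chain does.
RULES = [
    ("shadow_copy_delete", 4, re.compile(
        r"vssadmin(\.exe)?\s+delete\s+shadows"
        r"|wmic(\.exe)?\s+shadowcopy\s+delete"
        r"|win32_shadowcopy.*\.delete\(")),
    ("backup_catalog_delete", 3, re.compile(
        r"wbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)")),
    ("recovery_disable", 3, re.compile(
        r"bcdedit(\.exe)?.*(recoveryenabled\s+no"
        r"|bootstatuspolicy\s+ignoreallfailures)")),
    ("backup_service_stop", 2, re.compile(
        r"(net(\.exe)?\s+stop|sc(\.exe)?\s+stop)\s+\S*(backup|veeam|sql)")),
]
ALERT_THRESHOLD = 5  # assumption: tune per environment

# Assumed flat log format: "<timestamp> host=<h> user=<u> cmd=<command line>"
LOG_LINE = re.compile(r"^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+user=(?P<user>\S+)\s+cmd=(?P<cmd>.*)$")


def parse_line(line):
    """Return a dict of fields, or None if the line does not fit the format."""
    m = LOG_LINE.match(line.strip())
    return m.groupdict() if m else None


def match_rules(cmd):
    """Return [(rule_name, weight)] for every rule the command line triggers."""
    lowered = cmd.lower()
    return [(name, w) for name, w, rx in RULES if rx.search(lowered)]


def score_hosts(lines):
    """Aggregate rule hits per host: {host: {"score": int, "hits": [(rule, cmd)]}}."""
    hosts = defaultdict(lambda: {"score": 0, "hits": []})
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue  # malformed line: skip rather than crash the pipeline
        for name, w in match_rules(ev["cmd"]):
            hosts[ev["host"]]["score"] += w
            hosts[ev["host"]]["hits"].append((name, ev["cmd"]))
    return dict(hosts)


def alerting_hosts(lines, threshold=ALERT_THRESHOLD):
    """Sorted list of hosts whose accumulated score reaches the threshold."""
    return sorted(h for h, r in score_hosts(lines).items() if r["score"] >= threshold)


# Constructed sample events: FS01 shows the delete/disable chain, DB03 a lone
# service stop, WS22 only benign activity (listing shadows is not deleting them).
SAMPLE_LOG = [
    "2021-05-07T03:12:01Z host=FS01 user=CORP\\svc_backup cmd=powershell.exe -c Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}",
    "2021-05-07T03:12:05Z host=FS01 user=CORP\\svc_backup cmd=wbadmin.exe delete catalog -quiet",
    "2021-05-07T03:12:09Z host=FS01 user=CORP\\svc_backup cmd=bcdedit.exe /set {default} recoveryenabled No",
    "2021-05-07T03:15:00Z host=WS22 user=CORP\\alice cmd=notepad.exe C:\\notes.txt",
    "2021-05-07T03:20:00Z host=WS22 user=CORP\\alice cmd=vssadmin.exe list shadows",
    "2021-05-07T03:21:00Z host=DB03 user=CORP\\dba cmd=net stop SQLBackupSvc",
    "this line is not in the expected format",
]

if __name__ == "__main__":
    for host, result in score_hosts(SAMPLE_LOG).items():
        print(host, result["score"], [name for name, _ in result["hits"]])
    print("ALERT:", alerting_hosts(SAMPLE_LOG))
```

Only FS01 crosses the threshold: three rules fire in sequence on the same host within seconds, which is the "clear the backups, then encrypt" pattern, while DB03's single service stop stays below it and WS22 never appears at all. In a real deployment the same scoring would be fed by Sysmon event ID 1 or EDR process telemetry rather than flat lines, and the time window between hits should also be a factor.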

Author: Rohit Bankoti is Founder and COO at Cyberstanc. He spoke at AVAR 2021 Virtual on 'The DarkSide of ransomware (Colonial Pipeline attack and other threats)'.
Co-Author: Souhardya Sardar is a Senior Developer at Cyberstanc.
