Scrutinize Files Before Ransomware Runs!

US Colonial pipeline attack timeline at AVAR2021

In the Colonial Pipeline ransomware attack the company paid a ransom of about $5 million, the attackers stole roughly 100 GB of data, and the company shut down the pipeline and took its website offline. It was the largest cyberattack on an oil infrastructure target in the history of the United States.

Our team began researching DarkSide from the early rise of this ransomware-as-a-service (RaaS) operation, tracking the intelligence gathered by our R&D center and partner malware researchers. Since August 2020, the creators of DARKSIDE ransomware and their affiliates have run a global crime spree affecting organizations in more than 15 countries and multiple industry verticals. The group claimed not to target medical, government, education or non-profit organizations, and ran a leak site (a "shame wall") to extort victims who refused to pay. After the Colonial Pipeline shutdown, from Virginia to Louisiana, convenience stores and corner gas stations turned away customers as tanks ran dry amid panic buying.

Association of Anti Virus Asia Researchers (AVAR) - The DarkSide of Ransomware (Colonial Pipeline attack and other threats)
Speakers - Rohit Bankoti and Souhardya Sardar

DarkSide operators use the same human-operated model of ransomware deployment as the other prolific ransomware groups that have plagued businesses in recent years. Attackers gain access to networks through a variety of methods, including stolen credentials, then continue with manual hacking techniques, using a variety of system administration or penetration testing tools to move laterally.

The goal is to map the network to identify critical servers, escalate privileges, obtain domain administrator credentials, disable and delete backups, exfiltrate sensitive data and, only when the terrain is fully prepared, deploy the ransomware to as many systems as possible in one go.

This careful and methodical approach is much more effective, and harder to defend against, than ransomware programs that propagate automatically through networks using built-in routines that might fail and trip detection mechanisms.

DarkSide demonstrates modern corporate techniques to lure foot soldiers

An affiliate calling himself "Woris", who may not have had the technical skills to write ransomware himself, received custom DarkSide payloads from the operators and deployed them into networks that he or initial access brokers (IABs) had already compromised, maximizing the ransom profit for both sides.

RaaS and Initial Access Brokers (IABs)

IABs provide affiliates with a seemingly infinite pool of potential victims across geographies and sectors. Affiliates typically buy corporate access from IABs cheaply and then infect those networks with a ransomware product obtained from the operators. This business model lets the operation feed continuously on new victims cheaply and efficiently, so ransomware increasingly works like a corporation rather than a classic criminal gang.


DarkSide offers customer support, YouTube tutorials and an onion website. Its services include technical support for affiliates, negotiating with targets (such as the publishing company in the Woris case), processing payments, and devising tailored pressure campaigns built on blackmail.


Introduction to DarkSide ransomware
Explanation of the attack lifecycle of DarkSide ransomware
Entry, vulnerability, encryption, privilege escalation, data exfiltration
Tactics, techniques and procedures
DarkSide operation workflows such as initial access, stagers, initiating encryption and the clean-up routine
Scrutiny detecting a DarkSide sample without relying on signatures
Demonstration of the crypto caging process
Simulation and technical analysis of the whole DarkSide operation
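The lifecycle description above notes that operators disable and delete backups before the final push, and the agenda promises detection that does not rely on signatures. The block below is an added example written for this page; it is not code from the talk, the speakers or the Scrutiny product, and it does not claim to reproduce their method. It scores constructed Windows process-creation log lines for recovery-inhibiting commands (shadow-copy, backup-catalog and boot-recovery destruction, MITRE ATT&CK T1490) and applies a Shannon-entropy check to file contents, the kind of content-based check that works without a known sample hash. The log format, host names, user names and commands are all constructed for the example and are not taken from any DarkSide case.

```python
"""Signature-free checks for the pre-deployment stage of human-operated
ransomware.  Added example, not code from the AVAR talk or the Scrutiny
product; log format and all sample records are constructed here."""
import math
import random
import re
from collections import Counter, defaultdict

# Generic Windows commands that inhibit system recovery (ATT&CK T1490).
# They are behaviours, not a DarkSide signature: any crew that deletes
# backups before encrypting tends to run some of them.
RECOVERY_INHIBIT_PATTERNS = [
    ("bcdedit ignore failures", re.compile(r"bcdedit(\.exe)?.*bootstatuspolicy\s+ignoreallfailures", re.I)),
    ("bcdedit recovery disabled", re.compile(r"bcdedit(\.exe)?.*recoveryenabled\s+no", re.I)),
    ("powershell shadowcopy deletion", re.compile(r"win32_shadowcopy.*\.delete\(", re.I)),
    ("vssadmin shadow deletion", re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("wbadmin catalog deletion", re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I)),
    ("wmic shadowcopy deletion", re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
]

# Hypothetical flat log format: "<timestamp> host=<h> user=<u> cmd=<command line>"
LOG_LINE = re.compile(r"^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+user=(?P<user>\S+)\s+cmd=(?P<cmd>.*)$")


def parse_line(line):
    """Parse one process-creation record into a dict; None for malformed lines."""
    m = LOG_LINE.match(line.strip())
    return m.groupdict() if m else None


def find_recovery_inhibit_events(lines):
    """Return (host, user, label, cmd) for every command matching a pattern."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for label, pattern in RECOVERY_INHIBIT_PATTERNS:
            if pattern.search(rec["cmd"]):
                hits.append((rec["host"], rec["user"], label, rec["cmd"]))
                break
    return hits


def hosts_to_alert(lines, threshold=2):
    """Map host -> sorted distinct labels, keeping only hosts that show at least
    `threshold` different recovery-inhibiting actions.  A single vssadmin call
    can be legitimate admin work; several different ones in a row rarely are."""
    per_host = defaultdict(set)
    for host, _user, label, _cmd in find_recovery_inhibit_events(lines):
        per_host[host].add(label)
    return {h: sorted(labels) for h, labels in per_host.items() if len(labels) >= threshold}


def shannon_entropy(data):
    """Bits per byte: 0.0 for empty or single-valued input, ~8.0 for ciphertext."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(data, threshold=7.5, min_size=256):
    """Flag near-random content; tiny inputs are skipped because their entropy
    estimate is too noisy to mean anything."""
    return len(data) >= min_size and shannon_entropy(data) >= threshold


def make_random_blob(size, seed):
    """Deterministic stand-in for a freshly encrypted file body."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(size))


# Constructed sample log: WS-042 and DC01 are benign, FILESRV01 shows the
# backup-destruction burst that precedes mass encryption.
SAMPLE_LOG = [
    "2021-05-07T03:12:44Z host=WS-042 user=jdoe cmd=C:\\Windows\\System32\\notepad.exe notes.txt",
    "2021-05-07T03:13:01Z host=FILESRV01 user=CORP\\svc_backup cmd=vssadmin.exe delete shadows /all /quiet",
    "2021-05-07T03:13:05Z host=FILESRV01 user=CORP\\svc_backup cmd=wbadmin delete catalog -quiet",
    "2021-05-07T03:13:09Z host=FILESRV01 user=CORP\\svc_backup cmd=bcdedit /set {default} recoveryenabled No",
    "2021-05-07T03:13:12Z host=FILESRV01 user=CORP\\svc_backup cmd=powershell -c \"Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}\"",
    "2021-05-07T03:20:00Z host=DC01 user=CORP\\admin cmd=vssadmin.exe list shadows",
    "malformed line that should be ignored",
]

if __name__ == "__main__":
    for host, labels in hosts_to_alert(SAMPLE_LOG).items():
        print(f"ALERT {host}: {', '.join(labels)}")
    print("random blob looks encrypted:", looks_encrypted(make_random_blob(4096, 1234)))
    print("plain text looks encrypted:", looks_encrypted(b"quarterly report " * 300))
```

The host-level threshold is the point of the first check: `vssadmin list shadows` on DC01 is ignored entirely, and a lone deletion would not alert, but FILESRV01 running four different recovery-inhibiting commands within seconds is the pattern the lifecycle paragraph describes. The entropy check is deliberately crude; compressed archives and media files also score near 8 bits per byte, so in practice it is gated on file type or on a sudden change in a file's entropy rather than used alone.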


AVAR conducts conferences and conclaves to enable networking and information sharing among its members. The AVAR 2021 conference was held on 2 and 3 December 2021.

Theme - Cybersecurity in Peril: The Changing State of Threat Actors


Organizing and hosting the annual AVAR conference and seminars on anti-virus issues.
Providing information on computer virus incidents throughout Asia on the AVAR website.