Persons install Spyware

Good business antivirus software can catch older versions of spyware. Most consumers, however, save money on software. Therefore software companies needed to adjust their business model from providing clients with a service to one where the clients are increasingly becoming the product. Lines start to blur when transforming a simple application into one that collects and sells user data with or without user consent. When does the "customer-improved experience" transform into spyware? One company has even made a business model out of it where it reads all emails, tracks all travel, and scrubs all data it can find. To do this, the company made a free operating system for phones, tablets, and computers, a free internet browser, and a free email service.

Avoiding this particular company doesn't solve the problem. Figure 1 shows an idle PC that does plenty of talking. Remove the internet cable, and the PC works just fine. So, what is it talking about, one may ask? Well, it's most likely talking about the user as the "product", not the user as the "client".

Persons install Adware

Adware seems innocent enough. This software tracks your internet browsing history and then uses the information to send you relevant advertisements inside the application or game. At best, this software slows your internet connection speed and your device processor. At worst, it can include spyware or keyloggers that could potentially steal your private data or damage your device.

Persons install VPN software

A VPN was used to encrypt plain text communications between persons and non-SSL DNS lookups as well ensure encrypted browsing, in todays day and age most if not all web pages are HTTPS encrypted, adding a VPN only slows down the browsing experience. As for hiding your identity and protecting your privacy, well as it turns out that an overwhelming number of VPNs are actively harvesting and selling your data, capturing passwords / credentials / movements from your web activities.

Using VPN software is the ideal way to distribute a man-in-the-middle spy-ware as it can easily hijack any https communication and users will even pay money to install and use it.

Using a VPN isn’t going to protect you as it doesn’t matter where you say you reside; everyone knows the IP addresses of the VPN servers and can provide or block content accordingly. Also, a VPN connection doesn’t protect your browsing habits from becoming known. The only thing it does is increase your exposure as your data is now stored in 2 additional locations, at the VPN provider as well as the telecoms provider that hosts the data center of the VPN provider.

Generating viruses requires minimal skills

Viruses are typically disguised as email attachments, images, games, and website URLs and can take over your computer and replicate without user interaction. As a result, sensitive files can be uploaded, corrupted, or deleted. As the virus infects your computer, day-to-day tasks can become difficult or impossible. Some viruses can randomly access and manipulate memory, add unintended features to existing software, or fill up disk space, rendering your computer useless. Antivirus software is unlikely to catch new viruses as they typically lag behind a few days or weeks, as antivirus signatures are generated based on known viruses from infected computers.

As the virus infects your computer, day-to-day tasks can become difficult or impossible. Some viruses can randomly access and manipulate memory, add unintended features to existing software, or fill up disk space, rendering your computer useless.

Antivirus software is unlikely to catch new viruses as they typically lag a few days or even weeks behind as anti-virus signatures are generated based on known viruses from infected computers.

Virus-generating tools understand how antiviruses work and can compile a brand-new virus at the push of a button. These virus packaging tools are offered "strictly for educational and illustrative purposes", of course.

Bad actors lease ransomware at an industrial scale

The newest fashion in computer crime is special software known as crypto-lockers. This software data-mines and encrypts your system and holds your data hostage until you pay a ransom. Typically, victims have to pay to get their files decrypted. Attackers will typically start to blackmail their victims by threatening them in that they will share and sell their private and confidential data if they fail or refuse to do so. Any proceeds made using the ransomware by the attackers will generate a commission for the developers of the malware using the Software as a Service business model.

Like with viruses, these malware developers are not just sitting idle; they constantly update the software to evade detection and are quite successful in doing so. In 2021 IBM claims that 53% of all companies never find out that security has been breached, and it takes an average of 287 days for those companies that do.

You need more than just an antivirus today; prevention is key, as in 2021 the ransomware industry is worth 14 billion US dollars. The average household paying anywhere between 500 to 2000 US dollars to get their files back where corporations typically are charged on average over 110 thousand US dollars. Those who claim that crime doesn't pay probably haven't studied cross-border cybercrime.

Malicious activity, even if detected, does not escalate into a defensive response

First, antivirus software is not an intrusion detection tool. Many users think that Windows protects them; however, previous paragraphs have shown that it doesn't; second, Windows is extremely "user friendly" because it allows attackers to attack endlessly and never takes defensive measures. Figure 4 shows how an automated attack can continue until it eventually succeeds in guessing a valid user/password combination.

Out of the box, Windows comes with a lot of software that enables remote management in one way or another like the known set like Remote Desktop, PowerShell or more exotics like Secure Shell, and Windows Management Instrumentation Command.

Microsoft will just “take note” of successful or failed attempts to connect or execute remote code. It is up to the user to map failed attempts to successful attempts to see if a system was actually successfully compromised.

Outgoing activity is unprotected, this activity or communication isn’t logged anywhere

Any software on your computer can send any data you have to any location that can be reached via the internet. This is quite handy until a user is presented with a link that generates what the industry calls an “Exploitation for Client Execution”. Victims are easily duped as these exploits use software already installed on the client’s machine to execute arbitrary binary code. The most common exploits are:

• Browser- based exploits Web browsers are a common target through what is known as Drive-by Compromise and Spear phishing link. Computers are compromised through normal web browsing or from certain users being targeted by links in spear-phishing emails to adversary-controlled sites used to exploit vulnerabilities in the web browser. These sites often do not require an action by the user for the exploit to be executed; simply visiting a compromised site will suffice.
• Targeting Office Applications Common office and productivity applications such as Microsoft Office are also targeted through Phishing. Malicious files will be transmitted directly as attachments in email or via links to download them. These require the application to preview such a file or for the user to open the document or file for the exploit to run.
• Targeting Common Third-party Applications Applications such as Adobe Reader and Flash, Teams, Skype and Zoom are common in enterprise environments, have been routinely targeted using these techniques in an attempt to gain access to a system. If the user can click any type of link, that can execute any type of action, based on arbitrary data an exploit should be considered possible.

Cybercrime is more profitable than dealing drugs and getting hold of the product is easy

Most are surprised by how little it takes to get started in cybercrime, as you only need a few inexpensive items to get going. At the time of writing this document, awesome, an open-source host, provides access to over 200 ransomware projects for “educational purposes” that will help you get started.

Targeting private individuals and small businesses with impunity

The fact that most police agencies are il equipped, and poorly resourced, forces these agencies to select only more prominent and high-profile cases. This, combined with the fact that private individuals and small businesses do not know and lack the tools to protect themselves, makes them ideal targets for cybercrime.

1. Infrastructure gets attacked from the world wide webby individuals that attack routers via their default username and password as well as remote management configurations. If they really want to get in, then they will get in, and they will use software like RouterSploit or MetaSploit to join your network;
2. Your Wi-Fi network is easily targetedby individuals that attack router via its default username and password as well as remote management configurations. If they really want to get in, then they will get in, and they will use software like RouterSploit or MetaSploit to join your network;
3. Infrastructure gets attacked by its own edge devices like routers and firewalls sounds bizarre right, well it’s the most common exploit used by attackers. A hacker will take over an edge device like a router and use the router to attack the owner of the network from within;
4. You get attacked via your local network using compromised hardware like other computers on the network. The network can be your home or office network but also that cool VPN network;
5. Users get attacked by your IoT devices like a smart thermostat, smart TV’s, smart light bulbs, Air conditioning, even their own phone via that cool app/ game. All these devices have software that is not designed with security in mind and has no anti-virus or firewall on it;
6. Large organizations get attacked all the time via an employee bringing compromised hardware to the workplace or, the user gets compromised themselves when he/she connects to the office.

Any and all devices can be assimilated into a botnet; these botnets then are used to attack better-protected infrastructure.

IDPS REQUIRES NO INTERACTION, SPECIAL SKILLS, TRAINING, OR CERTIFICATION.
SYSTEMS AND USERS ARE ALWAYS PROTECTED

Maintain effective and updated malware strategies

Our exploit database contains tactics and techniques used by cybercriminals based on current attacks. We observe these probes on our honey pot servers, workstations, mobile devices, emails, IoT devices, programmable logic controllers, routers, switches and firewalls that we have distributed for this purpose on the world wide web.

We have also partnered up with external resources that provide us with near-real-time data of endpoints that have been compromised or are used for illicit purposes.

All this data is then bundled, packaged and distributed to our clients that use this near real-time data in our proprietary intrusion detection AI models as well as in the intrusion prevention database.

Malware signature updates

It may be important to note that signature updates flow one way, from VESNX to the IDPS licensed devices. There are several good reasons for it, the 3 most important are:

1. Economics: the investment needed to process the data send by the clients is going to outweigh the benefit of having a larger dataset of mostly duplicate data slowing down the process.
2. Trust: the data coming from a 3rd party needs to be isolated sanitized and classified, the last thing one would like is for a malicious actor to pollute the dataset with false positives.
3. Independence by design:the intrusion detection and prevention modules are designed “to be enriched” and “to be improved on” with data generated by the IDPS client software. All IDPS modules improve their detections in real-time independently of the server infrastructure.

Having low dependency on infrastructure & data dramatically improves the TCO as the infrastructure can easily be taken off-line. If need be, for days, without impacting the quality of the product or reputation of VESNX.

Looking at the unique features of IDPS in a ransomware kill chain

Perhaps, one of the best features of IDPS is the ability to replicate intrusion prevention over the entirety of licensed devices when a malicious actor is detected. It doesn’t mean malware will not be used against our clients’ systems. IDPS will share detected malicious intent with the entire infrastructure sharing a license, effectively halting attacks on other parts of the network.

This feature prevents malicious actors to continually probe the infrastructure as the first failed attempt will trigger a reaction at the operating system level preventing access. This feature isn't offered by any other product on the market.

We will use, what is known in the industry as “the ransomware kill chain”, to explain how VESNX developed IDPS to allow low skill users to be protected from cybercrime.

These individuals produce Software as a Service to facilitate cybercrime including all modules needed displayed in the above image, the Ransomware kill-chain; basically your “Office suite” for cybercriminals.

Developers

VESNX looks on-line at the software that is being offered. We then try and detect any vulnerabilities that can be used to counter any servers hosting this software as well as study ways to prevent the execution of these exploits.

Developers

Develop PEN-Test software that can be used to automate penetration testing as well as automate exploit exposure.

Mitigation

• Use the IDPS honey-pot systems to detect patterns that help identify the software that is used to attack the clients’ system.
• Provide developers with a software developer kit (SDK) that can be used in their own development to detect probes and automatically block and report probes to authorities.
• Aided with Machine Learning, deployed software will continue to learn new attack vectors from "hindsight" of recorded activity independent of the IDPS subscription.

Create new and improve worms, viruses as well as ransomware to avoid detections, periodically use a new obfuscation pattern to avoid anti-virus signature recognition.

• Allow honey-pots (dedicated computers made extra vulnerable) to get infected. This way one can study the changes malware makes when it infects a system and update signatures.
• We will study
  1. whom the malware contacts when infects a system;
  2. whom it gets its instructions from;
  3. and what additional software gets downloaded as well as what that does;
  with this data, we will update the IDPS subscription with rules to prevent execution the software and contacting these servers.
• Study in what ways malware tries to infect other systems in order to recognize infected systems so IDPS can isolate these systems and prevent the spreading in your home or office.

Malware developers typically do not “hack” systems themselves, they just write the software and collect “royalties” on any proceeds made by those using their software.

Scans for individuals, companies, devices and computers that can be targeted. The broker collects and bundles this data and sells it to hackers as well as other bad actors.;

Access Brokers

When malicious activity is detected, mitigation strategies usually involve flagging the reputation of a connection. By putting the connection in a penalty box, any connectivity to and from the attacker is actively blocked, ensuring that all software engaging with this connection is considered potentially compromised. In this way, possible vulnerabilities are not leaked and hostile takeovers of the system are prevented.

Access Brokers

Scan domain names & IP addresses to see what systems are publicly accessible and store this data

Mitigation

• Ensure IDPS blocks the PC replying to BotNets scanning the internet.
• Alter the devices "fingerprint" so that a probe assumes fails to correctly classify the device.
• Alert other devices that share the same license to update the definitions in regards to the connections reputation and block it.
• Communicate to other licensed VESNX software of the intentions of the domains involved in the phising attack.
• Log the attempted scan and notify the internet service provider of the access broker using the IDPS automated abuse report.

Find vulnerable software by scanning any device connected to the internet and map any service or software that can be exploited.

• Detect discovery process and replicate the detection to other licensed IDPS software.
• Answer with a perceived flaw by the IDPS HoneyPot Services and wait for a response.
• Log the attempted scan and notify the internet service provider of the access broker using the IDPS automated abuse report.

Test passwords using a hashing database and brute force techniques to gain access to any device or software connected to the internet.

• Monitor system for failed password attempts on operating system and application level.
• Answer with IDPS HoneyPot Service.
• Communicate to other licensed IDPS software of the intentions of the domains involved in the password attempts ensuring any attempts to communicate will fail.
• Log the attempted scan and notify the internet service provider of the access broker using the IDPS automated abuse report.

Sends phising emails that are used to gain access to a system

• Ensure IDPS blocks PC from opening links from, or connect to IP addresses and domains associated with malware.
• Provide a safe environment to users to open attachments in a SandBoxed IDPS applications like IPS. ExcelGuard, IPS. WordGuard, and the IPS. PdfGuard.
• Log the attempted scan and notify the internet service provider of the access broker using the IDPS automated abuse report.

The primary objective of access brokers is to collect system data and to sell the data to hackers. They might have the skills and the tools to be hackers themselves, however, as they are not seen as the once causing harm, law enforcement typically doesn’t prosecute them making being an access broker a relatively safe job.

Access brokers typically use specialized software that they run on servers leased in data centers or on a large pool of infected computers (botnets) that they buy or rent in the dark web. Reporting the abuse with the internet service provider normally results in the access broker losing access to the infrastructure that’s being used to attack the infrastructure. While this is the only way to stop attacks, we know of no other product that does automated abuse reporting with documented proof of the malicious activity to an internet service provider.

In order for the affiliate model to work with ransomware developers, the developers generate specific code within the ransomware to their affiliates, with a unique identifier embedded within it. This causes the ransom payout to get directed to the affiliate that infected t

These individuals are responsible for entering your systems. They will pay the access broker for the login details and exploit data that enabled them to enter. The prices for the credentials and exposed services will vary. For individuals it is as little as twenty dollars, for larger organizations it could be several thousand.

Hackers/ Affiliates

IDPS will monitor attempts for activity to gain elevated access rights like administrator accounts and look for inter process, local network, and software installation that doesn’t fit the base-line of a given computer.

If a hacker uses a persevered flaw send to a (initial) access broker then the broker is linked to the attacker.

Hackers

Login to a service using compromised user credentials like user name and password or two factor authentication (2FA).

Mitigation

• Make use of IDPS HoneyPot Service to detect unlawful access attempts via previous fake credentials matching the broker to the hacker.
• Prevent, detect, and flag login from location and data-centers that are not pre-approved, normal, or have associated with malicious activity in the past.
• Communicate to other licensed IDPS software of the intentions of the endpoints involved ensuring any attempts to communicate will fail.
• Isolate possible compromised computers if access was obtained.
• Notify the user in regards to the compromised service and device.
• Log the attempted scan and notify the internet service provider of the access broker using the IDPS automated abuse report.

Connect via TORor a CONNECT_VIA_TOR_B to connect to the victim’s system in an attempt to hide his location and identity.

• Block access to a IDPS guarded system by always blocking incoming TOR and commercial VPN connections.
• Log the attempted scan and notify the internet service provider of the access broker using the IDPS automated abuse report.

Join a WIFI/ LAN network whenever possible as access from the same network bypasses most, if not all defensive measures.

• Detect WPS cracking attempts using a physical IDPS router.
• Detect man-in-the-middle attacks and ARP poisoning by monitoring network topology.
• Place infected systems in a Penalty Box avoiding getting infected or breached.
• Notify the user and inform that a security breach was detected as well as make recommendations on how to react.
• Power down the system after communicating to other licensed IDPS devices and software ensuring any attempts to encrypt drives and infect other devices will fail.

Bypass the perceived SSL security by injecting a fake gateway and record all HTTPS data in clear text.

• IDPS will detect the change in gateway service generated by ARP poisoning and block the “poisoned” computer.
• Notify the user and inform that a security breach was detected as well as make recommendations on how to react.

Use a VPN to extract data to an external service and hide data transfer

• IDPS detects the additional IP address generated by the VPN and notify the user.
• IDPS can disable the network adapter disconnecting the VPN.
• IDPS will notify other licensed devices and isolate itself preventing it from infecting or compromising other devices.

Use a de-authentication attackto force devices to re-connect and record access tokens and credentials

• IDPS will verify that the challenge came from the same device as the device last recorded.
• IDPS will notify the user and inform that a security breach was detected as well as make recommendations on how to react.
• DE_AUTHENTICATION_ATTACK_c

Install key logger Install key logger

• IDPS detect software that is talking and compare this with the normal software and endpoints.
• IDPS will notify the user and inform that a security breach was detected as well as make recommendations on how to react.
• IDPS will notify other licensed devices and isolate itself preventing it from infecting or compromising other devices.

In a perfect scenario, a hacker would try to obtain administrator credentials or even create an administrator account. Once the hacker has an account with enough rights to connect to other devices and install software on them, the network becomes under the hacker's control. Hackers usually wait until off-site and on-site backups contain the exploits and backdoors before they proceed.

Here, the hacker passes the login credentials and ways to access the systems to a group of data managers in order to steal data, install malware, and encrypt data with ransomware.

To understand what the extracted data might mean to the victim, it is necessary to categorize and catalog it. Using your data in extortion activities and reselling it to third parties in order to maximize profits is your responsibility as a data manager. For example, extended login credentials, credit card databases, and others are packaged in such a way to maximize leverage for ransom.

Data Managers

IDPS makes use of the operating systems policy management objects to enable it to monitor permissions and detect illicit access patterns.

Data Managers

Use the hacker’s data to upload small amounts of sample data to proof to the victim that the hack is real.

Mitigation

• Use IDPS to catalog the effective file permission on a user’s account.
• Isolate computers and accounts that look to have been compromised.
• IDPS will notify the user and inform that a security breach was detected as well as make recommendations on how to react..
• IDPS will notify other licensed devices and isolate itself preventing it from infecting or compromising other devices.

Change all user accounts, so no one can access unaffected systems or recover data.

• Use the IDPS LDAP SandBox to host a fake and easy to crack user management to detect tampering
• Use IDPS to log changed permissions on live systems.
• Shutdown/kill processes of an affected system if bulk changes are detected
IDPS will notify the user and inform that a security breach was detected as well as make recommendations on how to react.
• IDPS will notify other licensed devices and isolate itself preventing it from infecting or compromising other devices.

• Use the IDPS LDAP sandbox to host a fake and easy to crack user management to detect tampering.
• IDPS will disable the account on the network preventing the compromised user to exploit the other systems.
• IDPS will notify the user and inform that a security breach was detected as well as make recommendations on how to react.
• IDPS will notify other licensed devices and isolate itself preventing it from infecting or compromising other devices.

Bundle the data to "blackmail packages"" so that these can be monetized

• Use IDPS reports to generate exposure reports so you can see what they might have.
• Use IDPS file access auditing to monitor erratic file access by a process and alert or shutdown the process if detected.

Data managers will obtain the systems as well as the credentials to access these systems from hackers/ affiliates. They then use this software to get paid. These cybercriminals are after the money, if the victims do not pay within a certain time they typically sell the data on to the group called Negotiators and Chasers.

It is important for IDPS to detect attackers early, if data is ex-filtrated the only option is to minimize harm. Please note that some incident managers will, in coordination with the owners, allow the incident to continue for forensics reasons. Please contact support@vesnx.com if you are compromised

When it comes to ransomware, a negotiator is someone who is specialized in getting the victims to pay a ransom in order to unlock locked systems. In order to offer the victims a round-the-clock service by getting them to pay, the negotiators are probably working in shifts.

Chasers perform the same as the negotiators. They are usually less accommodating and will start threatening that if you do not pay and restore your system, they will keep attacking you and continue taking your systems down.

Negotiators Chasers

We do not negotiate with ransomware teams. There are services that specialize in negotiating a lower ransom. We feel that these services do not deliver what they claim, especially when you consider the fee charged. These companies can't negotiate on your behalf without you getting involved (sometimes paying ransom is illegal) and can't guarantee the payment will be lower than what you can negotiate yourself, or that the stolen data won't get sold on the dark web.

Negotiators and Chasers

Negotiators & chasers will try and buy or take-over an active ransom exploit and ensure everyone in the kill chain gets paid.

Mitigation

CHASERS__ACTIVITIES_A

Locked screen of an infected PC

The chat window of ransomware group

We do offer preventive consulting services like malware removal. As far as IDPS is concerned, if you already have a system that has been infected, then there isn't much that it can do for you.

A summary on the ransomware kill chain

The strategy of an antivirus is to protect the user from opening documents that contain malicious code, in this section, we demonstrated that detection and prevention is key. Any attempt should be made to stop malicious activity before bad actors have gained a physical presence on a system.

Any attempt to remotely control a system, when detected, should isolate the source as it is the only viable option to halt or minimize the effects that such activity will have. Antiviruses do not do that.