When hackers hold data hostage

Multi-layered security can better defend against ransomware

Ransomware attacks, in which hackers compromise a network or system and then threaten to damage or shut it down unless they are paid, have doubled in recent years.

Municipalities, both big and small, are particularly susceptible to such attacks; local IT departments may have limited resources and attackers are continually evolving their methods. 

In 2022, high-profile ransomware attacks hit such diverse targets as NVIDIA; the Costa Rica government; Bernalillo County, New Mexico; the Maryland Department of Health; and Altoona Area School District, Pennsylvania, among many others.

One response has been signature-based threat detection, in which defenders extract a unique identifier from a known threat and use it to recognize that threat in the future. Many anti-virus programs use this process, cataloging known malware. They may catch certain attacks, but some of the more dangerous malware is changing more rapidly than they can catalog it.

“Malware developers have become very proficient at finding ways to evade traditional signature-based anti-virus solutions,” said Joe Richard, cyber resiliency lead for Raytheon Intelligence & Space, a Raytheon Technologies business. “Keeping anti-virus software up to date is good cyber hygiene, but more comprehensive solutions are needed to keep critical information secure.”

A multi-layered, holistic strategy defends against ransomware more effectively than reliance on a single tool.

For example, Raytheon Intelligence & Space has developed a technology called the REDPro ZTX platform, which uses a multi-layered, hardware- and software-based approach to protecting data and systems from malicious cyberattacks.

“You don’t want to put all your eggs in one basket when it comes to protecting your sensitive data,” said Torsten Staab, Raytheon Intelligence & Space REDPro ZTX chief engineer.

Ransomware uses encryption to lock up data on infected computers, then demands payment for its return. Many of these attacks get into systems through phishing emails that lure recipients into clicking a link or double-clicking an attachment disguised as a legitimate file.

“All it takes is one careless employee clicking on a ransomware-infested phishing email to start losing all your data in a matter of seconds,” Staab said.

Sometimes these attacks are highly targeted; in other cases, attackers cast their net wide to capture victims, Richard said.

“In some of these costly ransomware cases against a specific individual or organization, we’ve seen sophisticated social engineering and spearphishing tactics,” he said. “But sometimes, it’s simply through a mass e-mail laced with malware intended to prey off of people’s curiosity. And that’s dangerous because you can’t control what every single employee happens to click on.”

Prevention, not remediation, is the key, according to Staab. “You have to prepare and plan for this in advance,” he said.

It only takes seconds for ransomware to start encrypting gigabytes' worth of data, Staab added. To fight it, REDPro combines RI&S' cybersecurity technologies with industry-leading workload and data security technologies from select industry partners such as Virsec and Racktop Systems. These capabilities use advanced run-time and file system-focused behavioral analytics to detect and defeat ransomware attacks in real time at multiple levels.

“We can detect and halt a ransomware attack before it can even start to encrypt any data,” Staab said.

REDPro ZTX runs RI&S' Electronic Armor software, which measures and monitors an operating system’s boot and runtime environment. Electronic Armor is based on the Zero Trust principle, which assumes an attacker is already able to do damage. The software can prevent unauthorized access, copying, modification, reverse engineering or deletion of critical software, intellectual property or sensitive data.

“In some industries, they’re still running Windows XP, which Microsoft no longer supports,” Richard said. “Patching the OS is not an option, so there’s a critical need for solutions that can keep these systems operating in a secure state. Electronic Armor can keep these systems secure by authenticating all data and applications before execution and isolating critical software and data from untrusted applications on the system.”

To enable true multi-level Zero Trust security and defend against internal and external cyber threats, the REDPro ZTX platform incorporates advanced, multi-layered behavioral analytics and monitoring. This enables the platform to rapidly detect and neutralize potential cyber threats at the user, device, system, application, network, and storage layers and prevents single points of failure.

“If a user works in Human Resources in Virginia and is usually online from 9 to 5, then one day this user logs in from Eastern Europe at 3 a.m. and tries to download files from a Finance-shared drive, REDPro would flag it and intervene in real-time if required,” Staab said. “Every user, system, process, and application poses a potential cyber threat or vulnerability — regardless of their origin, current location or access privileges.”
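The user-layer anomaly check Staab describes, as an added example that is not REDPro's or Raytheon's code: a toy per-user baseline (normal working hours, login country and file shares; every value here is constructed) scores each access event by how many baseline properties it violates, and intervenes only when several deviations coincide rather than on any single anomaly.

```python
from dataclasses import dataclass

@dataclass
class Baseline:
    work_hours: range      # local hours during which the user is normally active
    countries: set         # countries the user normally logs in from
    shares: set            # file shares the user normally accesses

@dataclass
class Event:
    user: str
    hour: int              # local hour of day, 0-23
    country: str           # ISO country code of the login source
    share: str             # share being accessed
    action: str            # e.g. "read", "download"

# Constructed baseline for the HR user in the scenario (hypothetical values).
BASELINES = {"hr.analyst": Baseline(range(9, 17), {"US"}, {"HR"})}

def score_event(ev, baselines=BASELINES):
    """Return (score, reasons): one point per deviation from the baseline.
    Unknown users get the maximum score (there is no profile to trust)."""
    base = baselines.get(ev.user)
    if base is None:
        return 3, ["no baseline for user"]
    reasons = []
    if ev.hour not in base.work_hours:
        reasons.append(f"off-hours activity at {ev.hour:02d}:00")
    if ev.country not in base.countries:
        reasons.append(f"login from unexpected country {ev.country}")
    if ev.share not in base.shares:
        reasons.append(f"{ev.action} on unfamiliar share {ev.share}")
    return len(reasons), reasons

def should_intervene(ev, threshold=2):
    """Intervene when two or more independent deviations coincide, so that a
    lone late-night login from the usual location only produces an alert."""
    return score_event(ev)[0] >= threshold

# Constructed events: a normal workday access and the scenario from the text
# ("RO" stands in for an Eastern European login source).
NORMAL = Event("hr.analyst", 10, "US", "HR", "read")
SUSPICIOUS = Event("hr.analyst", 3, "RO", "Finance", "download")

if __name__ == "__main__":
    for ev in (NORMAL, SUSPICIOUS):
        verdict = "intervene" if should_intervene(ev) else "allow"
        print(ev.user, score_event(ev), verdict)
```

A real deployment would learn the baseline from historical logs and weight the signals, but the decision structure stays the same.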

Richard added, “Our mission is to make sure the organization stays running even while under attack.”