When hackers hold data hostage

Multi-layered security can better defend against ransomware

It's extortion, and it can cripple the operations of local governments, schools or corporations.

The cyberattacks known as ransomware, in which hackers compromise a network or system and then threaten to damage or shut it down unless they are paid, have doubled in the past year, according to the StateScoop news group. Municipalities, both big and small, are particularly susceptible to such attacks; local IT departments may have limited resources and attackers are continually evolving their methods. In 2019, high-profile ransomware attacks hit Atlanta, Baltimore and 23 towns in Texas.

One response has been signature-based threat detection, in which defenders find a unique identifier within a known threat and use it to recognize it in the future. Many anti-virus programs use that process, cataloging known malware. They may catch certain attacks, but some of the more dangerous malware is morphing more rapidly than they can catalog it.

“Malware developers have become very proficient at finding ways to evade traditional signature based anti-virus solutions,” said Joe Richard, cyber resiliency lead for Raytheon Intelligence & Space, one of the four businesses that form Raytheon Technologies. “Keeping anti-virus software up to date is good cyber hygiene, but more comprehensive solutions are needed to keep critical information secure.”

A multi-layered, holistic strategy is more effective to defend against ransomware, rather than depending on a single tool.

For example, Raytheon Intelligence & Space has developed a technology called the REDPro platform, which uses a multi-layered, hardware- and software-based approach to protecting data and systems from malicious cyberattacks.

“You don’t want to put all your eggs in one basket when it comes to protecting your sensitive data,” said Torsten Staab, Raytheon Intelligence & Space REDPro chief engineer.

Ransomware uses encryption to lock up data on infected computers, then demands payment for its return. Many of these attacks get into systems through phishing emails that lure recipients into clicking a link or double-clicking an attachment disguised as a legitimate file.

“All it takes is one careless employee clicking on a ransomware-infested phishing email to start losing all your data in a matter of seconds,” Staab said.

Sometimes these attacks are highly targeted or in other cases, attackers cast their net wide to capture victims, Richard said.

“In some of these costly ransomware cases against a specific individual or organization, we’ve seen sophisticated social engineering and spearphishing tactics,” he said. “But sometimes, it’s simply through a mass e-mail laced with malware intended to prey off of people’s curiosity. And that’s dangerous because you can’t control what every single employee happens to click on.”

Prevention, not remediation, is the key, according to Staab. “You have to prepare and plan for this in advance,” he said.

It only takes seconds for ransomware to start encrypting gigabytes worth of data, Staab added. To fight it, REDPro combines RI&S’ cybersecurity technologies with tech from select industry partners such as the company Virsec. It offers a real-time monitoring tool to detect anomalies in a system’s behavior and stop an attack.

“We can detect and halt a ransomware attack before it can even start to encrypt any data,” Staab said.

REDPro runs Raytheon Intelligence & Space's Electronic Armor software, which measures and monitors an operating system’s boot and runtime environment. Electronic Armor is based on the Zero Trust principle, which assumes an attacker is already in a position to do damage. The software can prevent unauthorized access, copying, modification, reverse engineering or deletion of critical software, intellectual property or sensitive data.

“In some industries, they’re still running Windows XP, which Microsoft no longer supports,” Richard said. “Patching the OS is not an option, so there’s a critical need for solutions that can keep these systems operating in a secure state.  Electronic Armor can keep these systems secure by authenticating all data and applications before execution and isolating critical software and data from untrusted applications on the system.”

“Our mission is to make sure the organization stays running even while under attack,” Richard said.

The platform also incorporates user, process, and storage behavioral analytics, which detects and neutralizes suspicious and malicious user activities, system services, applications, and storage media access.

“If a user works in Human Resources in Virginia and is usually online from 9 to 5, then one day this user logs in from Eastern Europe at 3 a.m. and tries to download files from a Finance-shared drive, REDPro would flag it and intervene in real-time if required,” Staab said. “Every user, system, process, and application poses a potential cyber threat or vulnerability — regardless of their origin, current location or access privileges.”