ERAD: Enhanced Ransomware Attack Defense System for Healthcare Organizations

DOI: 10.4236/jsea.2024.175016, PP. 270-296

Keywords: Ransomware, Healthcare Cybersecurity, MITRE ATT&CK Matrix, Incident Response, Ransomware Attack Lifecycle, Digital Health Safety

Abstract:

Digital integration within healthcare systems exacerbates their vulnerability to sophisticated ransomware threats, leading to severe operational disruptions and data breaches. Current defenses are typically categorized into active and passive measures that struggle to achieve comprehensive threat mitigation and often lack real-time response effectiveness. This paper presents an innovative ransomware defense system, ERAD, designed for healthcare environments, that applies the MITRE ATT&CK Matrix to coordinate dynamic, stage-specific countermeasures throughout the ransomware attack lifecycle. By systematically identifying and addressing threats based on indicators of compromise (IOCs), the proposed system proactively disrupts the attack chain before serious damage occurs. Validation is provided through a detailed analysis of a system deployment against LockBit 3.0 ransomware, illustrating significant enhancements in mitigating the impact of the attack, reducing the cost of recovery, and strengthening the cybersecurity framework of healthcare organizations. The system is also applicable to other, non-health sectors of the business world.
