Abstract

All forms of data are meant to be protected, yet the variety of techniques and tactics adopted by malware authors has made recovery increasingly difficult. LockBit ransomware has been in the news, and the APT behind its deployment has compromised several organizations. It is important to understand the behavior of such malware, to identify the anti-analysis techniques it employs, and to block it. The group involved compromised several health and medical facilities, including AIIMS in India and SickKids Hospital in Canada. Ransomware is a highly impactful family of malware: its effects range from confidential medical information being harvested over a command-and-control (C2) channel to medical equipment being rendered useless. This article discusses the compromised entities and the defensive strategies that can be used to block LockBit ransomware with any generic SIEM tool. It also explains the need for tools that can survive ransomware encryption and a restart issued from the command line, and that can detect the behavioral patterns of such malware. Several samples were collected from various sources, and indicators of compromise were derived from the strings and behavior of those samples. Several detection mechanisms, including YARA, Snort, and generic hunt rules, are also discussed.
