Mitigating Ransomware in the Energy and Healthcare Sectors through Layered Defense Strategies
Sarah Mavire1, Kumbirai Bernard Muhwati2, Naga Kota3, & Joy Adesina Awoleye4
1,2,3,4 Department of Cybersecurity, Yeshiva University, New York, USA
DOI – http://doi.org/10.37502/IJSMR.2025.8609
Abstract
Ransomware attacks have escalated in frequency, scale, and sophistication, posing a serious threat to critical infrastructure sectors, particularly energy and healthcare. These sectors are uniquely vulnerable because of legacy systems, tight interconnection between operational technology (OT) and information technology (IT), and the life-critical nature of the services they provide. This paper explores a layered defense approach tailored to mitigating ransomware threats in these high-impact environments. Drawing on real-world case studies, such as the Colonial Pipeline and WannaCry incidents, and on frameworks such as the NIST Cybersecurity Framework and MITRE ATT&CK for ICS, we propose a multi-tiered defense-in-depth model. The framework integrates network segmentation, endpoint detection and response (EDR), behavioral analytics, offline backups, access controls, and tailored incident response playbooks. Simulated ransomware infection scenarios are used to evaluate the effectiveness of each defense layer, with results indicating significant improvements in detection, containment, and recovery. This research offers a sector-specific, practical roadmap for enhancing ransomware resilience and provides actionable recommendations for cybersecurity teams protecting critical services.
Keywords: Ransomware, ICS, Legacy systems, Layered defense strategies, Energy sector, Healthcare sector, MITRE ATT&CK, NIST CSF.
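The behavioral-analytics layer named in the abstract is the one whose mechanics are least obvious from a list of controls, so the following is an added, self-contained illustration of how such a detector can score file-system activity; it is not code from the paper or from any product the paper evaluates. It assumes a host sensor that emits per-process file events (write with the bytes written, and rename with old and new path), and the thresholds, canary path, and event stream below are constructed for the example, not measured values.

```python
"""Added example: per-process behavioral detector for ransomware-style file activity.

Two signals are combined, each weak on its own:
  1. many distinct files rewritten with near-random (high-entropy) content, and
  2. the same files renamed to a new extension, inside a short sliding window.
A third, immediate signal is any touch of a canary file that no legitimate
workflow should ever open. Thresholds below are illustrative assumptions.
"""
import math
import os
import random
from collections import defaultdict, deque

HIGH_ENTROPY = 7.0           # bits/byte; ciphertext and compressed data sit near 8.0
WINDOW_SECONDS = 10.0        # sliding window per process (assumed tuning value)
MIN_SUSPICIOUS_FILES = 20    # distinct files both rewritten high-entropy AND renamed
KNOWN_ARCHIVE_EXT = {".zip", ".gz", ".7z", ".bak"}   # legitimately high-entropy outputs


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input, at most 8.0)."""
    if not data:
        return 0.0
    counts = defaultdict(int)
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


class RansomwareBehaviorDetector:
    """Sliding-window scorer. Events are dicts:
    {"ts": float, "pid": int, "op": "write", "path": str, "data": bytes} or
    {"ts": float, "pid": int, "op": "rename", "path": str, "new_path": str}.
    """

    def __init__(self, canary_paths=()):
        self.canaries = set(canary_paths)
        self.windows = defaultdict(deque)   # pid -> deque of (ts, kind, path)
        self.alerted = set()                # pids already reported, to avoid alert storms

    def _prune(self, pid, now):
        w = self.windows[pid]
        while w and now - w[0][0] > WINDOW_SECONDS:
            w.popleft()

    def observe(self, ev):
        """Feed one event; return the list of alert strings it triggered (usually empty)."""
        alerts = []
        pid, now, path = ev["pid"], ev["ts"], ev["path"]
        if path in self.canaries:                       # canary: alert on first touch
            alerts.append(f"CANARY pid={pid} touched {path}")
        self._prune(pid, now)
        w = self.windows[pid]
        if ev["op"] == "write":
            ext = os.path.splitext(path)[1].lower()
            if shannon_entropy(ev["data"]) >= HIGH_ENTROPY and ext not in KNOWN_ARCHIVE_EXT:
                w.append((now, "hi_entropy_write", path))
        elif ev["op"] == "rename":
            if os.path.splitext(path)[1] != os.path.splitext(ev["new_path"])[1]:
                w.append((now, "ext_change", path))     # keyed on the pre-rename path
        rewritten = {p for _, k, p in w if k == "hi_entropy_write"}
        renamed = {p for _, k, p in w if k == "ext_change"}
        suspicious = rewritten & renamed                # both signals on the same file
        if len(suspicious) >= MIN_SUSPICIOUS_FILES and pid not in self.alerted:
            self.alerted.add(pid)
            alerts.append(f"MASS_ENCRYPTION pid={pid} files={len(suspicious)} within {WINDOW_SECONDS}s")
        return alerts


def simulated_events():
    """Constructed event stream: two benign processes and one simulated encryptor."""
    rng = random.Random(7)
    events = []
    # pid 100: backup agent writes one compressed archive (high entropy, but expected extension)
    events.append({"ts": 0.0, "pid": 100, "op": "write",
                   "path": "/srv/backup/nightly.zip", "data": rng.randbytes(4096)})
    # pid 200: clinician's editor saves many plaintext notes (low entropy, no renames)
    for i in range(30):
        events.append({"ts": 0.1 * i, "pid": 200, "op": "write",
                       "path": f"/home/nurse/notes{i}.txt", "data": b"patient note " * 100})
    # pid 666: simulated ransomware rewrites records with ciphertext-like bytes, then renames
    for i in range(25):
        f = f"/share/ehr/record{i}.docx"
        events.append({"ts": 1.0 + 0.05 * i, "pid": 666, "op": "write",
                       "path": f, "data": rng.randbytes(4096)})
        events.append({"ts": 1.0 + 0.05 * i + 0.01, "pid": 666, "op": "rename",
                       "path": f, "new_path": f + ".locked"})
    # ...and finally touches the canary file
    events.append({"ts": 3.0, "pid": 666, "op": "write",
                   "path": "/share/ehr/.canary/do_not_touch.xlsx", "data": rng.randbytes(1024)})
    return events


def run(events, canaries=("/share/ehr/.canary/do_not_touch.xlsx",)):
    """Replay events in time order and collect every alert raised."""
    det = RansomwareBehaviorDetector(canary_paths=canaries)
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        alerts.extend(det.observe(ev))
    return alerts


if __name__ == "__main__":
    for line in run(simulated_events()):
        print(line)
```

Requiring both the high-entropy rewrite and the extension change on the same file is what keeps the backup agent (one archive write) and the text editor (many low-entropy saves) quiet, while the encryptor trips the threshold on its twentieth file; the canary fires independently, which matters for variants that encrypt in place without renaming. In a real deployment the alert would feed the containment playbook (host isolation via EDR, segment-level blocking) rather than only being printed.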
References
- AADA (September 2023). AADA Whitepaper. https://www.aada.org/ransomware-lifecycle
- Adelusi, B. (2023). Network Segmentation Approaches for Improved Security in Digital Systems. ResearchGate.
- Beerman, J., Berent, D., Falter, Z., & Bhunia, S. (May 1–4, 2023). A Review of Colonial Pipeline Ransomware Attack. 2023 IEEE/ACM 23rd International Symposium on Cluster, Cloud and Internet Computing Workshops (CCGridW), Bangalore, India: IEEE. doi:10.1109/CCGridW59191.2023.00017. Retrieved May 27, 2025.
- Benestelli, K. D. (July 18, 2022). IT, OT, and ZT: Implementing Zero Trust in Industrial Control Systems. Carnegie Mellon University, Software Engineering Institute Insights.
- Bing, C., & Kelly, S. (May 8, 2021). Cyber Attack Shuts Down Top U.S. Fuel Pipeline Network. Reuters.
- Caviglione, L. (2021). Cyber reconnaissance techniques. Communications of the ACM, 64(3), 86–95.
- Chappell, B., & Neuman, S. (December 19, 2017). U.S. Says North Korea ‘Directly Responsible’ For WannaCry Ransomware Attack. NPR. Retrieved May 2, 2025.
- Cybersecurity and Infrastructure Security Agency (May 2018). https://www.cisa.gov/ransomware [Accessed 6 May 2025].
- Cybersecurity and Infrastructure Security Agency (2020). CISA MS-ISAC Ransomware Guide. https://www.cisa.gov/sites/default/files/publications/CISA_MS-ISAC_Ransomware_Guide_S508C [Accessed 4 May 2025].
- Cybersecurity and Infrastructure Security Agency (May 7, 2021). Conti Ransomware, pp. 1–2.
- Cybersecurity and Infrastructure Security Agency (2021). Federal Government Cybersecurity Incident and Vulnerability Response Playbooks. CISA.
- Cybersecurity and Infrastructure Security Agency (2022). Layering Network Security Through Segmentation. CISA.
- Cybersecurity and Infrastructure Security Agency (2023). Zero Trust Maturity Model Version 2.0. https://www.cisa.gov/sites/default/files/2023-04/zero_trust_maturity_model_v2_508.pd [Accessed 10 May 2025].
- Cybersecurity and Infrastructure Security Agency (2025). Indicators Associated with WannaCry Ransomware. CISA.
- Department of Health and Human Services (May 10, 2020). Ryuk Update, pp. 3–5.
- Department of Health and Human Services (2021). Prepare, React, and Recover from Ransomware. Department of Health and Human Services.
- Doe, S. K. (2023). Evaluating access control effectiveness against ransomware lateral movement. Journal of Computers & Security, 101, 55–65.
- Fisher, B., Souppaya, M., Barker, W., & Scarfone, K. (2022). Ransomware risk management: A cybersecurity framework profile. NIST IR 8374, pp. 15–20.
- Johnston, W. C. (2023). Continuous monitoring and advanced behavioral analytics for lateral movement detection in enterprise networks. IEEE Transactions on Information Forensics and Security, 18(5), 1452–1465.
- Jones, D., Miller, T., & Carter, R. (2023). The evolution of ransomware: From opportunistic attacks to organized cyber extortion. Journal of Cyber Threat Studies, 18(2), 12–27.
- Jones, R. (2023). Operationalizing the MITRE ATT&CK® for ICS: Lessons from energy and healthcare sectors. Journal of Cybersecurity Practice, 18(2), 30–34.
- Krombholz, W. E., et al. (2015). Advanced social engineering attacks. Journal of Information Security and Applications, 22, 113–122.
- Kumar, & Ramlie, R. (2020). Enhancing ICS security: Integrating the MITRE ATT&CK® framework with layered defense strategies. Journal of Industrial Cybersecurity, 20(8), 45–48.
- Kumar, & Ramlie, R. (2021). Anatomy of Ransomware: Attack Stages, Patterns and Handling Techniques. Advances in Intelligent Systems and Computing, vol. 1321, 205–214.
- Kumar, & Ramlie, R. (2023). Double Extortion in Ransomware Attacks: Escalating Pressures in Digital Extortion. Journal of Cyber Threat Studies, 20(3), 40–57.
- Marquardt, A., Perez, E., & Cohen, Z. (June 7, 2021). First on CNN: US recovers millions in cryptocurrency paid to Colonial Pipeline ransomware hackers. CNN Politics. Retrieved May 16, 2025.
- MITRE Corporation (May 6, 2025). MITRE ATT&CK® for Industrial Control Systems (ICS). https://attack.mitre.org/mitigations/M0930/ [Accessed 6 May 2025].
- National Institute of Standards and Technology (2022). Guide to a Secure Enterprise Network Landscape (NIST SP 800-215). https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-215.pdf [Accessed 11 May 2025].
- National Institute of Standards and Technology (2024). The NIST Cybersecurity Framework (CSF) 2.0. U.S. Department of Commerce.
- National Institute of Standards and Technology (2025). Incident Response Recommendations and Considerations for Cybersecurity Risk Management: A CSF 2.0 Community Profile (NIST SP 800-61r3). NIST.
- National Institute of Standards and Technology (2025). Mapping NIST SP 800-53 Controls for Integrated Cyber Defense. NIST.
- QNAP (2022). Security advisory. https://www.qnap.com/en/security-advisory/qsa-22-02 [Accessed 6 May 2025].
- Sanger, D., Krauss, C., & Perlroth, N. (May 8, 2021). Cyberattack Forces a Shutdown of a Top U.S. Pipeline. The New York Times. Archived from the original on May 8, 2021. Retrieved May 8, 2021.
- Särökaari (2020). Phishing attacks and mitigation tactics. Master’s Thesis, University of Jyväskylä, Finland.
- Segers, G. (May 8, 2021). Cyberattack Prompts Major Pipeline Operator to Halt Operations. CBS News. Retrieved May 8, 2025.
- Smith, W. (2022). Ransomware variants: Cryptographic and lockdown mechanisms in modern cyberattacks. International Journal of Cybersecurity, 12(1), 30–45.
- TechCrunch (May 12, 2019). Two Years after WannaCry, A Million Computers Remain At Risk. TechCrunch.
- Thomas, A., Grove, T., & Gross, J. (May 13, 2017). More Cyberattack Victims Emerge as Agencies Search for Clues. The Wall Street Journal. ISSN 0099-9660. Retrieved May 14, 2025.
- Ungoed-Thomas, J., Henry, R., & Gadher, D. (May 14, 2017). Cyber-attack guides promoted on YouTube. The Sunday Times. Retrieved May 14, 2025.
- U.S. Department of Health and Human Services (January 23, 2023). Secure health data: Strengthening offline backups to prevent ransomware impact. https://www.hhs.gov/about/news/2023/01/secure-health-data.html [Accessed 7 May 2025].
- Veritas (2025). The Comprehensive Ransomware Guide with Veritas, pp. 14–16.
- Verizon Business (2024). 2024 Data Breach Investigations Report (17th ed.), pp. 5–7. Basking Ridge, NJ: Verizon Business. https://www.verizon.com/business/resources/T3f3/reports/2024-dbir-data-breach-investigations-report.pdf
- Walsh, J. Ransomware Attack Shuts Down Massive East Coast Gasoline Pipeline. Forbes. Retrieved May 16, 2025.
- Zscaler ThreatLabZ (2021). Ransomware delivered using RDP brute-force attack. Accessed May 6, 2025.
- Zscaler, Inc. (2024). Zscaler ThreatLabz 2024 Ransomware Report, pp. 3–4. San Jose, CA: Zscaler, Inc. https://assets.starlinkme.net/gitex-vendor-assets/zscaler/threatlabz-ransomware-report.pdf