Ransomware attacks have led many healthcare hospitals to migrate back to their traditional methods of monitoring patients using pen and paper instead of using implantable medical devices remotely. Studying the behaviour of payload ransomware on an approved actual healthcare dataset obtained from ICU and correctly clustering them into normal and malicious records after manifestation is the primary focus of this study. The features decided were upon the possibility of being captured remotely and their frequency of occurrences. Data transformation was included, to handle the encrypted values and perform data normalization, prior to the clustering process.

Unsupervised machine learning gained a lot of attention in the cybersecurity domain for its efficiency and capability of clustering tuples into malicious and benign categories. However, on the internet of medical things (IoMT), due to the constraints of the interconnected nodes, clustering of malicious activities became highly challenging and demanded to secure the infrastructure. This work used unsupervised machine learning techniques of k-means, DBscan, and mean shift compared to a threshold-based method which outperformed them with a precision of 100%. The performance metrics used in this work are; precision, recall, and f1score.