Ransomware Detection Using Machine Learning: Design, Analysis, and Review of Frameworks
DOI: https://doi.org/10.71143/q4axkj45
Abstract
Ransomware has become one of the most widespread and harmful types of cybercrime, disabling organizations and encrypting important data that they must then pay a ransom to recover. As ransomware variants evolve rapidly, signature-based techniques are increasingly ineffective. Machine learning (ML), with its capacity to learn from patterns and identify deviations, is a potentially effective approach to early detection of and countermeasures against ransomware attacks. This paper presents an extensive review of ransomware detection frameworks that use machine learning. It covers analysis of the file (its features, opcode sequences), analysis of the system (its behaviour, API calls, registry changes), and combinations of the two (hybrid methods). The accuracy, scalability and obfuscation resistance of models such as decision trees, random forests, support vector machines (SVMs), and deep learning models consisting of CNNs and LSTMs are benchmarked. The paper sets out the benefits of ML-based detection, such as adaptive learning, reduced signature requirements, and detection of zero-day ransomware, but also highlights limitations, such as data imbalance, adversarial examples, and energy consumption. To overcome these limitations, newer solutions such as federated learning, explainable AI (XAI) or ensemble models are discussed in response. Recent studies have shown that ML models can be trained to reach detection accuracy greater than 95% with balanced datasets, but adversarial manipulation remains a challenge. The paper ends with recommendations for future research directions such as privacy-preserving collaborative training, real-time lightweight ML for endpoint protection, and blockchain integration to provide tamper-proof logging of ransomware activities.
License
Copyright (c) 2025 International Journal of Research and Review in Applied Science, Humanities, and Technology

This work is licensed under a Creative Commons Attribution-NonCommercial 4.0 International License.








