MLRan: A Behavioural Dataset for Ransomware Analysis and Detection
Onwuegbuche, Faithful Chiagoziem, Olaoluwa, Adelodun, Jurcut, Anca Delia, Pasquale, Liliana
Ransomware remains a critical threat to cybersecurity, yet publicly available datasets for training machine learning-based ransomware detection models are scarce and often have limited sample size, diversity, and reproducibility. In this paper, we introduce MLRan, a behavioural ransomware dataset, comprising over 4,800 samples across 64 ransomware families and a balanced set of goodware samples. The samples span from 2006 to 2024 and encompass the four major types of ransomware: locker, crypto, ransomware-as-a-service, and modern variants. We also propose guidelines (GUIDE-MLRan), inspired by previous work, for constructing high-quality behavioural ransomware datasets, which informed the curation of our dataset. We evaluated the ransomware detection performance of several machine learning (ML) models using MLRan. For this purpose, we performed feature selection by conducting mutual information filtering to reduce the initial 6.4 million features to 24,162, followed by recursive feature elimination, yielding 483 highly informative features. The ML models achieved an accuracy, precision and recall of up to 98.7%, 98.9%, 98.5%, respectively. Using SHAP and LIME, we identified critical indicators of malicious behaviour, including registry tampering, strings, and API misuse. The dataset and source code for feature extraction, selection, ML training, and evaluation are available publicly to support replicability and encourage future research, which can be found at https://github.com/faithfulco/mlran.
Hierarchical Pattern Decryption Methodology for Ransomware Detection Using Probabilistic Cryptographic Footprints
Pekepok, Kevin, Kirkwood, Persephone, Christopolous, Esme, Braithwaite, Florence, Nightingale, Oliver
The increasing sophistication of encryption-based ransomware has demanded innovative approaches to detection and mitigation, prompting the development of a hierarchical framework grounded in probabilistic cryptographic analysis. By focusing on the statistical characteristics of encryption patterns, the proposed methodology introduces a layered approach that combines advanced clustering algorithms with machine learning to isolate ransomware-induced anomalies. Through comprehensive testing across diverse ransomware families, the framework demonstrated exceptional accuracy, effectively distinguishing malicious encryption operations from benign activities while maintaining low false positive rates. The system's design integrates dynamic feedback mechanisms, enabling adaptability to varying cryptographic complexities and operational environments. Detailed entropy-based evaluations revealed its sensitivity to subtle deviations in encryption workflows, offering a robust alternative to traditional detection methods reliant on static signatures or heuristics. Computational benchmarks confirmed its scalability and efficiency, achieving consistent performance even under high data loads and complex cryptographic scenarios. The inclusion of real-time clustering and anomaly evaluation ensures rapid response capabilities, addressing critical latency challenges in ransomware detection. Performance comparisons with established methods highlighted its improvements in detection efficacy, particularly against advanced ransomware employing extended key lengths and unique cryptographic protocols.
EGAN: Evolutional GAN for Ransomware Evasion
Commey, Daniel, Appiah, Benjamin, Frimpong, Bill K., Osei, Isaac, Hammond, Ebenezer N. A., Crosby, Garth V.
Adversarial Training is a proven defense strategy against adversarial malware. However, generating adversarial malware samples for this type of training presents a challenge because the resulting adversarial malware needs to remain evasive and functional. This work proposes an attack framework, EGAN, to address this limitation. EGAN leverages an Evolution Strategy and Generative Adversarial Network to select a sequence of attack actions that can mutate a Ransomware file while preserving its original functionality. We tested this framework on popular AI-powered commercial antivirus systems listed on VirusTotal and demonstrated that our framework is capable of bypassing the majority of these systems. Moreover, we evaluated whether the EGAN attack framework can evade other commercial non-AI antivirus solutions. Our results indicate that the adversarial ransomware generated can increase the probability of evading some of them.
RansomAI: AI-powered Ransomware for Stealthy Encryption
von der Assen, Jan, Celdrán, Alberto Huertas, Luechinger, Janik, Sánchez, Pedro Miguel Sánchez, Bovet, Gérôme, Pérez, Gregorio Martínez, Stiller, Burkhard
Cybersecurity solutions have shown promising performance when detecting ransomware samples that use fixed algorithms and encryption rates. However, due to the current explosion of Artificial Intelligence (AI), sooner or later, ransomware (and malware in general) will incorporate AI techniques to intelligently and dynamically adapt its encryption behavior to be undetected. It might result in ineffective and obsolete cybersecurity solutions, but the literature lacks AI-powered ransomware to verify it. Thus, this work proposes RansomAI, a Reinforcement Learning-based framework that can be integrated into existing ransomware samples to adapt their encryption behavior and stay stealthy while encrypting files. RansomAI presents an agent that learns the best encryption algorithm, rate, and duration that minimizes its detection (using a reward mechanism and a fingerprinting intelligent detection system) while maximizing its damage function. The proposed framework was validated in a ransomware sample, Ransomware-PoC, that infected a Raspberry Pi 4 acting as a crowdsensor. A pool of experiments with Deep Q-Learning and Isolation Forest (deployed on the agent and detection system, respectively) has demonstrated that RansomAI evades the detection of Ransomware-PoC affecting the Raspberry Pi 4 in a few minutes with >90% accuracy.
Machine learning could help companies react faster to ransomware
File-encrypting ransomware programs have become one of the biggest threats to corporate networks worldwide and are constantly evolving by adding increasingly sophisticated detection-evasion and propagation techniques. In a world where any self-respecting malware author makes sure that his creations bypass antivirus detection before releasing them, enterprise security teams are forced to focus on improving their response times to infections rather than trying to prevent them all, which is likely to be a losing game. Exabeam, a provider of user and entity behavior analytics, believes that machine-learning algorithms can significantly improve ransomware detection and reaction time, preventing such programs from spreading inside the network and affecting a larger number of systems. Because the decryption price asked by ransomware authors is calculated per system, isolating affected computers as soon as possible is critical. Only last week the University of Calgary announced that it paid 20,000 Canadian dollars (around US$15,600) to ransomware authors to get the decryption keys for multiple systems. Exabeam's Analytics for Ransomware, a new product that was announced today, uses the company's existing behavior analytics technology to detect ransomware infections shortly after they occur.