Ransomware Detection with ML and Deep Learning: An Evidence-Based Survey and Drift-Aware Taxonomy
| dc.contributor.author | Tritilanunt S. | |
| dc.contributor.correspondence | Tritilanunt S. | |
| dc.contributor.other | Mahidol University | |
| dc.date.accessioned | 2026-06-08T18:11:24Z | |
| dc.date.available | 2026-06-08T18:11:24Z | |
| dc.date.issued | 2026-01-01 | |
| dc.description.abstract | Ransomware remains a major threat that requires early and reliable detection. This paper offers an evidence-based survey and a drift-aware taxonomy that help practitioners choose between classic machine learning (ML) and deep learning (DL) across static, dynamic, and graph-based feature regimes. We outline when lightweight tree-based ML provides strong accuracy and low latency, and when sequence or graph DL adds value on long, high-quality traces despite higher compute cost. We highlight common pitfalls, especially random splits and insufficient temporal testing, that inflate performance under concept drift, and recommend time-aware evaluation with temporal splits and challenge subsets. We summarize the space into a feature-method matching table and a deployment-oriented decision flow, and we recommend hybrid pipelines where fast static or aggregated dynamic ML acts as a filter and heavier DL as a confirmer. Practical routines for continual learning and lightweight drift monitoring (e.g., feature-frequency or trace-coverage shifts) are also provided. Finally, we call for a dynamic, drift-aware benchmark analogous to EMBER2024 and emphasize minimum reporting standards: FPR@TPR at fixed operating points (0.1%, 1%), end-to-end latency (p50/p95), and clear sandbox/EDR configuration. | |
| dc.identifier.citation | 2026 International Conference on Advances in Artificial Intelligence and Machine Learning Aaiml 2026 (2026) , 181-186 | |
| dc.identifier.doi | 10.1109/AAIML67890.2026.11498152 | |
| dc.identifier.scopus | 2-s2.0-105040590243 | |
| dc.identifier.uri | https://repository.li.mahidol.ac.th/handle/123456789/117134 | |
| dc.rights.holder | SCOPUS | |
| dc.subject | Computer Science | |
| dc.title | Ransomware Detection with ML and Deep Learning: An Evidence-Based Survey and Drift-Aware Taxonomy | |
| dc.type | Conference Paper | |
| mu.datasource.scopus | https://www.scopus.com/inward/record.uri?partnerID=HzOxMe3b&scp=105040590243&origin=inward | |
| oaire.citation.endPage | 186 | |
| oaire.citation.startPage | 181 | |
| oaire.citation.title | 2026 International Conference on Advances in Artificial Intelligence and Machine Learning Aaiml 2026 | |
| oairecerif.author.affiliation | Mahidol University |
