Evaluating the Efficacy of Machine Learning Techniques in Ransomware Detection
| dc.contributor.author | Meechanchuang K. | |
| dc.contributor.author | Sitsaengchai P. | |
| dc.contributor.author | Bowornsujaritkul K. | |
| dc.contributor.author | Tritilanunt S. | |
| dc.contributor.author | Phienthrakul T. | |
| dc.contributor.correspondence | Meechanchuang K. | |
| dc.contributor.other | Mahidol University | |
| dc.date.accessioned | 2026-03-16T18:14:56Z | |
| dc.date.available | 2026-03-16T18:14:56Z | |
| dc.date.issued | 2025-01-01 | |
| dc.description.abstract | Ransomware continues to pose a critical threat to computer systems worldwide, requiring effective detection strategies that can generalize across evolving variants. This paper presents a comparative evaluation of multiple machine learning algorithms for ransomware detection using dynamic analysis. Behavioral features were extracted from ransomware samples via Cuckoo Sandbox, and standard classifiers including Decision Tree, Random Forest, Gradient Boosting, and XGBoost were evaluated with appropriate train-test splits and feature selection. Results show that Random Forest consistently achieves superior performance on unseen ransomware families, highlighting its robustness and practical applicability. Beyond accuracy, this study examines computational considerations, revealing that tree-based models offer favorable tradeoffs between detection efficacy and inference latency, making them suitable for near real-time deployment. Feature importance analysis further indicates that registry modifications, file operations, and cryptographic API calls are key behavioral traits distinguishing ransomware activity. Nevertheless, the study faces limitations, including a relatively small dataset (582 ransomware samples), basic class imbalance handling, and the absence of deep learning baselines. To address these gaps, future work will explore dataset expansion, advanced imbalance handling techniques, neural architectures, and large-scale deployment evaluation. By emphasizing both detection accuracy and forensic interpretability, this work contributes practical insights for improving ransomware defense in real-world environments. | |
| dc.identifier.citation | Jcsse 2025 22nd International Joint Conference on Computer Science and Software Engineering (2025), 209-216 | |
| dc.identifier.doi | 10.1109/JCSSE67377.2025.11297864 | |
| dc.identifier.scopus | 2-s2.0-105032444619 | |
| dc.identifier.uri | https://repository.li.mahidol.ac.th/handle/123456789/115726 | |
| dc.rights.holder | SCOPUS | |
| dc.subject | Mathematics | |
| dc.subject | Computer Science | |
| dc.subject | Decision Sciences | |
| dc.title | Evaluating the Efficacy of Machine Learning Techniques in Ransomware Detection | |
| dc.type | Conference Paper | |
| mu.datasource.scopus | https://www.scopus.com/inward/record.uri?partnerID=HzOxMe3b&scp=105032444619&origin=inward | |
| oaire.citation.endPage | 216 | |
| oaire.citation.startPage | 209 | |
| oaire.citation.title | Jcsse 2025 22nd International Joint Conference on Computer Science and Software Engineering | |
| oairecerif.author.affiliation | Mahidol University |
