Tritilanunt S.Mahidol University2026-06-082026-06-082026-01-012026 International Conference on Advances in Artificial Intelligence and Machine Learning Aaiml 2026 (2026) , 181-186https://repository.li.mahidol.ac.th/handle/123456789/117134Ransomware remains a major threat that requires early and reliable detection. This paper offers an evidence-based survey and a drift-aware taxonomy that help practitioners choose between classic machine learning (ML) and deep learning (DL) across static, dynamic, and graph-based feature regimes. We outline when lightweight tree-based ML provides strong accuracy and low latency, and when sequence or graph DL adds value on long, high-quality traces despite higher compute cost. We high-light common pitfalls-especially random splits and insufficient temporal testing-that inflate performance under concept drift, and recommend time-aware evaluation with temporal splits and challenge subsets. We summarize the space into a feature-method matching table and a deployment-oriented decision flow, and we recommend hybrid pipelines where fast static or aggregated dynamic ML acts as a filter and heavier DL as a confirmer. Practical routines for continual learning and lightweight drift monitoring (e.g., feature-frequency or trace-coverage shifts) are also provided. Finally, we call for a dynamic, drift-aware benchmark analogous to EMBER2024 and emphasize minimum reporting standards: FPR@TPR at fixed operating points (0.1%, 1%), end-to-end latency (p50/p95), and clear sandbox/EDR configuration.Computer ScienceConference PaperSCOPUS10.1109/AAIML67890.2026.114981522-s2.0-105040590243