Ransomware has been a major concern in the domain of cyber security insofar as it has caused losses estimated in billions of dollars across the globe. The traditional signature-based means of guarding against it tend to be less effective against modern ransomware that employs polymorphism and zero-day attacks very effectively. Therefore, there has been a paradigm shift in the detection process toward behavior-based, entropy-based, and machine-learning techniques, which achieve a high level of accuracy but face a major drawback: a lack of transparency in decision-making.
This paper examines the prevailing approaches to the detection of ransomware and the trade-off that needs to be made between the accuracy and explainability of each approach. To address the gap in the literature, this paper describes the development of a lightweight host-based approach to the detection of ransomware, utilizing real-time entropy-based monitoring and machine learning. Additionally, this paper includes the use of Explainable AI techniques, specifically SHAP and LIME, to offer explanations for each ransomware detection event. It is hoped that the solution developed in this paper will deliver high accuracy and real-time detection while remaining transparent for forensic analysis.
Introduction
Ransomware has evolved from a minor cybercrime into a major cybersecurity threat that silently infiltrates systems, steals data, encrypts files, and demands ransom payments. The financial impact has grown significantly, with global ransomware costs reaching billions of dollars and attacks making up a large portion of cyber incidents. Beyond financial losses, organizations face downtime, reputational damage, recovery challenges, and data privacy risks.
Traditional antivirus systems rely mainly on signature-based detection, which identifies known malware patterns. However, modern ransomware uses zero-day exploits, polymorphic malware, and fileless attacks, allowing it to bypass most signature-based defenses. This limitation has led to the adoption of behavior-based detection, anomaly detection, and machine learning (ML) approaches, which analyze what a process does rather than what a file is.
Behavior-based tools monitor activities such as unusual file access, encryption patterns, entropy changes, and rapid file modifications. Although these methods improve detection, they may create false positives or detect attacks only after significant damage occurs. Machine learning models have achieved high detection accuracy (often above 95–99%), but they introduce a major challenge: the “black box” problem. These systems can identify malicious activity but often cannot explain why a decision was made, making them unreliable for forensic investigations and legal evidence.
The study highlights the importance of Explainable AI (XAI), which provides understandable explanations for ML decisions. Techniques such as SHAP and LIME help convert AI predictions into human-readable reasons, improving trust, accountability, and forensic usefulness.
The literature review shows the evolution of ransomware detection:
Signature-based methods: Easy to explain but ineffective against new and changing malware.
Behavior-based methods: Better against unknown threats but may have false positives.
Entropy-based methods: Effective for detecting encryption behavior but limited alone.
ML-based methods: Highly accurate but lack transparency.
A major research gap exists because no lightweight, real-time system fully combines accurate ransomware detection with forensic explainability. The proposed solution aims to fill this gap by creating a host-based ransomware detection framework that monitors file operations, detects abnormal encryption behavior, and provides explanations for every alert.
The proposed architecture contains four main modules:
File System Monitor – Tracks file write and modification activities.
Anomaly Detection Engine – Calculates features like file entropy changes, write speed, and process behavior, then uses ML to detect suspicious activity.
Causal Logger – Records detailed event information (process ID, file path, timestamps, entropy changes) for forensic investigation.
XAI Explainer Module – Uses methods like SHAP to explain why the ML model classified an activity as malicious.
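As an added illustration of the four-module pipeline above (and of the entropy-based detection it relies on), the following Python sketch is not the paper's code: it assumes a constructed linear scorer in place of the paper's trained model, constructed weights and threshold, and a hypothetical event stream of (pid, path, timestamp, bytes-before, bytes-after) writes. For a linear scorer, each feature's contribution relative to a baseline is exactly its SHAP value, so the explainer step is exact here.

```python
import math
from collections import defaultdict

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n, counts = len(data), [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)

# Hypothetical linear scorer standing in for the paper's ML model. For a linear model,
# each feature's contribution w_i * (x_i - baseline_i) is exactly its SHAP value, so the
# per-alert explanation below is exact (constructed weights, not learned ones).
WEIGHTS = {"entropy_delta": 0.6, "writes_per_sec": 0.5}
BASELINE = {"entropy_delta": 0.0, "writes_per_sec": 1.0}
ALERT_THRESHOLD, WINDOW_S = 3.0, 1.0

class EntropyMonitor:
    """Consumes file-write events, keeps a causal log, and explains every score."""
    def __init__(self):
        self.recent = defaultdict(list)   # pid -> timestamps of writes in the window
        self.causal_log = []              # one record per event, alert or not

    def observe(self, pid: int, path: str, ts: float, before: bytes, after: bytes):
        times = [t for t in self.recent[pid] if ts - t <= WINDOW_S] + [ts]
        self.recent[pid] = times
        features = {
            "entropy_delta": shannon_entropy(after) - shannon_entropy(before),
            "writes_per_sec": len(times) / WINDOW_S,
        }
        contrib = {k: WEIGHTS[k] * (features[k] - BASELINE[k]) for k in WEIGHTS}
        score = sum(contrib.values())
        record = {"pid": pid, "path": path, "ts": ts, "features": features,
                  "score": round(score, 3), "alert": score > ALERT_THRESHOLD,
                  "explanation": sorted(contrib.items(), key=lambda kv: -abs(kv[1]))}
        self.causal_log.append(record)
        return record

def demo():
    """Constructed events: pid 4242 rewrites files as uniform bytes; pid 77 appends to one."""
    text = b"0123456789abcdef" * 32          # 16 symbols, entropy exactly 4.0 bits
    scrambled = bytes(range(256)) * 4        # 256 symbols, entropy exactly 8.0 bits
    mon = EntropyMonitor()
    alerts = [mon.observe(4242, f"/home/u/docs/f{i}.txt", 100.0 + i * 0.1, text, scrambled)["alert"]
              for i in range(6)]            # six rewrites inside half a second
    benign = mon.observe(77, "/home/u/notes.txt", 100.0, text, text + b"\n")["alert"]
    return alerts, benign, mon.causal_log
```

The first two rewrites by pid 4242 stay below the threshold; the third alerts once the write rate adds to the entropy jump, and each log record carries the ranked feature contributions an analyst would read as the "why".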
Conclusion
The paper traces the history of ransomware detection, a costly and desperate game. We have moved past the old signature-based approaches to smarter and more accurate machine learning approaches. But our research indicates that one consequence of the pursuit of accuracy is that it has opened an accountability gap. Current systems are black boxes that cannot easily be trusted for forensic analysis: their behavior is opaque, and this is the biggest issue in legal and critical circumstances. We demonstrate by multi-table analysis (Tables 01-05) that the community is split between simple and understandable but insufficiently accurate models and accurate but hard-to-understand models. We call this issue the Forensic V-Shape, and it is the greatest issue in the present condition of the cybersecurity field. The proposed system resolves it. Drawing on numerous studies, we suggest a system that is both accurate and accountable, built from a lightweight, real-time entropy-based detection engine and existing explainable AI tools such as SHAP and LIME. It does not only raise an alarm but also justifies it to security operators in a form they can rely on and even present in court. Detecting malware and describing what it did are part of a vital shift from merely detecting malware to providing security intelligence that is credible, actionable, and defensible.