Ransomware Detection on Windows Using File System Activity Monitoring and a Hybrid Isolation Forest-XGBoost Model
Abstract
Ransomware has become one of the most prevalent and dangerous cybersecurity threats, capable of encrypting critical files and demanding ransom payments within minutes of infection. A novel hybrid detection system is proposed that combines Isolation Forest for anomaly detection with XGBoost for classification, addressing the limitations of traditional signature-based approaches and enhancing early-stage detection capabilities. The system continuously monitors file system activities, extracts features indicative of ransomware behavior, and processes them through a machine learning pipeline designed to identify both known and novel ransomware variants in real time. Experimental evaluation demonstrates that the system achieves high accuracy in detecting ransomware with minimal false positives and low detection latency, making it suitable for deployment in enterprise environments where rapid response is critical. The ability to handle large volumes of file system data while maintaining precision and adaptability highlights the system's scalability and robustness in combating evolving ransomware threats. This research significantly contributes to the field of cybersecurity, offering a practical and efficient approach for protecting Windows-based systems from ransomware attacks.
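The feature-extraction stage the abstract describes, as an added illustration that is not the paper's code: constructed Windows file-system events are aggregated per process and time window into the kind of per-window features (write burst size, renames that change the extension, high-entropy writes, directories touched) that the Isolation Forest and XGBoost stages would consume. The event format, the 5-second window, the entropy threshold and the feature set are assumptions; the two model stages themselves are not reproduced here.

```python
import math
import random
from collections import defaultdict

# Constructed file-system event log (not real telemetry): timestamp in seconds,
# acting pid, operation, path, new path for renames, bytes written for writes.
def _ev(ts, pid, op, path, new_path=None, data=None):
    return {"ts": ts, "pid": pid, "op": op, "path": path, "new_path": new_path, "data": data}
DOCS, PICS = r"C:\Users\alice\Documents", r"C:\Users\alice\Pictures"
EVENTS = [  # pid 101: an editor saving plaintext into a single folder
    _ev(0.5, 101, "write", DOCS + r"\notes.txt", data=b"Meeting notes: review Q3 budget and hiring plan."),
]
_rng = random.Random(7)  # seeded so the constructed "ciphertext" is reproducible
for i, folder in enumerate([DOCS, DOCS, DOCS, PICS, PICS]):  # pid 202: encrypt-then-rename burst
    src = folder + ("\\doc%d.docx" % i if folder == DOCS else "\\img%d.jpg" % i)
    blob = _rng.getrandbits(8 * 4096).to_bytes(4096, "big")  # random bytes stand in for ciphertext
    EVENTS.append(_ev(2.0 + 0.1 * i, 202, "write", src, data=blob))
    EVENTS.append(_ev(2.05 + 0.1 * i, 202, "rename", src, new_path=src + ".locked"))

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: documents sit well below the near-8.0 of encrypted output."""
    if not data:
        return 0.0
    n, counts = len(data), [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def _ext(path):
    name = path.rsplit("\\", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""
FEATURE_NAMES = ["writes", "renames", "ext_changes", "high_entropy_writes", "mean_entropy", "distinct_dirs"]
def extract_features(events, window_s=5.0, entropy_threshold=7.0):
    """Aggregate events per (pid, window) into a fixed-order feature vector for the model stages."""
    acc = defaultdict(lambda: {"writes": 0, "renames": 0, "ext_changes": 0,
                               "high_entropy_writes": 0, "entropy_sum": 0.0, "dirs": set()})
    for e in events:
        w = acc[(e["pid"], int(e["ts"] // window_s))]
        w["dirs"].add(e["path"].rsplit("\\", 1)[0])  # directories touched in the window
        if e["op"] == "write":
            ent = shannon_entropy(e["data"] or b"")
            w["writes"] += 1
            w["entropy_sum"] += ent
            w["high_entropy_writes"] += ent >= entropy_threshold
        elif e["op"] == "rename":
            w["renames"] += 1
            w["ext_changes"] += _ext(e["path"]) != _ext(e["new_path"])
    return {key: dict(zip(FEATURE_NAMES, [w["writes"], w["renames"], w["ext_changes"], w["high_entropy_writes"],
                 round(w["entropy_sum"] / w["writes"], 3) if w["writes"] else 0.0, len(w["dirs"])]))
            for key, w in acc.items()}
```

Each `(pid, window)` key maps to one feature row; in the constructed log the pid 202 window stands out on every feature while the editor's window stays near zero, which is the separation the downstream anomaly detector and classifier rely on.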