Ransomware Detection on Windows Using File System Activity Patterns and Hybrid Machine Learning: An XGBoost and Isolation Forest Approach
Abstract
Among the many cyber threats in circulation, ransomware remains one of the most destructive and pervasive forms of cybercrime, causing significant financial and operational damage to individuals and organisations alike. Detecting ransomware through its file system activity offers a novel and effective alternative to signature matching: patterns in file operations allow both known and zero-day ransomware variants to be identified. A hybrid machine learning framework was developed that combines XGBoost for classification with Isolation Forest for anomaly detection, improving both the accuracy and the flexibility of detection. The system was evaluated on real-world data and distinguished ransomware from benign software with high accuracy, while the anomaly detection component gave it the additional ability to flag previously unseen ransomware. Using file system activity as the feature set, together with the hybrid model, yields an adaptable and scalable approach to ransomware detection that improves substantially on traditional signature-based methods. The findings demonstrate the practical relevance of the proposed model for strengthening cybersecurity defences in real-time environments.
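The abstract names the architecture but not its ingredients: which file operations become features, how the supervised and anomaly models are trained, and how their outputs are combined. The script below is an added illustration written for this page, not the paper's code or data. It summarises one process's file events over a window into a feature vector (rename count, extension changes, write count, delete count, distinct directories touched, mean entropy of written data), trains a supervised rule on labelled windows and an Isolation Forest on benign windows only, and raises an alarm when either fires. So that it runs offline, the Isolation Forest is written out directly (the Liu et al. 2008 algorithm) and a single decision stump stands in for XGBoost; the event streams, feature names, value ranges and the 1% threshold are all constructed assumptions, and the abstract does not say which features the paper actually used.

```python
"""Hybrid ransomware detector over per-process file-system activity windows: an added, constructed
illustration (not the paper's code), with a minimal Isolation Forest and a decision stump standing in for XGBoost."""
import math, os, random
from collections import Counter

FEATURES = ("renames", "ext_changes", "writes", "deletes", "dirs", "entropy")

def shannon_entropy(data: bytes) -> float:
    """Bits per byte of a written buffer; ~8.0 means encrypted or compressed content."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def extract_features(events):
    """Events of one process in a window (constructed shape: op/path/new_path/data) -> FEATURES vector."""
    f, dirs, ent = dict.fromkeys(FEATURES, 0.0), set(), []
    for e in events:
        dirs.add(os.path.dirname(e["path"]))
        if e["op"] == "write":
            f["writes"] += 1
            ent.append(shannon_entropy(e.get("data", b"")))
        elif e["op"] == "rename":                             # e.g. report.docx -> report.docx.locked
            f["renames"] += 1
            f["ext_changes"] += int(os.path.splitext(e["path"])[1] != os.path.splitext(e["new_path"])[1])
        elif e["op"] == "delete":
            f["deletes"] += 1
    f["dirs"], f["entropy"] = len(dirs), (sum(ent) / len(ent) if ent else 0.0)
    return [f[k] for k in FEATURES]

def _c(n):  # mean path of an unsuccessful BST search (Liu et al. 2008); normalises tree depths
    return float(n > 1) if n <= 2 else 2 * (math.log(n - 1) + 0.5772156649) - 2 * (n - 1) / n

def _grow(rows, depth, limit, rng):
    """One isolation tree: random non-constant feature, random split point inside its range."""
    if depth >= limit or len(rows) <= 1:
        return ("leaf", len(rows))
    ranges = [(min(r[i] for r in rows), max(r[i] for r in rows)) for i in range(len(FEATURES))]
    usable = [i for i, (lo, hi) in enumerate(ranges) if lo < hi]
    if not usable:
        return ("leaf", len(rows))
    i = rng.choice(usable)
    q = rng.uniform(*ranges[i])
    return (i, q, _grow([r for r in rows if r[i] < q], depth + 1, limit, rng),
            _grow([r for r in rows if r[i] >= q], depth + 1, limit, rng))

def _path_len(tree, row, depth=0):
    if tree[0] == "leaf":
        return depth + _c(tree[1])
    i, q, left, right = tree
    return _path_len(left if row[i] < q else right, row, depth + 1)

class IsolationForest:  # fitted on benign windows only; a short mean path = easy to isolate = anomalous
    def __init__(self, n_trees=100, seed=7):
        self.n_trees, self.rng = n_trees, random.Random(seed)
    def fit(self, rows):
        self.n, limit = len(rows), math.ceil(math.log2(len(rows)))
        self.trees = [_grow(rows, 0, limit, self.rng) for _ in range(self.n_trees)]
        return self
    def score(self, row):  # anomaly score in (0, 1); values near 1 lie far outside the benign data
        return 2 ** (-sum(_path_len(t, row) for t in self.trees) / self.n_trees / _c(self.n))

def train_stump(rows, labels):
    """Best single 'feature >= threshold' rule on labelled windows; a stand-in for XGBoost."""
    best = (0.0, 0, 0.0)                                       # (accuracy, feature, threshold)
    for i in range(len(FEATURES)):
        vals = sorted({r[i] for r in rows})
        for t in ((a + b) / 2 for a, b in zip(vals, vals[1:])):
            acc = sum((r[i] >= t) == bool(y) for r, y in zip(rows, labels)) / len(rows)
            if acc > best[0]:
                best = (acc, i, t)
    return best[1], best[2]

def hybrid_verdict(row, stump, forest, threshold):
    """Alarm if the supervised rule fires OR the window is anomalous relative to benign activity."""
    classifier, anomaly = row[stump[0]] >= stump[1], forest.score(row) >= threshold
    return {"classifier": classifier, "anomaly": anomaly, "ransomware": classifier or anomaly}

# Constructed per-window feature ranges used to synthesise training data (not the paper's data).
BENIGN = {"renames": (0, 2), "ext_changes": (0, 0), "writes": (0, 16), "deletes": (0, 2), "dirs": (1, 3), "entropy": (3.0, 5.2)}
KNOWN = {"renames": (150, 300), "ext_changes": (150, 300), "writes": (150, 300), "deletes": (0, 5), "dirs": (20, 60), "entropy": (7.5, 8.0)}

def demo_events(rng):
    """Constructed windows: a text editor, and an in-place overwriter unlike the rename-heavy training families."""
    enc = bytes(rng.getrandbits(8) for _ in range(4096))       # stands in for ciphertext
    text = b"Quarterly figures, notes and to-do items for the team meeting.\n" * 16
    docs = "C:/Users/alice/Documents"
    editor = [{"op": "write", "path": f"{docs}/{'drafts/' if i > 5 else ''}n{i}.txt", "data": text} for i in range(8)]
    editor += [{"op": "rename", "path": f"{docs}/n0.txt", "new_path": f"{docs}/minutes.txt"},
               {"op": "delete", "path": f"{docs}/drafts/n7.txt"}]
    wiper = [{"op": "write", "path": f"C:/Users/alice/Pictures/a{i % 40}/p{i}.jpg", "data": enc} for i in range(240)]
    return {"editor": editor, "wiper": wiper}

def run(seed=7):
    rng = random.Random(seed)
    benign = [[rng.uniform(*BENIGN[k]) for k in FEATURES] for _ in range(200)]
    ransom = [[rng.uniform(*KNOWN[k]) for k in FEATURES] for _ in range(40)]
    stump = train_stump(benign + ransom, [0] * len(benign) + [1] * len(ransom))
    forest = IsolationForest(seed=seed).fit(benign)             # the anomaly model never sees ransomware
    scores = sorted(forest.score(r) for r in benign)
    threshold = scores[int(0.99 * len(scores))]                 # ~1% false-positive budget on benign
    windows = {"known": ransom[0], **{k: extract_features(v) for k, v in demo_events(rng).items()}}
    return {name: hybrid_verdict(row, stump, forest, threshold) for name, row in windows.items()}
```

Calling `run()` returns one verdict per window: the editor is left alone, the known-style window trips the supervised rule, and the in-place overwriter (no renames, no extension changes, so the stump trained on rename-heavy families misses it) is caught only because it is isolated far faster than any benign window. Two design points carry over to a real deployment. The anomaly model is fitted on benign activity alone, so its threshold is set directly as a false-positive budget on benign windows rather than tuned against known samples, which is what gives the hybrid its claim on unseen variants. The flip side is that any legitimately heavy, high-entropy writer (a backup agent writing compressed archives, a compiler, a video encoder) will score as anomalous under these constructed ranges, so benign baselines have to be collected per host role, and the stump here is deliberately weaker than a boosted model that would also weigh write volume and entropy.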