Reducing False Negatives in Ransomware Detection: A Critical Evaluation of Machine Learning Algorithms

Robert Bold, Haider Al-Khateeb, Nikolaos Ersotelos

Research output: Contribution to journalArticlepeer-review


Technological achievement and cybercriminal methodology are two parallel growing paths; protocols such as Tor and i2p (designed to offer confidentiality and anonymity) are being utilised to run ransomware companies operating under a Ransomware as a Service (RaaS) model. RaaS enables criminals with a limited technical ability to launch ransomware attacks. Several recent high-profile cases, such as the Colonial Pipeline attack and JBS Foods, involved forcing companies to pay enormous amounts of ransom money, indicating the difficulty for organisations of recovering from these attacks using traditional means, such as restoring backup systems. Hence, this is the benefit of intelligent early ransomware detection and eradication. This study offers a critical review of the literature on how we can use state-of-the-art machine learning (ML) models to detect ransomware. However, the results uncovered a tendency of previous works to report precision while overlooking the importance of other values in the confusion matrices, such as false negatives. Therefore, we also contribute a critical evaluation of ML models using a dataset of 730 malware and 735 benign samples to evaluate their suitability to mitigate ransomware at different stages of a detection system architecture and what that means in terms of cost. For example, the results have shown that an Artificial Neural Network (ANN) model will be the most suitable as it achieves the highest precision of 98.65%, a Youden’s index of 0.94, and a net benefit of 76.27%, however, the Random Forest model (lower precision of 92.73%) offered the benefit of having the lowest false-negative rate (0.00%). The risk of a false negative in this type of system is comparable to the unpredictable but typically large cost of ransomware infection, in comparison with the more predictable cost of the resources needed to filter false positives.
Original languageEnglish
Article number12941
Number of pages22
JournalApplied Sciences
Issue number24
Early online date16 Dec 2022
Publication statusPublished - Dec 2022

Bibliographical note

© 2022 by the authors. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (


  • artificial intelligence
  • incident response
  • cyber kill chain
  • destructive malware


Dive into the research topics of 'Reducing False Negatives in Ransomware Detection: A Critical Evaluation of Machine Learning Algorithms'. Together they form a unique fingerprint.

Cite this