Problem statement
Ransomware attacks pose a severe threat to organizations by exploiting security weaknesses and frequently cause substantial financial and data loss. Efficient and accurate predictive models are therefore needed to detect and prevent such attacks in real-time cybersecurity applications.
Methodology
This paper uses the UGRansome dataset, a large-scale benchmark for ransomware and zero-day attack detection. The F-measure method is applied for feature selection to remove redundant attributes and keep the model interpretable, and Recursive Feature Elimination (RFE) then ranks the retained features to identify the most important predictors. A Histogram Gradient Boosting Classifier (HGBC) is tuned with three metaheuristic optimizers. A sensitivity analysis based on SHapley Additive exPlanations (SHAP) values gives transparent, explainable insight into the effect of each feature on the model output. Finally, the Wilcoxon test is applied to confirm that the performance gain is statistically significant, and K-fold cross-validation checks the robustness and generalizability of the reported models.
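The significance check named above is, for fold-wise scores of two models evaluated on the same K folds, a paired Wilcoxon signed-rank test. The block below is an added example, not code from the paper: it implements that test from scratch on constructed 10-fold accuracies for a baseline and a tuned classifier. The fold values, the variable names and the choice of the signed-rank variant (the paper says only "Wilcoxon ranking test") are assumptions.

```python
import math
from collections import Counter

# Constructed per-fold accuracies for a baseline HGBC and a metaheuristic-tuned
# HGBC over the same 10 stratified folds (assumed values, not the paper's results).
BASELINE_FOLDS = [0.912, 0.918, 0.905, 0.921, 0.909, 0.915, 0.911, 0.917, 0.908, 0.913]
TUNED_FOLDS = [0.931, 0.929, 0.922, 0.933, 0.925, 0.928, 0.930, 0.927, 0.924, 0.932]


def _average_ranks(values):
    """Rank values from 1..n, giving tied values the mean of their positions."""
    order = sorted(range(len(values)), key=lambda i: values[i])
    ranks = [0.0] * len(values)
    i = 0
    while i < len(order):
        j = i
        while j + 1 < len(order) and values[order[j + 1]] == values[order[i]]:
            j += 1
        mean_rank = (i + 1 + j + 1) / 2.0
        for k in range(i, j + 1):
            ranks[order[k]] = mean_rank
        i = j + 1
    return ranks


def wilcoxon_signed_rank(tuned, baseline):
    """Paired Wilcoxon signed-rank test on fold-wise scores.

    Returns W+, W-, the number of non-zero differences, the normal-approximation
    z statistic (tie-corrected variance, no continuity correction) and the
    two-sided p-value. Differences are rounded so equal gains tie exactly instead
    of being split apart by floating-point noise.
    """
    if len(tuned) != len(baseline):
        raise ValueError("scores must be paired fold by fold")
    diffs = [round(a - b, 9) for a, b in zip(tuned, baseline)]
    diffs = [d for d in diffs if d != 0.0]           # zero differences are dropped
    n = len(diffs)
    if n == 0:
        raise ValueError("all fold scores are identical; nothing to test")
    abs_diffs = [abs(d) for d in diffs]
    ranks = _average_ranks(abs_diffs)
    w_plus = sum(r for r, d in zip(ranks, diffs) if d > 0)
    w_minus = sum(r for r, d in zip(ranks, diffs) if d < 0)
    t_stat = min(w_plus, w_minus)
    mean_t = n * (n + 1) / 4.0
    tie_term = sum(c ** 3 - c for c in Counter(abs_diffs).values())
    var_t = n * (n + 1) * (2 * n + 1) / 24.0 - tie_term / 48.0
    z = (t_stat - mean_t) / math.sqrt(var_t)
    p_value = math.erfc(abs(z) / math.sqrt(2.0))    # two-sided tail probability
    return {"w_plus": w_plus, "w_minus": w_minus, "n": n, "z": z, "p_value": p_value}


def gain_is_significant(tuned, baseline, alpha=0.05):
    """True when the tuned model's fold-wise gain is positive and significant at alpha."""
    result = wilcoxon_signed_rank(tuned, baseline)
    return result["p_value"] < alpha and result["w_plus"] > result["w_minus"]


if __name__ == "__main__":
    res = wilcoxon_signed_rank(TUNED_FOLDS, BASELINE_FOLDS)
    print(f"W+={res['w_plus']:.1f} W-={res['w_minus']:.1f} n={res['n']} "
          f"z={res['z']:.3f} p={res['p_value']:.4f}")
```

Ties among the gains receive average ranks and the usual variance correction. The normal approximation is loose below roughly ten non-zero differences, so for 5-fold runs an exact table for the T statistic should be used instead; the test also says nothing about the size of the gain, which is why the fold-wise mean and spread should be reported alongside the p-value.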
Results
The proposed hybrid models show significant gains in prediction accuracy, precision, and recall. The feature importance analysis indicates that economic features (the ransom amount) and network-behavioral features contribute comparably to correct ransomware identification.
Contributions
This work presents and evaluates a robust, scalable model for ransomware forecasting that lets organizations anticipate threats and strengthen their overall cybersecurity posture. Combining feature selection with nature-inspired optimization yields more accurate models while preserving interpretability and efficiency. The method transfers directly to real-world settings, including cloud security, zero-day attack detection, and large-scale automated threat scanning in changing cybersecurity environments.
Introduction
Problem statement
Ransomware is an increasingly sophisticated class of malware that encrypts a victim's files and demands a monetary ransom to restore access. The first ransomware appeared in 1989 with the release of the “AIDS Trojan.” Its danger has grown significantly in recent years as the number of variants and the pool of potential targets have both expanded. The availability of anonymous online payment systems has also made it easier for perpetrators to profit, making ransomware a highly lucrative form of cybercrime. Traditional antivirus tools, which rely on signature-based detection, are becoming less effective as attackers use advanced packing and obfuscation to evade detection. Ransomware-as-a-service (RaaS) platforms have further lowered the barrier to entry, allowing even actors without technical skills to launch attacks. According to Coveware, the average ransom payment increased by 33% from Q4 2019 to Q1 2020, reaching approximately USD 111,605 per incident. Modern ransomware also exploits multi-core Central Processing Unit (CPU) technologies and parallel computing to accelerate encryption, making attacks faster and more damaging. Because outdated detection methods are no longer sufficient, there is an urgent need to enhance or develop approaches that identify the features most critical to timely and accurate ransomware detection [1].
Ransomware attacks surged during the COVID-19 pandemic with the rise of work-from-home (WFH) arrangements and the growing reliance on digital infrastructure. High-profile incidents such as the Colonial Pipeline and JBS meat processor attacks broadened the threat landscape and elevated ransomware to a national security issue. Ransomware, first theorized in the 1990s, has evolved into two major types: crypto-ransomware, which encrypts files, and locker-ransomware, which disables system access. As attackers develop more sophisticated and evasive tactics, defenders are challenged to keep pace [2].
A recent survey of senior executives found that 46% of small firms have experienced a ransomware attack [3]. Nearly three-quarters (73%) of the businesses that were attacked paid a ransom; 13% of small firms paid more than $100,000, and 43% paid between $10,000 and $50,000. Even so, 17% of those who paid recovered only part of their data. At the same time, companies are increasingly adopting cloud computing to streamline business processes: approximately 68% of firms currently use cloud computing, and a further 19% plan to do so [4]. According to the 2020 Trustwave Global Security Report [5], the number of attacks against cloud services more than quadrupled in 2019, in step with businesses shifting more of their activities to the cloud. Ransomware protection in cloud and virtualized systems is therefore crucial as cloud adoption grows [6].
Rule-based systems and signature-based methods are insufficient for detecting ransomware due to its constantly evolving nature. The requirement for frequent signature and policy updates to keep pace with new versions can delay response, thus exposing systems to new threats. Traditional methods for the detection of ransomware attacks [7] are lacking, primarily due to the encrypted nature of cloud data, which makes it difficult to access and analyze. The growing number and severity of ransomware attacks in cloud environments were the main drivers of this research. Since traditional detection methods are identified as ineffective [8, 9] with the ongoing development of ransomware variants, it is crucial to investigate new methods for detecting ransomware attacks within this encrypted environment, as the encryption of cloud data further complicates detection [10].
A significant and groundbreaking contribution has been made through the utilization of transfer learning in the field of ransomware detection. The use of transfer learning helps to maximize the accuracy of ransomware detection, especially in situations where there is limited labeled data [11, 12]. In addition, a great advancement has been made through the establishment of a deep learning (DL) ensemble framework focused on the detection of ransomware [13, 14]. The ensemble setup enhances detection robustness and performance by combining different features from different deep learning models. This new strategy has potential for supporting the construction of more effective real-time systems for ransomware detection [15]. Additionally, the use of Machine Learning (ML) techniques, specifically classification methods, can enhance security by enabling the automatic detection of malware, such as ransomware, through its dynamic behavioral patterns [16, 17]. To assist in the classification and detection of ransomware, Decision Tree (DT), Random Forest (RF), Naive Bayes (NB), and Logistic Regression (LR) algorithms have been found effective [18].
Related works
Researchers have provided insight into the status of ransomware threats and organizational responses using traditional survey and analysis methodologies. Malik et al. [19] reviewed the evolving tactics, techniques, and procedures (TTPs) employed in the ransomware arena, pointed out trends such as Ransomware-as-a-Service (RaaS) and double extortion, and emphasized the need for real-time cybersecurity and international collaboration. Warkentin et al. [20], surveying Canadian businesses, documented the experience of ransomware victims, in this case small businesses, and showed that nearly one-third had been victimized, with little difference in insurance, reporting, and police response across firm sizes, indicating the prevalence of the ransomware threat.
Current studies illustrate the increasing application of metaheuristic and nature-inspired hybrid algorithms for solving complexity in real-world prediction and classification issues across different disciplines. El-Sayed M. El-kenawy et al. [21], for instance, demonstrated how a modified grey wolf optimizer could enhance ensemble learning to forecast reference evapotranspiration daily with high accuracy in semi-arid conditions. Mizdrakovic et al. [22] combined variational mode decomposition and improved LSTM models, further described with Shapley values, to accurately forecast Bitcoin prices while illustrating how metaheuristic optimization enhances financial time series modeling.
Air quality prediction in urban zones increasingly relies on advanced machine learning techniques that provide evidence-based advice to inform environmental and public health policy. Zaki and Mahmood [23] demonstrated the performance of the K-Nearest Neighbors (KNN) model in analyzing and forecasting air quality in Delhi, India, using a large dataset spanning more than two years. Their results showed that KNN achieved remarkably low predictive error, with an MSE of just 0.0002, testifying to its ability to capture local trends in pollutants such as PM2.5, PM10, NO₂, SO₂, CO₂, and O₃. This application-based study is complemented by El-kenawy's review [24] of machine learning, deep learning, and IoT-based frameworks for urban air quality prediction. The review shows how combining heterogeneous data sources (meteorological data, pollutant concentrations, and satellite imagery) with advanced neural architectures and IoT-enabled sensors is transforming real-time monitoring and forecasting. Together, these works highlight the potential of machine learning methods such as KNN and hybrid AI platforms to support smart city initiatives and sustainable urban air quality management, despite ongoing challenges of data sparsity and computational scalability.
New developments in medical diagnosis employed metaheuristic optimization algorithms together with machine learning models to maximize the accuracy of disease classification across various disciplines [25, 26]. For instance, Bacanin et al. [27] applied an enhanced metaheuristic optimized deep Long Short-Term Memory network for Parkinson’s disease diagnosis, showing the benefits of certain metaheuristics for neurodegenerative disease diagnosis. Elshewey et al. [28] proposed a hybrid model where the Greylag Goose Optimization (GGO) algorithm is combined with Long Short-Term Memory (LSTM) networks for heart disease classification with 99.58% accuracy in optimizing feature extraction and hyperparameters. Similarly, Tarek et al. [29] advanced a novel cardiovascular disease diagnosis model using Snake Optimization (SO) blended with five machine learning algorithms with a resultant accuracy of 99.9%. In EEG signal classification, Elshewey et al. [30] advanced a Modified Al-Biruni Earth Radius (MBER) algorithm to enhance eye state classification accuracy to 96.12% using K-Nearest Neighbors (KNN) as a fitness function. Furthermore, Elshewey and Osman [31] applied binary breadth-first search (BBFS) feature selection in orthopedic disease classification, combined with Random Forest (RF), and attained a 99.41% accuracy rate. Another critical healthcare application was demonstrated by El-Rashidy et al. [32], who employed a PSO-optimized multitask multilayer LSTM network to predict mechanical ventilation and mortality in ICU patients with high precision and recall. These studies demonstrate the significant role played by combining nature-inspired optimization methods with deep learning and machine learning classifiers for improved diagnostic performance and making robust platforms for early disease detection and prediction.
With a specific focus on ransomware detection, several studies have leveraged ML and hybrid AI techniques for improved detection, classification, and ransomware threat prevention. For instance, Wa Nkongolo [33] introduced a novel approach for detecting and analyzing ransomware within the cryptocurrency ecosystem by developing unique features that capture transaction behavior, ransom characteristics, and financial impacts. Using the UGRansome dataset, the study proposed the Ransomware Feature Selection Algorithm (RFSA), which leverages Gini Impurity and Mutual Information to identify key features distinguishing ransomware transactions in Bitcoin (BTC) and USD. Results showed that longer attack durations correlated with greater financial gains. The RFSA achieved strong performance metrics: 95% MI score, 93% accuracy, 92% recall, and 89% precision, outperforming existing methods and emphasizing the need for adaptive strategies in response to the evolving ransomware threat landscape. Davies et al. [34] proposed a new method for ransomware detection, which proved effective in identifying encrypted files regardless of the ransomware family being used. The method was created using a large dataset of more than 130,000 files that included modern Microsoft file types as well as samples of real ransomware attacks, including WannaCry, Ryuk, and Phobos. The main challenge for them was to differentiate between compressed and encrypted files since both of them have high Shannon entropy values. The approach they devised takes advantage of a unique property of entropy present in the header parts of the encrypted files and makes a comparison possible with profiles created randomly. The classifier had a remarkable accuracy rate of 99.96% in classifying files as either encrypted or not, using only the first 192 bytes, successfully distinguishing ransomware-encrypted files from other types of files with high entropy.
Gurukala and Verma [35] proposed a ransomware detection framework based on machine learning to overcome the limitations of traditional detection techniques in dealing with the evolution of ransomware variants. The authors’ approach uses ensemble classifiers in conjunction with Particle Swarm Optimization (PSO) as a feature selection technique to increase accuracy while reducing false positives and false negatives. Two ensemble models were developed: a combined Random Forest (RF) and Support Vector Machine (SVM), and a combined Decision Tree (DT) and K-Nearest Neighbors (KNN). PSO was applied to select and rank the most relevant features for the two ensemble models. The results from the experiments were that the application of Particle Swarm Optimization (PSO) in feature selection significantly improved detection abilities. Specifically, the DT-KNN ensemble had an accuracy rate of 98.38% when using PSO, better than the performance of individual classifiers and setups without feature selection, thus highlighting the effectiveness of the proposed approach in improving ransomware classification. Mowri et al. [36] studied the effect of feature selection in the improvement of ransomware classification through the study of API calls and network-related features. Although previous studies had shown positive results without the addition of feature selection, this study focused on the benefits of using Recursive Feature Elimination with Cross-Validation (RFECV). Through the evaluation of the performance of different supervised machine learning algorithms with and without RFECV, the authors confirmed that feature selection helps avoid overfitting, enhances the accuracy of models, and reduces training time. The findings provide important information on the effectiveness of RFECV in optimizing ransomware classification models and guiding further research in the field.
Fernando and Komninos [37] presented a feature selection model called FeSA to improve the trustworthiness of machine learning classifiers in environments subject to concept drift, that is, unexpected changes over time in the underlying relationship the model predicts. Unlike standard practice, FeSA does not depend on the chosen classification model and aims to discover feature subsets that yield high detection rates, specifically for ransomware. The study compared FeSA with other nature-inspired algorithms such as genetic search, evolutionary search, harmony search, best-first search, and greedy stepwise selection. The results showed that FeSA suffered the smallest performance drop under concept drift and consistently reported the highest ransomware detection rates. It also yielded competitive recall, precision, and false positive rates, marking FeSA as an effective and robust feature selection technique for dynamically changing cybersecurity domains. Li et al. [38] conducted a comprehensive comparison of feature selection and feature extraction techniques for IoT network intrusion detection using machine learning models. Using the heterogeneous TON-IoT dataset, the study evaluated both binary and multiclass classification tasks, analyzing accuracy, F1-score, and runtime. Results showed that feature extraction offered better detection performance and robustness to changes in the number of features, while feature selection reduced model training and inference time. Feature selection also presented more potential for accuracy improvement when varying the number of features. The study offers actionable guidance on choosing a feature reduction method for different Internet of Things (IoT) intrusion detection scenarios, filling a gap in earlier evaluations based on the TON-IoT dataset.
Salem et al. [39] performed an extensive review of more than sixty recent studies evaluating the effectiveness of artificial intelligence (AI), particularly machine learning (ML), deep learning (DL), and metaheuristic algorithms, in identifying and preventing different types of cyberattacks, i.e., malware, network intrusions, and spam. The findings reveal that combining machine learning and deep learning with metaheuristic approaches significantly enhances detection precision and responsiveness. Through comparative study, the research established the pros and cons of current models and highlighted the need for smart, adaptive systems that can evolve with emerging threats. In addition, the article proposes a systematic approach to evaluating AI-based systems for cyber threat detection and emphasizes regular updates to keep pace with the changing nature of cyber threats.
Nkongolo and Tokmak [40] presented a framework for ransomware identification and classification that uses a Stacked Autoencoder (SAE) for feature selection and a Long Short-Term Memory (LSTM) network for classification. Based on the UGRansome dataset, the study involved extensive preprocessing and applied the SAE in both unsupervised and supervised modes to improve feature extraction. The refined features greatly enhanced the LSTM's ability to distinguish between ransomware families and other types of malware. A series of experiments, including learning rate optimization and training for more than 400 epochs, produced a highly efficient model. The SAE-LSTM model reached a classification accuracy of 99%, outperforming the XGBoost algorithm, and attained 98% accuracy in signature-based attack detection, highlighting its efficacy and generalization across malware categories. Li et al. [41] presented a hybrid model for ransomware detection that combines deep learning methods with Monte Carlo Tree Search (MCTS) to meet the increasing complexity of ransomware attacks. MCTS enabled dynamic decision-making by exploring different detection strategies, allowing the system to learn and respond to emerging threats in real time. Compared to traditional machine learning methods, this model significantly enhanced detection accuracy and reduced false positives while maintaining computational efficiency suitable for real-time commercial applications. The framework showed strong potential as an effective and scalable response to the evolution of ransomware threats.
Alohali et al. [42] proposed the Sine Cosine Algorithm with a deep learning framework, SCADL-RWDC, to detect and classify ransomware in Internet of Things (IoT) environments. The framework addresses the growing difficulty posed by botnet-based malware and its variants Bashlite, Mirai, and Persirai. SCADL-RWDC applies the Sine Cosine Algorithm (SCA) for feature selection to improve detection, supplemented by a hybrid Grey Wolf Optimizer (HGWO) paired with a Gated Recurrent Unit (GRU) model for classification. Designed for the adaptive and dynamic nature of IoT ransomware, SCADL-RWDC underwent extensive testing and outperformed contemporary models on the detection and classification tasks. Alzakari et al. [34] presented the MHARNN-EGTOCRD method for detecting and classifying ransomware attacks in IoT networks. This method combines several techniques in a unified framework: min-max normalization for data preprocessing, dung beetle optimization (DBO) for selecting relevant features, and a Multi-Head Attention-based Long Short-Term Memory (MHA-LSTM) network for detection. The Enhanced Gorilla Troops Optimization (EGTO) algorithm tunes the hyperparameters of the MHA-LSTM. Empirical assessment on a ransomware detection dataset showed superior performance, with an accuracy of 98.53%, confirming its advantage over current detection methods.
Research gaps
Research related to ransomware identification and mitigation has progressed significantly; however, several gaps remain for future research.
A key shortcoming is a lack of generalizability across several categories of cyber attacks. Many of the current methods primarily focus on detecting specific versions of ransomware or rely on known characteristics, thus limiting their effectiveness at detecting new or mutating versions of ransomware. The development of models that can generalize over a broad range of ransomware types, both emerging and previously unknown ones, is of utmost significance. Such an improvement would be a huge leap forward in the development of detection systems that can remain effective with the constant evolution of attack techniques.
Another major shortcoming is limited adaptability in the face of evolving ransomware techniques. Ransomware techniques continuously evolve, and many current detection methods rely on static models and pre-determined sets of features. As ransomware evolves, detection models lose effectiveness if they cannot adapt accordingly. Future research should focus on frameworks that learn continuously from newly developing attack techniques, mitigating the risk from concept drift and enabling responses to new threats as they arise.
The combination of multiple data sources is an area that requires further research. Previous research has mainly focused on individual data sources, which include, but are not limited to, network activity, file system actions, and financial transaction patterns. However, there is a critical need for an end-to-end framework that combines heterogeneous data sources, such as network activity, file metadata, cryptocurrency transactions, and external threat feeds. Such integration has the potential to provide a more complete picture of ransomware activities while, at the same time, enhancing detection accuracy.
The issues related to scalability and real-time detection capability are significant. While many detection approaches can attain high accuracy levels, they often have high computational costs, which degrade their scalability and effectiveness in real-time use, particularly in large or very complex environments. Therefore, there is a need for detection methods that exhibit high efficiency, which can balance performance and resource consumption, thus allowing for seamless operation in large-scale systems while meeting the demands of real-time detection.
Handling imbalanced datasets remains a key challenge in the field. Datasets used for ransomware detection often have a high level of imbalance, where there is a much higher number of benign files compared to ransomware samples, which in turn leads to the creation of biased models. This kind of imbalance can adversely affect the overall effectiveness of detection systems. Future research efforts should be focused on the investigation of methods to alleviate class imbalance, such as synthetic data generation, advanced class balancing techniques, or methods that can neutralize the imbalance without sacrificing detection accuracy.
Finally, the evaluation of IoT and critical infrastructure environments is a comparatively overlooked field. While many studies focus on smaller-scale environments, research focusing on detecting ransomware in critical infrastructure environments in which the consequences are much more severe is necessary. It is important to come up with tailored detection methods for these environments, which face different challenges and security requirements, to strengthen resilience in high-risk sectors. More in-depth, context-specific approaches are urgently needed to ensure effective ransomware prevention in these environments.
Objectives and novelties
The main objective of this work is to design an accurate and interpretable machine learning system for ransomware detection, combining state-of-the-art feature selection, interpretability, and metaheuristic optimization. The novelties and contributions of the present study are emphasized below:
Integrated Feature Selection and Ranking: This paper employs the F-measure method for feature selection (reducing computational complexity to reach generalizable and straightforward prediction models) and Recursive Feature Elimination (RFE) to rank the most significant features.
Interpretable Sensitivity Analysis with SHAP: For preserving transparency and interpretability, in this research, a robust sensitivity analysis of the ranked features is performed by SHapley Additive exPlanations (SHAP) values. This ensures the identification of how an individual feature impacts the model predictions independently, solving the critical requirement of explainable AI in cybersecurity.
Construction of Hybrid Optimized HGBC Models: In this work, three new hybrid models are presented by combining the Histogram Gradient Boosting Classifier (HGBC) with three effective metaheuristic optimizers. These optimizers are used to optimize the parameters of the HGBC in order to improve accuracy and convergence.
Data compilation and analysis
Dataset source and description
The dataset compiled for this study is the UGRansome dataset, an open-access dataset from Kaggle [43], a cybersecurity benchmark specifically designed for detecting and analyzing ransomware incidents and zero-day cyberattacks. This dataset has been widely adopted in academic and industry research for tasks such as anomaly detection, ransomware family classification, and the identification of previously unseen (zero-day) threats [44–48]. Before use in this study, the raw UGRansome data were deduplicated to remove redundant events and transformed to ensure consistency between feature formats; the final sample size of the utilized dataset was 149,043.
Key features and correlation
The UGRansome dataset used in this study includes features describing the network, transactional, and behavioral aspects of ransomware attacks. These features serve as the input variables for predictive modeling and are important for understanding attack patterns and improving classification performance. Each feature is described below, as shown in Fig. 1:
Protocol: Specifies the specific type of communication protocol, for example, TCP or UDP, utilized within the network flow. Some protocols can have an increased vulnerability to exploitation or can be associated with specific types of ransomware activity. This property makes it easier to analyze attack vectors.
Flag: Refers to control signals used in packet transmission, which indicate the status or purpose of network communications. These metrics can also point out unusual behavior, such as SYN floods or unauthorized resets.
Clusters: A cluster identifier produced by a clustering algorithm that groups records with similar properties. Clusters group similar types of ransomware attacks, which improves models intended for class-specific predictions.
Seed Address: Denotes the cryptographic seed used to generate cryptocurrency wallets for ransom payments. Repeated or linked seed addresses can reveal organized or recurring attack campaigns.
Exploited Address (Exp Address): Refers to the specific place or terminus of the system that was compromised during the occurrence. This helps identify systems or users that are targeted repeatedly.
Bitcoin (BTC): Refers to the total ransom asked in Bitcoin. This feature is critical to determine financial risk and is closely associated with the anonymity techniques used by the perpetrator.
USD: Specifies the ransom amount in United States dollars. It quantifies the economic stake of the incident and has proven to be a strong predictive variable in the model.
IP Address: Records the source or destination IP address related to the ransomware attack. Geographic and ISP analysis of IPs can help trace the source of attacks or detect proxy usage.
Threats: Classifies the level or type of threat embodied by the ransomware sample. This may be based on severity, behavior, or associated malware family, and is vital for prioritizing incidents.
Port: Specifies the network port used for communication. Specific ports, like 445 used for SMB, are often associated with known vulnerabilities and the lateral spread that comes with ransomware attacks.
Netflow_bytes: Refers to the total number of bytes passed through over the network stream during the event. Anomalously high or low values can signal malicious data exfiltration or command-and-control activity.
Time: Records the duration of the attack event. Temporal patterns support time-series analysis and help detect coordinated campaigns or zero-day threats.
Classification Target: The predicted variable is the label assigned to every network flow or event in the UGRansome dataset, produced by anomaly detection of zero-day attacks and ransomware events. The variable has three categorical classes:
S (Safe): Normal or benign network activity (66,380 instances).
SS (Suspicious): Potentially anomalous or suspicious activity, not confirmed to be an attack (40,102 instances).
A (Attack): Confirmed ransomware or zero-day attack activity (42,561 instances).
Figure 1 shows the correlation matrix, giving the strength and direction of the relationship between each input feature and the output variable in the UGRansome dataset. A higher correlation coefficient indicates a stronger relationship between a feature and the ransomware classification label. Notably, the financial indicator “USD” and the structural features “Port” and “Threats” show stronger correlations, suggesting their potential as high-impact predictors. This matrix informed the feature selection process, guiding the application of the F-statistic and Recursive Feature Elimination (RFE) in the subsequent analysis.
Fig. 1
The correlation matrix between input and output variables
The role of clustering in enhancing predictions of ransom attacks
Clustering algorithms have played a crucial role in revealing hidden patterns and clustering data into meaningful subcategories, and hence significantly enhanced the predictive ability in terms of ransomware attacks. By dividing similar observations based on common properties, clustering allowed the identification of high-risk as well as low-risk behavioral patterns within the complex dataset.
Different clustering methods were used to enable this analysis. K-means clustering divided the dataset into separate clusters by reducing intra-cluster variance, thus proving effective in identifying distinct attack pattern clusters. Hierarchical clustering produced a dendrogram of hierarchical clusters by repeatedly merging or splitting clusters, allowing for a multi-faceted analysis of ransomware behavior. In addition, Density-Based Spatial Clustering of Applications with Noise (DBSCAN) was used to identify clusters with non-linear arrangements and to find outliers, which often indicated the occurrence of new ransomware tactics.
Clustering has become a critical building block in the detection of abnormal behavior, with outlier detection being a core aspect of adaptive modeling. Anomaly detection often leads to the updating of predictive models or the triggering of alerts for new and previously unseen attack patterns or newly emerging vulnerabilities. Apart from its application in anomaly detection, clustering has been used to classify ransomware attacks according to key features like the ransom value demanded, attack duration, and type of threat. This classification enabled priority-based modeling through the grouping of high-severity attacks into separate sub-models, enhancing the accuracy of risk assessments.
In addition, the application of clustering greatly enhanced the process of anomaly detection by allowing comparisons between newly created data points and the predefined behavioral norms typical of well-defined clusters. The effectiveness of clustering depended on its combination with relevant feature selection methods and careful parameter tuning. The application of features selected through Recursive Feature Elimination (RFE) greatly improved the performance of clustering algorithms by reducing levels of noise and enhancing intra-cluster consistency. Overall, clustering was a core component in both the initial and subsequent analytical stages of the ransomware prediction model, thus allowing for the creation of more advanced, interpretable, and informative results that support cybersecurity efforts.
Feature selection
To enhance the effectiveness of the model and forecasting, the feature importance was determined using the F-statistic method, which ranks features according to their contribution to the performance of the model. This process allows for the detection of important variables with reduced occurrence of irrelevant or redundant information. Figure 2 shows the results of the F-statistic test performed on each feature in the dataset.
The feature “Port” showed a very high F-statistic of over 15,000, signifying a strong association with the dependent variable. The attribute labeled “USD” had the highest overall F-statistic value, around 19,254, highlighting its strong influence on predicting financial trends related to ransomware. Additionally, the feature labeled “Threats” revealed a strong influence, with an F-statistic of close to 4,303, making it one of the key predictors of model accuracy. The features “Flag” and “Clusters” reflected a moderate influence, suggesting a contribution to predictive strength, though not to the extent of the network-level and financial features. The features “Protocol” and “BTC” achieved the lowest F-statistic values, indicating limited predictive strength. The analysis showed that many features considerably increased the model’s overall predictive ability. The “Clusters”, “SeddAddress”, “ExpAddress”, “USD”, and “Port” variables were finally utilized as predictors in this study.
Fig. 2
Feature selection ranking based on F-statistic method
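The F-statistic ranking described above is the one-way ANOVA F-test applied feature by feature: the between-class spread of a feature's means is compared with its within-class scatter, and features with large ratios are kept. The following is an added illustration, not code from the paper; the records, field names and values are constructed to mimic a few UGRansome-style fields and are not taken from the dataset.

```python
from collections import defaultdict

# Constructed toy records (invented values, not UGRansome data). "Prediction" is the
# S/SS/A class label; the other keys stand in for dataset features.
RECORDS = [
    {"Prediction": "S",  "USD": 0,    "Port": 80,  "Protocol": 1},
    {"Prediction": "S",  "USD": 0,    "Port": 443, "Protocol": 2},
    {"Prediction": "S",  "USD": 0,    "Port": 80,  "Protocol": 3},
    {"Prediction": "SS", "USD": 100,  "Port": 445, "Protocol": 2},
    {"Prediction": "SS", "USD": 110,  "Port": 445, "Protocol": 1},
    {"Prediction": "SS", "USD": 90,   "Port": 139, "Protocol": 3},
    {"Prediction": "A",  "USD": 1000, "Port": 445, "Protocol": 3},
    {"Prediction": "A",  "USD": 1100, "Port": 445, "Protocol": 2},
    {"Prediction": "A",  "USD": 900,  "Port": 445, "Protocol": 1},
]


def anova_f(groups):
    """One-way ANOVA F-statistic for a single feature.

    groups maps each class label to the list of feature values observed in that class.
    F = (SS_between / (k - 1)) / (SS_within / (n - k)); a large F means the class means
    differ far more than the scatter inside each class would explain.
    """
    k = len(groups)
    n = sum(len(v) for v in groups.values())
    if k < 2 or n <= k:
        raise ValueError("need at least two classes and more samples than classes")
    grand_mean = sum(sum(v) for v in groups.values()) / n
    ss_between = sum(len(v) * (sum(v) / len(v) - grand_mean) ** 2 for v in groups.values())
    ss_within = sum(sum((x - sum(v) / len(v)) ** 2 for x in v) for v in groups.values())
    if ss_within == 0.0:
        # Feature is constant inside every class: it separates the classes perfectly
        # if the class means differ at all, otherwise it carries no information.
        return float("inf") if ss_between > 0 else 0.0
    return (ss_between / (k - 1)) / (ss_within / (n - k))


def rank_features(records, label_key, feature_keys):
    """Score every feature with anova_f and return (feature, F) pairs, best first."""
    scores = {}
    for feat in feature_keys:
        groups = defaultdict(list)
        for r in records:
            groups[r[label_key]].append(float(r[feat]))
        scores[feat] = anova_f(groups)
    return sorted(scores.items(), key=lambda kv: kv[1], reverse=True)


if __name__ == "__main__":
    for name, f_value in rank_features(RECORDS, "Prediction", ["USD", "Port", "Protocol"]):
        print(f"{name:<10} F = {f_value:,.2f}")
```

On these toy records USD ranks first, Port second and Protocol last with F = 0, since its class means are identical.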
Methodology
Histogram gradient boosting classification (HGBC)
The HGB method builds on the well-known gradient boosting (GB) [49] methodology, which is widely applied to machine-learning problems such as regression and classification. Like AdaBoost, it belongs to the family of boosting algorithms, which focus on turning weak learners into strong ones. The foundation of boosting is the progressive introduction and training of new weak learners to compensate for the shortcomings of the previous ones: each new weak learner is fitted to correct the errors made by its predecessor. Decision trees are the most commonly used weak learners. The GB algorithm’s primary flaw, its protracted training time on large datasets, is addressed by the HGB approach: the continuous input parameters are binned into a few hundred discrete values. Here, the learning rate is the most important hyperparameter of the algorithm, and numerous rounds of hyperparameter adjustment allowed for considerable optimization of the approach.
Optimization algorithms
While optimization and modeling target different aspects, both are typically required to tackle real-world problems. Modeling ensures that objective functions are evaluated by a correct mathematical or numerical model of the system under study, while optimization finds the optimum set of design parameters. The choice of effective optimization algorithms therefore lies at the core of a successful optimization exercise [50, 51]. Three nature-inspired metaheuristic algorithms, the Bonobo Optimization Algorithm (BOA) [52], the Tunicate Swarm Algorithm (TSA) [53], and the Gorilla Troops Optimizer (GTO) [54], are used in this study to tune the hyperparameters of the Histogram Gradient Boosting Classifier (HGBC); they have been applied successfully before, but their performance had not been compared [55, 56–57]. The BOA is inspired by the cooperative and adaptive social behavior of bonobos to enable effective balancing of global exploration versus local exploitation. Similarly, the TSA mimics the swarming and propulsive behavior of tunicates to enhance convergence rate and solution quality in a high-dimensional search space. The GTO is inspired by the hierarchical leadership and collaborative foraging nature of gorilla troops, ensuring population diversity and robustness of search capability. Their application significantly improves the overall generalization ability and prediction accuracy of the classifier, which is crucial for overcoming the non-linearity and high dimensionality of the data. For the explicit mathematical derivation of these algorithms, refer to Appendix II.
Performance evaluation metrics
To evaluate the performance of the classification models, a set of standard evaluation metrics was employed that consisted of accuracy, precision, recall, and F1-score. They provide a comprehensive overview of the performance of a model, particularly for imbalanced or critical classification tasks such as ransomware detection. The definitions of these metrics are as follows:
Accuracy: Measures the proportion of correctly classified instances (both positive and negative) out of the total number of cases.
Precision: Indicates the proportion of true positive predictions among all positive predictions made by the model. High precision reflects a low false-positive rate.
Recall (Sensitivity): This measure determines the proportion of true positives that the model correctly identifies. In the case of cybersecurity, failure to identify an attack (a false negative) could lead to serious financial consequences, making this measure critical.
F1-Score: This is the harmonic mean of precision and recall that gives a balanced measure that includes both false negatives and false positives. Its importance is especially evident in datasets that have imbalanced class distributions.
1
2
3
4
In these equations:
TP (True Positive): Correctly predicted ransomware incidents.
FP (False Positive): Benign cases wrongly flagged as ransomware.
TN (True Negative): Correctly identified non-ransomware cases.
FN (False Negative): Missed ransomware predictions.
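For the three-class target (S, SS, A) each class has its own TP, FP, TN and FN, so precision, recall and F1 are computed per class and then averaged. The code below is an added example, not the paper's code: it builds the confusion matrix from label lists and derives the four metrics, using unweighted (macro) averaging as an assumption; the confusion matrix is constructed for illustration and does not reproduce the paper's results.

```python
CLASSES = ["S", "SS", "A"]

# Constructed confusion matrix (rows = true class, columns = predicted class).
# Invented counts chosen to make the arithmetic easy to follow; not the paper's figures.
CONSTRUCTED_CM = {
    "S":  {"S": 50, "SS": 5,  "A": 5},
    "SS": {"S": 4,  "SS": 30, "A": 6},
    "A":  {"S": 2,  "SS": 3,  "A": 45},
}


def expand_matrix(cm):
    """Turn a confusion matrix back into parallel (y_true, y_pred) label lists."""
    y_true, y_pred = [], []
    for true_cls, row in cm.items():
        for pred_cls, count in row.items():
            y_true += [true_cls] * count
            y_pred += [pred_cls] * count
    return y_true, y_pred


def confusion_matrix(y_true, y_pred, classes):
    """Count (true, predicted) pairs into a nested dict cm[true][pred]."""
    cm = {t: {p: 0 for p in classes} for t in classes}
    for t, p in zip(y_true, y_pred):
        cm[t][p] += 1
    return cm


def per_class_counts(cm, classes, cls):
    """TP, FP, TN, FN for one class in a one-vs-rest view of the matrix."""
    tp = cm[cls][cls]
    fp = sum(cm[t][cls] for t in classes if t != cls)   # column minus the diagonal
    fn = sum(cm[cls][p] for p in classes if p != cls)   # row minus the diagonal
    total = sum(cm[t][p] for t in classes for p in classes)
    tn = total - tp - fp - fn
    return tp, fp, tn, fn


def _safe_div(num, den):
    # A class that is never predicted would otherwise divide by zero.
    return num / den if den else 0.0


def classification_metrics(y_true, y_pred, classes):
    """Accuracy plus per-class and macro-averaged precision, recall and F1."""
    cm = confusion_matrix(y_true, y_pred, classes)
    n = len(y_true)
    out = {"accuracy": _safe_div(sum(cm[c][c] for c in classes), n), "per_class": {}}
    for c in classes:
        tp, fp, tn, fn = per_class_counts(cm, classes, c)
        precision = _safe_div(tp, tp + fp)
        recall = _safe_div(tp, tp + fn)
        f1 = _safe_div(2 * precision * recall, precision + recall)
        out["per_class"][c] = {"TP": tp, "FP": fp, "TN": tn, "FN": fn,
                               "precision": precision, "recall": recall, "f1": f1}
    for m in ("precision", "recall", "f1"):
        out["macro_" + m] = sum(out["per_class"][c][m] for c in classes) / len(classes)
    return out


if __name__ == "__main__":
    y_true, y_pred = expand_matrix(CONSTRUCTED_CM)
    result = classification_metrics(y_true, y_pred, CLASSES)
    print(f"accuracy={result['accuracy']:.3f} macro-F1={result['macro_f1']:.3f}")
    for c in CLASSES:
        print(c, result["per_class"][c])
```

Note that with a skewed class distribution such as the 66,380/40,102/42,561 split of this dataset, macro and weighted averages can differ noticeably, so the averaging rule should be reported alongside the scores.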
Cross-validation and train-test split
The data-splitting technique (train-test split) is used in machine learning to divide the dataset into two parts: one for training the model and the other for testing its performance. In this study, an 80/20 train-test split was utilized, as suggested by researchers [58]. Cross-validation methods can be delineated broadly as exhaustive or non-exhaustive. Exhaustive ones take into account all feasible ways of splitting the original dataset into a training and a validation subset; typical examples are leave-p-out cross-validation and leave-one-out cross-validation. Even though they provide extensive testing, they are computationally intensive. On the other hand, non-exhaustive strategies approximate the same test by attempting only a subset of possible data splits, using techniques such as k-fold cross-validation, the holdout approach, or repeated random subsampling. Of these, k-fold cross-validation is a favorite of machine learning researchers and practitioners since it is simple to apply and has been empirically shown to approximate the predictive accuracy of classification models well [59, 60]. In this study, 5-fold cross-validation was conducted in 5 iterations to further determine the single and hybrid models’ predictive power and stability. Table 1 presents the results for the HGBC single model, indicating uniform performance across folds and iterations. Additionally, the results for the hybrid models, HGBO, HGTS, and HGGT, are presented in Table 2, showing the improved and stable accuracy achieved through the combination of optimization and hybridization strategies.
Table 1. 5-fold cross-validation results for the HGBC single model
| Models | Iteration | Test fold K1 | Test fold K2 | Test fold K3 | Test fold K4 | Test fold K5 |
|---|---|---|---|---|---|---|
| HGBC | 1 | 0.908 | 0.905 | 0.911 | 0.919 | 0.920 |
| | 2 | 0.916 | 0.911 | 0.921 | 0.924 | 0.927 |
| | 3 | 0.908 | 0.903 | 0.907 | 0.903 | 0.909 |
| | 4 | 0.894 | 0.906 | 0.909 | 0.911 | 0.912 |
| | 5 | 0.891 | 0.897 | 0.900 | 0.893 | 0.901 |
Table 2. 5-fold cross-validation results for hybrid models
| Models | Iteration | Test fold K1 | Test fold K2 | Test fold K3 | Test fold K4 | Test fold K5 |
|---|---|---|---|---|---|---|
| HGBO | 1 | 0.965 | 0.965 | 0.968 | 0.967 | 0.970 |
| | 2 | 0.973 | 0.970 | 0.973 | 0.976 | 0.977 |
| | 3 | 0.978 | 0.975 | 0.979 | 0.974 | 0.979 |
| | 4 | 0.971 | 0.978 | 0.978 | 0.976 | 0.980 |
| | 5 | 0.961 | 0.969 | 0.962 | 0.964 | 0.969 |
| HGTS | 1 | 0.955 | 0.954 | 0.957 | 0.956 | 0.958 |
| | 2 | 0.960 | 0.962 | 0.964 | 0.965 | 0.966 |
| | 3 | 0.953 | 0.950 | 0.954 | 0.957 | 0.959 |
| | 4 | 0.948 | 0.947 | 0.949 | 0.949 | 0.950 |
| | 5 | 0.940 | 0.947 | 0.943 | 0.949 | 0.950 |
| HGGT | 1 | 0.924 | 0.927 | 0.929 | 0.923 | 0.929 |
| | 2 | 0.916 | 0.917 | 0.918 | 0.919 | 0.921 |
| | 3 | 0.908 | 0.910 | 0.910 | 0.914 | 0.916 |
| | 4 | 0.920 | 0.917 | 0.918 | 0.921 | 0.923 |
| | 5 | 0.925 | 0.925 | 0.927 | 0.924 | 0.928 |
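The layout of Tables 1 and 2, five iterations of a 5-fold split, is what repeated stratified k-fold cross-validation produces: each iteration reshuffles the data, partitions it into five folds that preserve the S/SS/A class proportions, and reports the accuracy on each held-out fold. The block below is an added example, not the paper's code; the dataset and the nearest-class-mean classifier are constructed stand-ins used only to exercise the splitting logic.

```python
import random
from collections import defaultdict


def make_constructed_dataset(seed=1, counts=(150, 90, 60)):
    """Constructed flows: an S/SS/A label and a single 'USD' ransom feature whose typical
    range differs per class (invented ranges, not values from the UGRansome data)."""
    rng = random.Random(seed)
    ranges = {"S": (0, 50), "SS": (20, 400), "A": (300, 2000)}
    data = []
    for label, n in zip(("S", "SS", "A"), counts):
        lo, hi = ranges[label]
        data += [(rng.uniform(lo, hi), label) for _ in range(n)]
    rng.shuffle(data)
    return data


def stratified_kfold(labels, k, rng=None):
    """Return k disjoint index lists; each fold keeps every class's share of the data."""
    rng = rng or random.Random(0)
    by_class = defaultdict(list)
    for i, y in enumerate(labels):
        by_class[y].append(i)
    folds = [[] for _ in range(k)]
    for idx in by_class.values():
        rng.shuffle(idx)
        for j, i in enumerate(idx):      # deal each class round-robin across folds
            folds[j % k].append(i)
    return folds


def nearest_mean_classifier(train):
    """Stand-in model: fit per-class feature means, predict the nearest class mean."""
    sums, cnts = defaultdict(float), defaultdict(int)
    for x, y in train:
        sums[y] += x
        cnts[y] += 1
    means = {y: sums[y] / cnts[y] for y in sums}
    return lambda x: min(means, key=lambda y: abs(x - means[y]))


def repeated_cv_accuracy(data, k=5, iterations=5, seed=0):
    """Accuracy table with one row per iteration and one column per test fold,
    i.e. the shape of Table 1 / Table 2."""
    rng = random.Random(seed)
    labels = [y for _, y in data]
    table = []
    for _ in range(iterations):
        folds = stratified_kfold(labels, k, rng)   # fresh shuffle each iteration
        row = []
        for test_idx in folds:
            held_out = set(test_idx)
            train = [data[i] for i in range(len(data)) if i not in held_out]
            predict = nearest_mean_classifier(train)
            correct = sum(predict(data[i][0]) == data[i][1] for i in test_idx)
            row.append(correct / len(test_idx))
        table.append(row)
    return table


if __name__ == "__main__":
    dataset = make_constructed_dataset()
    for it, row in enumerate(repeated_cv_accuracy(dataset), start=1):
        print(f"iteration {it}: " + "  ".join(f"K{j + 1}={acc:.3f}" for j, acc in enumerate(row)))
```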
Results
Convergence behavior and hyperparameter tuning
Figures 3 and 4 show the convergence behavior and the hyperparameter configurations exhibited by the HGBO, HGTS, and HGGT methods during the training iterations. The horizontal axis in the convergence plot indicates the iteration number, and the vertical axis indicates the corresponding accuracy achieved. The box plots show the range of hyperparameter values explored and the optimal value reached across iterations:
HGBO reached the highest terminal accuracy of 0.975 and had good convergence, indicative of its efficacy and stability.
HGTS had a marginally lower final accuracy value of 0.959, reflecting a steady and uniform trend in convergence.
HGGT showed the worst and slowest convergence, with the final highest accuracy of 0.929.
Fig. 3
Convergence behavior of HGBO, HGTS, and HGGT models
Fig. 4
Hyperparameter configuration of hybrid models
ROC curve evaluation
The Receiver Operating Characteristic (ROC) curve is an important tool for the assessment of classification models, as it graphically displays the relationship between the True Positive Rate (TPR) and the False Positive Rate (FPR) at different levels of thresholds. A good model is reflected by a curve that moves towards the upper left, which represents high values for both sensitivity and specificity.
Figure 5 displays the ROC curves of four models: HGBC, HGBO, HGTS, and HGGT.
HGBO demonstrated the best classification performance, consistently achieving the highest TPR across most FPR values.
HGTS closely followed the path traced by HGBO and ranked just below it, denoting strong performance slightly below it.
HGGT showed a moderate efficacy, with sporadic overlaps with HGTS and HGBO, but mostly lagging behind their performance.
HGBC exhibited the weakest performance, producing the lowest TPR for any given FPR.
The Area Under the Curve (AUC) measure was utilized to verify the above observations: the highest score was obtained by HGBO, followed by HGTS, HGGT, and HGBC. Both the visual and the quantitative analysis therefore support the claim that HGBO provides the best balance between sensitivity and specificity.
Fig. 5
ROC curves for HGBC and hybrid models
Quantitative performance comparison
Table 3 summarizes the Accuracy, Precision, Recall, F1-score, and AUC for each model during the training and testing phases.
HGBO outperformed all other models, achieving nearly identical training and testing metrics (~ 0.976), indicating excellent generalization.
HGTS achieved strong results (~ 0.960), validating its consistency across data partitions.
HGGT showed moderate accuracy (~ 0.930), with stable yet suboptimal performance.
HGBC ranked lowest, with accuracy and precision around 0.914.
These results establish HGBO as the most resilient and accurate model, while HGTS offers a solid middle ground and HGGT outpaces HGBC but lacks robustness.
Table 3. Performance metrics of HGBC and hybrid models on train, test, and all data
| Model | Section | Accuracy | Precision | Recall | F1-Score | AUC |
|---|---|---|---|---|---|---|
| HGBC | Train | 0.914 | 0.914 | 0.914 | 0.914 | 0.935 |
| | Test | 0.913 | 0.914 | 0.913 | 0.913 | |
| | All | 0.914 | 0.914 | 0.914 | 0.914 | |
| HGBO | Train | 0.975 | 0.975 | 0.975 | 0.975 | 0.982 |
| | Test | 0.976 | 0.976 | 0.976 | 0.976 | |
| | All | 0.975 | 0.976 | 0.975 | 0.975 | |
| HGTS | Train | 0.959 | 0.960 | 0.959 | 0.960 | 0.969 |
| | Test | 0.959 | 0.960 | 0.959 | 0.959 | |
| | All | 0.959 | 0.960 | 0.959 | 0.960 | |
| HGGT | Train | 0.929 | 0.930 | 0.929 | 0.929 | 0.947 |
| | Test | 0.932 | 0.933 | 0.932 | 0.932 | |
| | All | 0.930 | 0.930 | 0.930 | 0.930 | |
Figure 6 presents the confusion matrices of the HGBC single model and its hybrid counterparts, which provide a detailed overview of the classification performance for each class. Although HGBC accurately classified a large number of samples in every class (36,535 for SS, 38,911 for A, and 60,716 for S), considerable confusion was present between neighboring classes. By contrast, the confusion matrices of the HGBO, HGTS, and HGGT hybrid models reveal dramatic improvements in classification accuracy, with the improvements of HGGT smaller than those of the other two hybrid models. For HGBO, the correctly classified instances of SS, A, and S increased to 39,107, 41,484, and 64,795, respectively, and the misclassified counts in the off-diagonal cells decreased considerably, indicating greater accuracy and fewer false negatives and false positives. Similarly, HGTS also performs well, with high true positives (38,423 for SS, 40,846 for A, and 63,735 for S) and comparatively lower misclassification rates than the standalone HGBC model. These results confirm that the hybrid models effectively improve discrimination power for all classes, reducing overlap and improving overall model reliability.
Fig. 6
Confusion matrix for HGBC and Hybrid Models
Sensitivity analysis for explainable AI
Sensitivity analysis techniques aim to quantify the magnitude of changes in model outputs resulting from variations in inputs, thereby providing insight into the uncertainty and effects of input variables. Sensitivity analysis is crucial for gaining a deeper understanding of feature importance and uncertainty in machine learning models, simulators, and other systems of interest. Because of its ability to describe how inputs affect predictions, sensitivity analysis is a model-agnostic method within the wider explainable artificial intelligence (XAI) paradigm. In response to the growing need for transparency in AI deployment, simply offering predictions is no longer enough; stakeholders now increasingly expect explanations of model behavior, prediction parameters, and uncertainty sources before AI systems are deployed [61]. Sensitivity analysis contributes significantly to XAI by answering these questions irrespective of specific models or sampling designs, which is particularly handy when confronted with high-dimensional input spaces. By identifying the most influential variables, sensitivity analysis informs data collection priorities and aids effective data-driven modeling [62].
SHAP is employed in this study as an explanation methodology derived from the Shapley value concept in cooperative game theory. The method provides both a broad estimate of how important each feature is and a high-resolution explanation of how an individual input affects the model output. Specifically, Shapley values quantify the fair contribution of each input to the prediction by allocating the output additively among features. In the SHAP method, the model prediction takes the form of the sum of the prediction’s expected value and the Shapley values of single input features, with the presence or absence of features when computing their marginal contributions represented by the coalition vector [63].
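The additive decomposition just described can be reproduced exactly on a small model by enumerating every coalition of features: each feature's Shapley value is the weighted average of how much adding it to a coalition changes the output, and the values sum to the gap between the prediction and the baseline (expected) output. The block below is an added example, not the paper's SHAP code; the scoring function is a hypothetical stand-in for the classifier, and "absent" features are replaced by a single baseline point, a simplification of SHAP's expectation over background data.

```python
from itertools import combinations
from math import factorial

# Feature order used for the instance and baseline tuples (names from the paper's RFE ranking).
FEATURES = ("Clusters", "ExpAddress", "USD")


def toy_score(x):
    """Hypothetical scoring model standing in for the classifier (not the paper's HGBC):
    a linear part plus one interaction term between Clusters and ExpAddress."""
    clusters, exp_addr, usd = x
    return 2.0 * clusters + 1.0 * exp_addr + 0.5 * usd + 1.0 * clusters * exp_addr


def shapley_values(model, instance, baseline):
    """Exact Shapley values by enumerating all coalitions S of feature indices.

    v(S) evaluates the model with the features in S taken from the instance and all other
    features taken from the baseline (the coalition vector of the text).
    phi_i = sum over S not containing i of |S|! (n - |S| - 1)! / n! * (v(S + {i}) - v(S)).
    """
    n = len(instance)

    def v(coalition):
        return model(tuple(instance[j] if j in coalition else baseline[j] for j in range(n)))

    phi = [0.0] * n
    for i in range(n):
        others = [j for j in range(n) if j != i]
        for size in range(n):
            weight = factorial(size) * factorial(n - size - 1) / factorial(n)
            for subset in combinations(others, size):
                s = set(subset)
                phi[i] += weight * (v(s | {i}) - v(s))
    return phi


def explain(model, instance, baseline):
    """Return expected value, prediction and per-feature contributions (ranked by |phi|)."""
    phi = shapley_values(model, instance, baseline)
    contributions = dict(zip(FEATURES, phi))
    ranking = sorted(FEATURES, key=lambda f: abs(contributions[f]), reverse=True)
    return {"expected_value": model(baseline), "prediction": model(instance),
            "contributions": contributions, "ranking": ranking}


if __name__ == "__main__":
    # Constructed instance with every feature "on" against an all-zero baseline.
    result = explain(toy_score, (1.0, 1.0, 1.0), (0.0, 0.0, 0.0))
    print("E[f] =", result["expected_value"], " f(x) =", result["prediction"])
    for name in result["ranking"]:
        print(f"{name:<11} phi = {result['contributions'][name]:+.3f}")
```

On the toy model the linear effects are attributed in full and the Clusters×ExpAddress interaction is split equally between those two features, so the contributions (2.5, 1.5, 0.5) add up exactly to f(x) minus E[f].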
For the three top-ranked variables based on Recursive Feature Elimination (RFE) in Fig. 7-left, SHAP values are presented in Fig. 7-right. Cluster, ExpAddress, and USD, the three important variables, have SHAP values of 0.210, 0.169, and 0.066, respectively. Cluster groups similar patterns of attacks together, which allows the model to differentiate various families of ransomware and enhances class-specific predictions. ExpAddress identifies the targeted system endpoints that attackers leverage, revealing frequent targets or vulnerabilities and making recurring threats easier to trace. USD, the dollar value of the ransom, captures the monetary impact directly and relates strongly to verified cases of attacks, giving a clean economic indicator for measuring risk. Used together, these features cover the behavioral, structural, and economic aspects of ransomware activity, significantly improving the model’s ability to forecast danger and support appropriate cybersecurity enforcement.
Fig. 7
RFE ranking and SHAP sensitivity results
Discussion
Ransomware attacks constitute a serious threat in modern cybersecurity environments. They are marked by increasing complexity, scale, and frequency, aiming to compromise target infrastructure, organizations, and end-users by encrypting vital information and extorting financial payments. The impact of such intrusions is far-reaching, including data loss, operational disruption, and reputational damage, in addition to an increasing dependence on cryptocurrencies that provide anonymity and frustrate tracking attempts. Due to the limitations of conventional security solutions, there is an immediate need for advanced, intelligent, and scalable detection systems. Machine learning technologies, especially those capable of handling high-volume and high-velocity data streams, offer a solid foundation for strengthening defenses against ransomware intrusions. This study adds to the growing body of research literature by introducing hybrid machine learning frameworks that utilize biologically inspired optimization techniques to improve predictive performance and enhance system resilience.
The current study’s methodology mainly entails the use of the F-measure to select and keep the most important features, hence reducing dimensionality and improving the model’s performance. Subsequently, three metaheuristic algorithms, the Bonobo Optimization Algorithm (BOA), Tunicate Swarm Algorithm (TSA), and Gorilla Troop Optimization (GTO), were used to optimize the Histogram Gradient Boosting Classification (HGBC) model. This resulted in three hybrid models: HGBO (the combination of HGBC and BOA), HGTS (the combination of HGBC and TSA), and HGGT (the combination of HGBC and GTO). Evaluation was conducted based on standard measures (Accuracy, Precision, Recall, F1-score, and AUC) combined with an analysis of the ROC curve, convergence over 200 iterations, and classification performance for the SS, A, and S classes.
All model training for this work was conducted in Google Colab, which typically provides a cloud-based runtime environment with an Intel Xeon CPU with two virtual CPUs, approximately 13 GB of system RAM, and sufficient local disk capacity to allow notebooks, data sets, and trained models to be stored. For rapid calculation, an NVIDIA Tesla T4 GPU was utilized, which is designed on the NVIDIA Turing architecture with 2,560 CUDA cores, 320 Tensor cores, and 16 GB of GDDR6 memory, delivering up to 8.1 TFLOPS in single precision and up to 65 TFLOPS for mixed-precision calculations. This setup has high memory bandwidth (up to 320 GB/s) and is planned to speed up today’s machine learning workloads with CUDA, NVIDIA TensorRT, and ONNX APIs.
The Wilcoxon test, in particular the Wilcoxon Rank-Sum test, is a powerful non-parametric method for comparing prediction models [64]. The test is beneficial in assessing whether the outputs of different predictive models differ significantly [65, 66]. Table 4 presents the outcome of the Wilcoxon Rank-Sum tests for the models HGBC, HGBO, HGTS, and HGGT. It is apparent from the table that all models yield very small p-values (e.g., 5.96E-77 for HGBC and 9.80E-78 for HGGT), indicating with high confidence that the null hypothesis of no difference can be rejected. The respective test statistics, ranging from 2,732,949 for HGBO to 33,959,724 for HGBC, again verify noteworthy ranking differences between the models under consideration. These results establish that the differences in performance between the tested models are statistically significant and do not occur due to random variation. The models can therefore be confidently differentiated by predictive power, which determines the comparative strength of the analysis.
Among the models evaluated here, HGBO consistently ranked highest in every evaluative measure. It had a training accuracy and test accuracy of 0.975 and 0.976, and precision, recall, and F1-scores of 0.976 on the test dataset. Its closest competitor was HGTS, with a test accuracy and F1-score of 0.960, while HGGT achieved a test accuracy of 0.932. The lowest performance was recorded by the baseline model, HGBC, with both test accuracy and F1-score equal to 0.913. The ROC curve evaluation further supported the dominance of HGBO, since it consistently had the highest true positive rate (TPR) for every level of false positive rate (FPR) and the highest area under the curve (AUC). On the issue of convergence, not only did HGBO reach optimal accuracy faster, but it also improved consistently throughout the training iterations. Lastly, the per-class evaluation found the F1-scores of HGBO on the SS, A, and S classes to be 0.971, 0.973, and 0.980, respectively, and it correctly predicted 41,484 of the 42,561 instances in the A class.
In terms of computational efficiency, the baseline HGBC model required 60 s to execute, and incorporating the optimization techniques increased this dramatically: HGBO required 450 s, HGTS required 385 s, and HGGT required 392 s. Notably, HGBO, the most accurate prediction model in the current study, had a relatively high computational cost, reflecting the trade-off between predictive power and running time when applying advanced hybrid optimization techniques.
Table 4. Wilcoxon Rank-Sum test result
| Models | P Value | Stat |
|---|---|---|
| HGBC | 5.96E-77 | 33,959,724 |
| HGBO | 2.18E-23 | 2,732,949 |
| HGTS | 1.11E-32 | 7,569,011 |
| HGGT | 9.80E-78 | 21,780,207 |
Table 5 clearly shows that the current study differs from previous research by including more sophisticated elements. Unlike Emari and Yaghi, Urooj et al., and Mercaldo et al., who employed mostly plain classifiers such as Random Forest, Naive Bayes, Decision Tree, and KNN without feature selection or explainable AI, the present study employs an optimized Histogram Gradient Boosting model with nature-inspired optimizers, an F-measure strategy for robust feature selection, and sensitivity analysis through SHAP-based interpretability. Additionally, the current work ensures statistical validity by employing the Wilcoxon test and K-fold cross-validation, and achieves a higher accuracy (~ 97.6%) than similar research.
Table 5. Comparison table
| Aspect | Current Study | Emari and Yaghi (17) | Urooj et al. (6) | Mercaldo et al. (67) |
|---|---|---|---|---|
| Algorithms Used | Optimized Histogram Gradient Boosting (HGBC), (HGBO, HGTS, HGGT) | RF, NB, LR, DT | RF, DT, KNN, NB, LR | RF, NB, DT, KNN, GBDT |
| Feature Selection | F-measure method | None | None | None |
| Explainable AI | SHAP for feature impact, Sensitivity Analysis | None | None | None |
| Statistical Validation | Wilcoxon ranking test, K-fold CV | None | None | None |
| Accuracy Achieved | ~ 97.6% (HGBO) | Up to 94% | Up to 94.6% | 97% |
The empirical significance of these results is considerable, since they demonstrate that combining feature selection with high-level metaheuristic optimization methods can make machine learning models in cybersecurity highly resilient, interpretable, and accurate. The reliable and optimal functioning of HGBO, for example, indicates the potential of borrowing behavioral heuristics, such as the social dynamics of bonobos, to solve challenging classification problems. This hybrid framework is not just computationally efficient and scalable but also adaptive and portable, with high potential for expansion to other cybersecurity tasks like intrusion detection, phishing, anomaly detection, malware detection, and insider threat evaluation. By achieving high accuracy and recall, such optimized models reduce false positives and false negatives, enabling security professionals to focus on genuine threats and thus improve detection rates and proactive actions. In organizational and cloud computing settings involving huge, dynamic, and exposed datasets, such strong, biologically motivated algorithms retain their performance even as threats evolve, minimizing the need for constant retraining. Lastly, the proposed methodology gives an exhaustive, consistent framework for creating intelligent security systems that can be deployed in real-time, large-scale, and dynamic settings to boost the digital resilience of modern firms against sophisticated cyberattacks such as ransomware.
Limitations and future directions
Though the results are promising, there are a number of important caveats to this research that need to be addressed. Firstly, the experiments are conducted on the UGRansome dataset, so the model might not generalize as effectively to other settings or to new or unknown ransomware families with different behavior patterns. Operational deployment would entail large-scale real-time testing on heterogeneous, dynamic traffic to ascertain robustness in deployment scenarios. Theoretically, the suggested model may not be able to react to drastically new attack patterns without recurrent retraining. Practically, the computational overhead of high-end metaheuristic optimization and repeated cross-validation may be prohibitive for very large-scale or time-critical security systems. There is also an opportunity in future research to contrast the proposed models with newer deep learning approaches, such as Long Short-Term Memory (LSTM) networks, Convolutional Neural Networks (CNN), Stacked Autoencoders (SAE), or transformer-based models that are increasingly used for real-time intrusion detection. Coupling with these cutting-edge deep learning methods can determine whether hybrid metaheuristic tuning brings the same or complementary benefits to deep neural models for complex, dynamic ransomware behavior. Future research should bridge these gaps by evaluating on other heterogeneous datasets, adding streaming data pipelines for real-time detection, and developing lightweight model versions to trade off detection performance against resource consumption. Furthermore, to minimize potential biases in training data and improve adversarial resistance, adversarial training techniques as well as continual learning need to be explored.
Finally, the proposed approach undoubtedly has policy implications: through its enhanced predictive capability and interpretability, it facilitates proactive countermeasures, improved resource planning, and informed policy-making for threat prevention at both organizational and national levels.
Conclusion
This study proposed a hybrid machine learning framework to improve the predictive power for the detection of ransomware attacks by integrating feature selection, Recursive Feature Elimination (RFE), sensitivity analysis, and metaheuristic optimization techniques. The use of feature selection enabled the refinement of the dataset by eliminating redundant features, which resulted in better interpretability of the model, reduced dimensionality, and the retention of only the most influential predictors. This process not only helped achieve better computational efficiency and generalizability but also reduced noise and lowered the risk of overfitting. Given the complex nature and high dimensionality of ransomware datasets, the use of the F-measure as a feature selection method was instrumental in improving the model’s ability to handle high-dimensional data without compromising its performance. However, the effectiveness of feature selection is partly dependent on the quality of the base model and can be computationally expensive, especially when dealing with large datasets. This study mitigated these drawbacks by improving the model through biologically inspired metaheuristic algorithms—namely, the Bonobo Optimizer (BO), Tunicate Swarm Algorithm (TSA), and Gorilla Troop Optimization (GTO)—in combination with the Histogram Gradient Boosting Classification (HGBC) baseline. The hybrid models created—HGBO, HGTS, and HGGT—showed substantial improvements compared to the baseline model. Of these, HGBO performed the best, with a training accuracy of 0.975 and a test accuracy of 0.976, proving itself to be the most reliable model. HGTS ranked second with a test accuracy of 0.960, verifying the effectiveness of swarm-based optimization for enhancing model performance. HGGT showed moderate improvements, while the baseline model, HGBC, showed the weakest performance on all evaluation measures, with a test accuracy of 0.913.
SHAP sensitivity analysis highlighted “Clusters” as the strongest predictor, followed by “USD” and “ExpAddress,” indicating that both financial indicators and structural network variables are important in the correct classification of threats.
These findings validate that the careful choice of features, combined with appropriate optimization strategies, significantly improves the accuracy of ransomware predictions. Pragmatically, the suggested approach yields a scalable, computationally friendly framework for the detection of ransomware. On top of this, it may be applied across other cybersecurity problem areas, ranging from phishing attacks to malware analysis and intrusion identification. Lastly, its ability to learn evolving patterns of attack makes it suitable for deployment in volatile environments, for example, in cloud computing, as well as widespread cybersecurity networks.
From a policy perspective, the proposed approach provides an effective analytical tool that can support evidence-based decision-making in cybersecurity governance. By enabling more accurate and adaptive recognition of ransomware threats, this model can inform the development of proactive cybersecurity policy, improve incident response protocols, and direct regulatory measures for the protection of critical infrastructure and sensitive data. Consequently, its utilization by policymakers, regulatory agencies, and industry stakeholders could enhance resilience against upcoming cyber threats and guide the creation of more successful national and organizational cybersecurity strategies.
Appendix I
List of abbreviations
| Abbreviation | Definition | Abbreviation | Definition |
|---|---|---|---|
| AES | Advanced Encryption Standard | LSTM | Long Short-Term Memory |
| KNN | K-Nearest Neighbors | MCTS | Monte Carlo Tree Search |
| AI | Artificial Intelligence | MHA-LSTM | Multi-Head Attention-based Long Short-Term Memory |
| API | Application Programming Interface | MI | Mutual Information |
| AUC | Area Under the Curve | ML | Machine Learning |
| XGBoost | eXtreme Gradient Boosting | OS | Operating System |
| BOA | Bonobo Optimization Algorithm | PSO | Particle Swarm Optimization |
| BTC | Bitcoin | RaaS | Ransomware-as-a-Service |
| CPU | Central Processing Unit | RF | Random Forest |
| DBSCAN | Density-Based Spatial Clustering of Applications with Noise | RFE | Recursive Feature Elimination |
| DBO | Dung Beetle Optimization | RFECV | Recursive Feature Elimination with Cross-Validation |
| DL | Deep Learning | RFSA | Ransomware Feature Selection Algorithm |
| DT | Decision Tree | ROC | Receiver Operating Characteristic |
| SVM | Support Vector Machine | RSA | Rivest–Shamir–Adleman (Asymmetric Encryption Algorithm) |
| F1-score | Harmonic Mean of Precision and Recall | SAE | Stacked Autoencoder |
| FeSA | Feature Selection Architecture | SCA | Sine Cosine Algorithm |
| FN | False Negative | SCADL-RWDC | Sine Cosine Algorithm with Deep Learning-based Ransomware Detection and Classification |
| FP | False Positive | TP | True Positive |
| GB | Gradient Boosting | TN | True Negative |
| GRU | Gated Recurrent Unit | TSA | Tunicate Swarm Algorithm |
| GTO | Gorilla Troop Optimization | TTPs | Tactics, Techniques, and Procedures |
| HGWO | Hybrid Grey Wolf Optimizer | USD | United States Dollar |
| IDS | Intrusion Detection System | WFH | Work from Home |
| IoT | Internet of Things | | |
Appendix II
Bonobo optimization algorithm (BOA)
The Bonobo Optimization Algorithm (BOA) is a bio-inspired metaheuristic that mimics bonobos’ complex social behavior and mating habits to solve challenging optimization problems. In the current study, BOA was hybridized with Histogram Gradient Boosting Classification (HGBC) to develop the hybrid HGBO model, aiming to improve predictive power in ransomware detection [68]. The algorithm is designed around the fission-fusion social structure observed in bonobos, where the population alternates between dividing into smaller subgroups and subsequently reassembling, thereby promoting the investigation of the solution space [69]. These subgroups take part in various simulated interactions (consortship, sexual relations, extra-group mating, and restrictive mating), which play an important role in enhancing both the diversification and intensification of the search process. The fittest member of the population, known as the alpha bonobo, controls the creation of new solutions and guides the search towards promising areas. Important parameters such as the phase change probability and the directional probability control the changes between exploration (promiscuous phase) and exploitation (restrictive phase). The offspring are accepted if they are better than their parents or the alpha; otherwise, parameter updates are initiated to prevent stagnation. A flowchart outlines the iterative framework of the algorithm. In combination with HGBC, the resulting HGBO hybrid achieved excellent convergence speed and predictive power, surpassing other models equipped with optimization techniques [70].
Initialization of the undefined BOA parameters
The BO’s two-phase conditions are the following: positive phase count (), negative phase count (), phase change (cp.), short-term sub-group sizing factor (tsgs factor), phase probability (), extra-group mating probability (), and directional probability (). The setup began as follows:
1
The initial values of and were, respectively, factor-initial and -initial.
The positive and negative phases
The algorithm proceeds in two phases, positive and negative. The current phase is selected using the phase probability, which is determined either by population diversity or by an alternative constraint.
The Bonobo selection using fission–fusion strategy
The BOA treats the population as a large community that is temporarily split into smaller groups of a given size; after a while, the groups return to the community. Initially, the maximum size of a temporary sub-group (referred to as ) is determined from the size of the whole population (), chosen as the greater of 2 and ():
2
Through trait exchange with the , the ability to produce a new bonobo is determined by the size factor of the temporary sub-group, . When the values are greater than or equal to one, the pth bonobo is chosen at random from the whole population, excluding the ith bonobo.
New Bonobo creation using various mating strategies
Four different mating strategies are employed by bonobos: consortship, sexual activity, extra-group mating, and restrictive mating [71]. Bonobos employ social methods known as fission-fusion, which involve dispersing into smaller groups (fission) and then reorganizing to perform specialized duties, such as sharing a bed, through a range of activities (fusion) [72]. If the other random number () generated in the range 0 to 1 is less than or equal to the probability of extra-group mating (), the outcome is modified using the extra-group mating approach described below:
Promiscuous and restrictive mating strategies
The mating procedure is defined using the alternative. A new bonobo is produced according to Eq. (3):
3
and () are the variables for the alpha bonobo and the new offspring, respectively. The alpha bonobo and the selected pth bonobo have participation scores of and scsb, respectively, whereas is a random number between and , and ranges from 1 to the number of components. Flags that indicate restrictive or promiscuous mating may take two values: or .
The strategies of consort ship and extra-group mating
The extra-group mating probability () governs the random creation of consortships and mating strategies according to the phase ().
4
5
6
7
8
9
10
Maximum and minimum boundary values are and , the random value is nonzero, and the influence of transformational leadership factors is and . The consortship mating strategy produces more offspring when is greater than pxgm, as shown in Eq. (11).
11
Variable boundary limiting conditions
Variable values that go beyond the limits are regulated by setting upper and lower bounds.
Offspring acceptance criteria
The new bonobo is retained depending on whether its fitness value is higher than that of the alpha and that of the bonobo it replaces in the general population.
Parameters’ updating
There are two cases. In the first, the new alpha bonobo of the current iteration is a better solution than that of the previous iteration, and the parameters are updated as follows:
12
In the second case, the alpha bonobo’s value stays the same as in the previous iteration, and the other parameters are modified as described below. The process of BOA is represented in the flowchart shown in Fig. 1-AII.
13
14
Here, and refer to the rate of change of the phase probability and the degree of phase change, respectively. The phase probability is initially set to a neutral value of 0.5, giving equal priority to both phases, but it changes dynamically during the iterations according to the behavior of the objective function and the optimization process. The maximum value of the temporary sub-group size factor () is specified by the user at the initial step, and the initial values of the extra-group mating probability () and the temporary sub-group size factor () are calculated accordingly; that is, is calculated as half of . Moreover, if the fitness of the alpha bonobo does not improve in an iteration, its corresponding parameters are updated adaptively according to pre-established rules to enhance the search capability of the algorithm and maintain diversity.
Fig. 1-AII
The flowchart of the Bonobo model
Tunicate swarm algorithm (TSA)
The Tunicate Swarm Algorithm is an optimization technique based on natural phenomena, namely the movement and behavioral patterns of tunicates. These marine animals employ jet propulsion for movement in water. TSA is based on the behavior of creatures called tunicates, which are a few millimeters in size and resemble closed cylinders at one end. These tunicates’ bright bioluminescence, which emits a gentle blue-green light, makes them noticeable from a great distance [53]. Each tunicate’s gelatinous coating serves as a link between them all. However, each tunicate absorbs water from its surroundings and uses jet propulsion to move ahead by releasing water via the atrial siphons at its open end. The mathematical model for tunicates’ jet propulsion operations takes into account elements like avoiding collisions between possible solutions, getting closer to the best solution, and staying close to the ideal solution [73].
This research combines the Tunicate Swarm Algorithm (TSA) with Histogram Gradient Boosting Classification (HGBC) to create the HGTS hybrid for enhancing the efficiency of ransomware detection. TSA has proven efficient in solving high-dimensional optimization problems, making it particularly suitable for the optimization of complex machine learning models. Its basic framework involves mechanisms for collision prevention, which avoid the clustering of solutions and maintain diversity during the search process. It also allows for directional search towards optimal solutions, thus boosting convergence while reducing the tendency toward premature convergence. The principles governing jet propulsion are expressed through equations that control velocity variations and positional changes, thereby shaping the exploration phases of the search algorithm. In addition, the algorithm incorporates mathematical abstractions such as gravitational forces, advection flows, and social weights to mimic the effect of environmental and social factors on agent motion. An element of randomness is necessary if the algorithm is to deal adequately with biological variability and enhance its global search ability. The TSA update mechanism allows agents to move towards areas of optimality while retaining enough diversity to avoid becoming trapped in local optima. A flowchart of the TSA process provides a complete overview of the procedure. The HGTS hybrid showed impressive effectiveness when TSA was combined with HGBC, achieving a very good balance between convergence efficiency and the capacity for model generalization.
Preventing collisions between candidate solutions
Initialization is required for the gravitational force , constant parameter , social force , deep ocean water flow advection , and maximum iteration count .
15
16
17
18
is the gravitational force, and is the water flow advection in the deep ocean. is the social interaction force among search agents. and are set at and , respectively, while , , and are random numbers between and .
Taking more steps towards the location of the best solution
The search agents are directed toward their closest neighbors after successfully avoiding conflicts with nearby entities.
19
represents the current iteration in progress, indicates the position of the tunicates, represents the cumulative distance between the search agent and the food source, rand is a random value falling between and , and indicates the location of the source of food.
Remaining close to the best solution
The search agent may even become the most prominent search agent by solidifying its position.
20
21
Here, denotes the tunicate’s updated position. The process of TSA is represented in the flowchart shown in Fig. 2-AII.
Fig. 2-AII
The flowchart of the TSA model
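The TSA mechanics described above (collision avoidance through A = G/M, the step towards the food source, and the swarm blend), as an added example that is not code from the paper or from the TSA authors. The update rules follow the standard TSA formulation of Kaur et al. [53] and are assumed here, since the appendix equations are not reproduced on this page; the sphere objectives and the hyperparameter ranges in `decode_hgbc_params` are constructed stand-ins for the cross-validated HGBC fitness that the HGTS hybrid would use.

```python
import math
import random

# Added example, not the paper's code: a minimal Tunicate Swarm Algorithm (TSA)
# written from the standard formulation (Kaur et al., 2020). The update rules
# are assumed, since the appendix equations are not reproduced on this page.
P_MIN, P_MAX = 1.0, 4.0  # speed bounds used to build the social force M


def _clip(pos, lb, ub):
    """Keep every coordinate inside the search box [lb, ub]."""
    return [min(max(v, lb), ub) for v in pos]


def tsa_minimize(fitness, dim, lb, ub, n_agents=30, max_iter=100, seed=0):
    """Minimise fitness over [lb, ub]^dim; returns (best_pos, best_fit, history)."""
    rng = random.Random(seed)
    pop = [[rng.uniform(lb, ub) for _ in range(dim)] for _ in range(n_agents)]
    fits = [fitness(p) for p in pop]
    best = min(range(n_agents), key=fits.__getitem__)
    food, best_fit = pop[best][:], fits[best]  # food source = best solution so far
    history = [best_fit]

    for _ in range(max_iter):
        for i in range(n_agents):
            # Collision avoidance: the vector A = G / M, with G the gravitational
            # force, F the deep-ocean advection and M the social force (1..4).
            c1, c2, c3 = rng.random(), rng.random(), rng.random()
            F = 2.0 * c1
            G = c2 + c3 - F
            M = math.floor(P_MIN + c1 * (P_MAX - P_MIN))
            A = G / M
            moved = []
            for d in range(dim):
                # Distance to the food source, a step towards it with a random
                # sign, then the swarm blend of the old and the new position.
                pd = abs(food[d] - rng.random() * pop[i][d])
                step = food[d] + A * pd if rng.random() >= 0.5 else food[d] - A * pd
                moved.append((pop[i][d] + step) / (2.0 + c1))
            pop[i] = _clip(moved, lb, ub)
            fits[i] = fitness(pop[i])
            if fits[i] < best_fit:  # the best solution found so far is the food
                food, best_fit = pop[i][:], fits[i]
        history.append(best_fit)
    return food, best_fit, history


def sphere(pos):
    """Constructed test objective with its minimum (0) at the origin."""
    return sum(v * v for v in pos)


def shifted_sphere(pos, shift=2.0):
    """The same bowl with its minimum moved to (shift, ..., shift)."""
    return sum((v - shift) ** 2 for v in pos)


def decode_hgbc_params(pos):
    """Assumed ranges (not from the paper): map a point in [0, 1]^3 to
    HistGradientBoostingClassifier settings, the kind of vector the HGTS
    hybrid would evaluate with a cross-validated fitness."""
    u = _clip(pos, 0.0, 1.0)
    return {
        "learning_rate": 10 ** (-3.0 + 2.5 * u[0]),   # 1e-3 .. ~0.3, log scale
        "max_iter": int(round(50 + 450 * u[1])),       # 50 .. 500 boosting rounds
        "max_leaf_nodes": int(round(8 + 120 * u[2])),  # 8 .. 128 leaves per tree
    }


if __name__ == "__main__":
    _, f0, _ = tsa_minimize(sphere, 5, -5.0, 5.0, seed=1)
    _, f2, _ = tsa_minimize(shifted_sphere, 3, -5.0, 5.0, max_iter=300, seed=1)
    print(f"sphere at origin: {f0:.2e}; shifted sphere: {f2:.4f}")
    print(decode_hgbc_params([0.5, 0.5, 0.5]))
```

The swarm blend divides by (2 + c1), which contracts the population towards the origin on every step; the shifted-sphere run is included so that this bias can be compared against the origin-centred run before the search box is chosen for real hyperparameters.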
Gorilla troops optimizer (GTO)
Gorilla Troops Optimizer (GTO) is a swarm metaheuristic inspired by the foraging behavior and collective social interactions of gorillas. Gorillas, the largest living primates, have strong family ties and close-knit troop structures typically led by a mature male ‘silverback’. This leader defends the group, dictates movement patterns, and guides members to valuable sources of food such as fruit and leaves. Migration is essential in gorilla society, with both males and females preferentially leaving their natal groups to join existing troops or form new ones. The silverback’s leadership and female bonds hold groups together and foster stability. The GTO algorithm simulates this process through two primary phases: exploration and exploitation. The exploration phase employs three operators simulating migration to unknown locations, interaction with other gorillas, and relocation to familiar locations. The exploitation phase further refines the search through operators that simulate following the silverback and competing for females, thereby balancing the diversification and intensification of the search process [54]. The process of GTO is represented in the flowchart shown in Fig. 3-AII.
Exploration phase
A behavioral study of gorillas indicates that the primates typically live in groups under one silverback who leads them, although occasionally individuals disperse and relocate to new areas, where they encounter known and unknown gorillas. In GTO, each gorilla is a candidate solution, and the best-known solution in the population is the silverback. Each candidate gorilla’s position (GX) is successively updated according to the following equation. A parameter P in the range [0, 1] governs the migration policy: if a random number is less than P, the gorilla migrates to an unfamiliar area; if the random value is greater than or equal to 0.5, it moves towards other gorillas; otherwise, it migrates to a familiar area through the third search mechanism.
22
Here, represents the position vector of a candidate gorilla in the next iteration, while represents its current position. The values and specify the lower and upper limits of the decision variables. The terms , , , and are random numbers in [0, 1]. Furthermore, and represent the position vectors of randomly selected gorillas. The constants , , and are computed according to the following equations to regulate the search behavior.
23
24
25
Where,
26
27
denotes the present iteration, and specifies the total allowable iterations. Additionally, is a random variable uniformly distributed in the range , and is randomly sampled from the interval .
Exploitation phase
The exploitation phase of the GTO algorithm exhibits two major behaviors: following the silverback and competing for adult females. In this phase, the silverback gorilla is the group leader, who makes all the decisions, chooses the direction of movement, leads the group toward food, safeguards the group from harm, and keeps the group members together. All the other gorillas follow the orders of the silverback. Within the group, however, a blackback or other males may challenge and even take over the role of the silverback as it ages and weakens. The algorithm applies either the Follow the Silverback or the Competition for Adult Females mechanism, depending on the control parameter . Specifically, when , the gorillas follow the silverback; otherwise, competition for adult females occurs.
Following the silverback.
When they are young, the silverback and the other gorillas perform their duties effectively, with the males following the leader readily. Each member is also able to influence the others, as formulated mathematically below:
28
Here, is the position vector of the silverback (the best solution found so far).
29
30
is the total number of gorillas and is each gorilla’s position vector at iteration .
Competing for adult females.
A key maturity stage for young gorillas is competing with other males for females, often involving intense, multi-day rivalry that affects the whole group.
31
32
33
34
is the force effect and is a random variable in . is a coefficient vector that quantifies the severity of conflict in terms of a given parameter and . The parameter mimics the way violence constrains the solution boundary through a threshold of : if , it is assigned random values based on the problem dimensions and a normal distribution; otherwise, takes a single random value from the normal distribution.
Fig. 3-AII
The flowchart of the GTO model
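The two GTO phases described above (the three exploration operators, the greedy group-formation step, and the follow-the-silverback and competition operators), as an added example that is not code from the paper or from the GTO authors. The operators are written from the standard GTO formulation of Abdollahzadeh et al. [54] and are assumed here because the appendix equations are not reproduced on this page; the sphere objective is a constructed stand-in for the cross-validated HGBC fitness that the HGGT hybrid would evaluate, and p = 0.03, beta = 3 and w = 0.8 are the defaults of the original GTO paper as assumed here.

```python
import math
import random

# Added example, not the paper's code: a compact Gorilla Troops Optimizer (GTO)
# written from the standard formulation (Abdollahzadeh et al., 2021). The
# operators are assumed, since the appendix equations are not reproduced here.


def _clip(pos, lb, ub):
    """Keep every coordinate inside the search box [lb, ub]."""
    return [min(max(v, lb), ub) for v in pos]


def gto_minimize(fitness, dim, lb, ub, n_troop=30, max_iter=300,
                 p=0.03, beta=3.0, w=0.8, seed=0):
    """Minimise fitness over [lb, ub]^dim; returns (silverback, its fitness, history)."""
    rng = random.Random(seed)
    X = [[rng.uniform(lb, ub) for _ in range(dim)] for _ in range(n_troop)]
    fit = [fitness(x) for x in X]

    def accept(GX):
        # Group formation: a gorilla keeps its new position only if it is fitter,
        # and the fittest gorilla becomes the silverback.
        for i in range(n_troop):
            f = fitness(GX[i])
            if f < fit[i]:
                X[i], fit[i] = GX[i], f
        sb = min(range(n_troop), key=fit.__getitem__)
        return X[sb][:], fit[sb]

    sb = min(range(n_troop), key=fit.__getitem__)
    silverback, sb_fit = X[sb][:], fit[sb]
    history = [sb_fit]

    for it in range(max_iter):
        # C = F * (1 - it / max_iter) with F = cos(2 r4) + 1; L = C * l, l in [-1, 1]
        C = (math.cos(2.0 * rng.random()) + 1.0) * (1.0 - it / max_iter)
        L = C * rng.uniform(-1.0, 1.0)

        # Exploration phase: one of three operators is chosen per gorilla.
        GX = []
        for i in range(n_troop):
            r = rng.random()
            if r < p:  # migrate to an unknown location
                gx = [rng.uniform(lb, ub) for _ in range(dim)]
            elif r >= 0.5:  # move towards another gorilla; H = Z * X, Z in [-C, C]
                xr = X[rng.randrange(n_troop)]
                gx = [(rng.random() - C) * xr[d] + L * rng.uniform(-C, C) * X[i][d]
                      for d in range(dim)]
            else:  # migrate to a known location, pulled by two random gorillas
                xr1, xr2 = X[rng.randrange(n_troop)], X[rng.randrange(n_troop)]
                gx = [X[i][d] - L * (L * (X[i][d] - xr1[d])
                                     + rng.random() * (X[i][d] - xr2[d]))
                      for d in range(dim)]
            GX.append(_clip(gx, lb, ub))
        silverback, sb_fit = accept(GX)

        # Exploitation phase: follow the silverback when C >= w, else compete.
        GX = []
        if C >= w:
            # M = (|mean position|^g)^(1/g) with g = 2^L, which reduces to |mean|
            M = [abs(sum(X[i][d] for i in range(n_troop)) / n_troop)
                 for d in range(dim)]
            for i in range(n_troop):
                gx = [L * M[d] * (X[i][d] - silverback[d]) + X[i][d]
                      for d in range(dim)]
                GX.append(_clip(gx, lb, ub))
        else:
            for i in range(n_troop):
                Q = 2.0 * rng.random() - 1.0  # impact force
                if rng.random() >= 0.5:       # E ~ N1: one normal draw per dimension
                    E = [rng.gauss(0.0, 1.0) for _ in range(dim)]
                else:                         # E ~ N2: a single shared normal draw
                    E = [rng.gauss(0.0, 1.0)] * dim
                gx = [silverback[d] - (silverback[d] * Q - X[i][d] * Q) * beta * E[d]
                      for d in range(dim)]
                GX.append(_clip(gx, lb, ub))
        silverback, sb_fit = accept(GX)
        history.append(sb_fit)
    return silverback, sb_fit, history


def sphere(pos):
    """Constructed test objective with its minimum (0) at the origin."""
    return sum(v * v for v in pos)


if __name__ == "__main__":
    best, f, hist = gto_minimize(sphere, 5, -10.0, 10.0, seed=3)
    print(f"initial best {hist[0]:.3f}, final best {f:.3e} after {len(hist) - 1} iterations")
```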
Acknowledgements
I would like to take this opportunity to acknowledge that there are no individuals or organizations that require acknowledgment for their contributions to this work.
Author contributions
Kun Zhang: Supervision, Conceptualization, Project administration, Writing – Reviewing and Editing, Funding acquisition. Yetong Wang: Methodology, Investigation, Validation, Writing – Reviewing and Editing. Uzair Aslam Bhatti: Software, Data curation, Formal analysis, Writing – Reviewing and Editing. Yu Zhou: Resources, Visualization, Writing – Reviewing and Editing. Ming Jin: Data curation, Investigation, Writing – Original draft preparation, Writing – Reviewing and Editing.
Funding
This work was supported by the Hainan Province Science and Technology Special Fund (Fund No. ZDYF2024GXJS034, ZDYF2021GXJS032); Hainan Engineering Research Center for Virtual Reality Technology and Systems (Fund No. Qiong fa Gai gao ji [2023] 818); Hainan Engineering Research Center for Smart Education Technology (Fund No. Qiong fa Gai gao ji [2023] 818); the Innovation Platform for Academicians of Hainan Province (Fund No. YSPTZX202036); the Sanya Science and Technology Special Fund (Fund No. 2022KJCX30).
Data availability
No datasets were generated or analysed during the current study.
Declarations
Ethical approval
The research paper has received ethical approval from the institutional review board, ensuring the protection of participants’ rights and compliance with the relevant ethical guidelines.
Competing interests
The authors declare no competing interests.
Publisher’s note
Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.
References
1. Malik S, Shanmugam B, Kannorpatti K, Azam S. Critical feature selection for machine learning approaches to detect ransomware. Int J Comput Digit Syst. 2022;11(1).
2. Alqahtani A, Sheldon FT. A survey of crypto ransomware attack detection methodologies: an evolving outlook. Sensors. 2022;22.
3. Tang F, Ma B, Li J, Zhang F, Su J, Ma J. RansomSpector: an introspection-based approach to detect crypto ransomware. Comput Secur. 2020;97:101997. https://dx.doi.org/10.1016/j.cose.2020.101997
4. Pestovska Z. Changes in the financial services market under the influence of AI. Artificial Intelligence as a basis for the development of the digital economy. 2021;85.
5. Gupta A, Sharma V, Srivastava R. BISRAC Banking Information Security Risk Assessment and Compliance Model. In: 2021 3rd International Conference on Advances in Computing, Communication Control and Networking (ICAC3N). IEEE; 2021. pp. 1447–52.
6. Urooj U, Al-rimy BAS, Zainal A, Ghaleb FA, Rassam MA. Ransomware detection using the dynamic analysis and machine learning: a survey and research directions. Appl Sci. 2021;12.
7. Horduna M, Lăzărescu SM, Simion E. A note on machine learning applied in ransomware detection. Cryptol ePrint Archive. 2023.
8. Smith D, Khorsandroo S, Roy K. Machine learning algorithms and frameworks in ransomware detection. IEEE Access. 2022;10:117597–610. https://dx.doi.org/10.1109/ACCESS.2022.3218779
9. Cohen A, Nissim N. Trusted detection of ransomware in a private cloud using machine learning methods leveraging meta-features from volatile memory. Expert Syst Appl. 2018;102:158–78. https://dx.doi.org/10.1016/j.eswa.2018.02.039
10. Bae SI, Lee GB, Im EG. Ransomware detection using machine learning algorithms. Concurr Comput. 2020;32.
11. Kapoor A, Gupta A, Gupta R, Tanwar S, Sharma G, Davidson IE. Ransomware detection, avoidance, and mitigation scheme: a review and future directions. Sustainability. 2021;14.
12. Al-Fawa’reh M, Ashi Z, Jafar MT. Detecting malicious DNS queries over encrypted tunnels using statistical analysis and bi-directional recurrent neural networks. Karbala Int J Mod Sci. 2021;7.
13. Fernando DW, Komninos N, Chen T. A study on the evolution of ransomware detection using machine learning and deep learning techniques. IoT. 2020;1.
14. Hsu CM, Yang CC, Cheng HH, Setiasabda PE, Leu JS. Enhancing file entropy analysis to improve machine learning detection rate of ransomware. IEEE Access. 2021;9:138345–51. https://dx.doi.org/10.1109/ACCESS.2021.3114148
15. Yamany B, Elsayed MS, Jurcut AD, Abdelbaki N, Azer MA. A new scheme for ransomware classification and clustering using static features. Electron (Basel). 2022;11.
16. Adamu U, Awan I. Ransomware prediction using supervised learning algorithms. In: 2019 7th International Conference on Future Internet of Things and Cloud (FiCloud). IEEE; 2019. pp. 57–63.
17. El Emary IMM, Yaghi KA. Machine learning classifier algorithms for ransomware LockBit prediction. J Appl Data Sci. 2024;5.
18. Savage K, Coogan P, Lau H. The evolution of ransomware. Mountain View: Symantec; 2015.
19. Malik V, Khanna A, Sharma N. Trends in ransomware attacks: analysis and future predictions. Int J Global Innovations Solutions (IJGIS). 2024.
20. Warkentin N, Zhang Y, Frank R. The business of ransomware and its effects on business. J Cyber Secur Technol. 2025;1–31.
21. El-Kenawy ESM, Zerouali B, Bailek N, Bouchouich K, Hassan MA, Almorox J, et al. Improved weighted ensemble learning for predicting the daily reference evapotranspiration under the semi-arid climate conditions. Environ Sci Pollut Res. 2022;29.
22. Mizdrakovic V, Kljajic M, Zivkovic M, Bacanin N, Jovanovic L, Deveci M, et al. Forecasting bitcoin: decomposition aided long short-term memory based time series modeling and its explanation with Shapley values. Knowl Based Syst. 2024;299:112026. https://dx.doi.org/10.1016/j.knosys.2024.112026
23. Mohamed A, Mahmood S. K-nearest neighbors approach to analyze and predict air quality in Delhi. J Artif Intell Metaheuristics. 2025:34–43.
24. El-Kenawy EM. A review of machine learning models for predicting air quality in urban areas. Metaheuristic Optim Rev. 2025;3.
25. Samee NA, El-Kenawy ESM, Atteia G, Jamjoom MM, Ibrahim A, Abdelhamid AA, et al. Metaheuristic optimization through deep learning classification of COVID-19 in chest X-ray images. Computers Mater Continua. 2022;73(2).
26. El-Kenawy ESM, Khodadadi N, Mirjalili S, Abdelhamid AA, Eid MM, Ibrahim A. Greylag goose optimization: nature-inspired optimization algorithm. Expert Syst Appl. 2024;238:122147. https://dx.doi.org/10.1016/j.eswa.2023.122147
27. Bacanin N, Jovanovic L, Zivkovic M, Zivkovic T, Bisevac P, Dobrojevic M, et al. Parkinson’s disease detection with deep long short-term memory networks optimized by modified metaheuristic algorithm. In: Collective intelligence. CRC; 2024. pp. 204–29.
28. Elshewey AM, Abed AH, Khafaga DS, Alhussan AA, Eid MM, El-Kenawy ESM. Enhancing heart disease classification based on Greylag goose optimization algorithm and long short-term memory. Sci Rep. 2025;15.
29. Tarek Z, Alhussan AA, Khafaga DS, El-Kenawy ESM, Elshewey AM. A snake optimization algorithm-based feature selection framework for rapid detection of cardiovascular disease in its early stages. Biomed Signal Process Control. 2025;102:107417. https://dx.doi.org/10.1016/j.bspc.2024.107417
30. Elshewey AM, Alhussan AA, Khafaga DS, Elkenawy ESM, Tarek Z. EEG-based optimization of eye state classification using modified-BER metaheuristic algorithm. Sci Rep. 2024;14.
31. Elshewey AM, Osman AM. Orthopedic disease classification based on breadth-first search algorithm. Sci Rep. 2024;14.
32. El-Rashidy N, Tarek Z, Elshewey AM, Shams MY. Multitask multilayer-prediction model for predicting mechanical ventilation and the associated mortality rate. Neural Comput Appl. 2025;37.
33. Wa Nkongolo MN. RFSA: a ransomware feature selection algorithm for multivariate analysis of malware behavior in cryptocurrency. 2024.
34. Davies SR, Macfarlane R, Buchanan WJ. Differential area analysis for ransomware attack detection within mixed file datasets. Comput Secur. 2021;108:102377. Available from: https://www.sciencedirect.com/science/article/pii/S0167404821002017
35. Gurukala NKY, Verma DK. Feature selection using particle swarm optimization and ensemble-based machine learning models for ransomware detection. SN Comput Sci. 2024;5.
36. Mowri RA, Siddula M, Roy K. A comparative performance analysis of explainable machine learning models with and without RFECV feature selection technique towards ransomware classification. arXiv preprint arXiv:2212.04864. 2022.
37. Fernando DW, Komninos N. FeSA: feature selection architecture for ransomware detection under concept drift. Comput Secur. 2022;116:102659. https://dx.doi.org/10.1016/j.cose.2022.102659
38. Li J, Othman MS, Chen H, Yusuf LM. Optimizing IoT intrusion detection system: feature selection versus feature extraction in machine learning. J Big Data. 2024;11.
39. Salem AH, Azzam SM, Emam OE, Abohany AA. Advancing cybersecurity: a comprehensive review of AI-driven detection techniques. J Big Data. 2024;11(1):105. Available from: https://doi.org/10.1186/s40537-024-00957-y
40. Nkongolo M, Tokmak M. Ransomware detection using stacked autoencoder for feature selection. arXiv preprint arXiv:2402.11342. 2024.
41. Li G, Wang S, Chen Y, Zhou J, Zhao Q. A hybrid framework for ransomware detection using deep learning and Monte Carlo tree search. 2024.
42. Alohali MA, Elsadig M, Al-Wesabi FN, Al Duhayyim M, Hilal AM, Motwakel A. Optimal deep learning based ransomware detection and classification in the internet of things environment. Comput Syst Sci Eng. 2023;46(3).
43. UGRansome dataset [Internet]. Available from: https://www.kaggle.com/datasets/nkongolo/ugransome-dataset
44. Zahra SR. UGRansome: optimal approach for anomaly intrusion detection and zero-day threats using cloud environment.
45. Igugu A. Evaluating the effectiveness of AI and machine learning techniques for zero-day attacks detection in cloud environments. 2024.
46. Su R. Generative mathematical models for ransomware attack prediction using chi-square feature selection for enhanced accuracy. Signal Image Video Process. 2025;19.
47. Rios-Ochoa E, Pérez-Díaz JA, Garcia-Ceja E, Rodriguez-Hernandez G. Ransomware family attribution with ML: a comprehensive evaluation of datasets quality, models comparison and a simulated deployment. IEEE Access. 2025.
48. Torky B. Ensemble methods for the anomaly detection in enterprise systems. 2023.
49. Mondal S, Ghosh S, Nag A. Brain stroke prediction model based on boosting and stacking ensemble approach. Int J Inform Technol. 2024;16.
50. Gandomi AH, Yang XS, Talatahari S, Alavi AH. Metaheuristic algorithms. In: Metaheuristic applications in structures and infrastructures. Elsevier Waltham; 2013. pp. 1–24.
51. Benaissa B, Kobayashi M, Al Ali M, Khatir T, Elmeliani MEAE. Metaheuristic optimization algorithms: an overview. HCMCOU J Science–Advances Comput Struct. 2024;33–61.
52. Das AK, Pratihar DK. A new bonobo optimizer (BO) for real-parameter optimization. In: 2019 IEEE Region 10 Symposium (TENSYMP). IEEE; 2019. pp. 108–13.
53. Kaur S, Awasthi LK, Sangal AL, Dhiman G. Tunicate swarm algorithm: a new bio-inspired based metaheuristic paradigm for global optimization. Eng Appl Artif Intell. 2020;90:103541. https://dx.doi.org/10.1016/j.engappai.2020.103541
54. Abdollahzadeh B, Soleimanian Gharehchopogh F, Mirjalili S. Artificial gorilla troops optimizer: a new nature-inspired metaheuristic algorithm for global optimization problems. Int J Intell Syst. 2021;36.
55. Wang Y, Xu S. 28-day compressive strength prediction utilizing a radial basis function model incorporating meta-heuristic algorithms. Multiscale Multidisciplinary Model Experiments Des. 2024;7.
56. Zheng R, Hussien AG, Bouaouda A, Zhong R, Hu G. A comprehensive review of the tunicate swarm algorithm: variations, applications, and results. Arch Comput Methods Eng. 2025;1–70.
57. Zhang H, Razmjooy N. Optimal Elman neural network based on improved gorilla troops optimizer for short-term electricity price prediction. J Electr Eng Technol. 2024;19.
58. Bichri H, Chergui A, Hain M. Investigating the impact of train/test split ratio on the performance of pre-trained models with custom datasets. Int J Adv Comput Sci Appl. 2024;15(2).
59. Tamilarasi P, Rani RU. Diagnosis of crime rate against women using k-fold cross validation through machine learning. In: 2020 Fourth International Conference on Computing Methodologies and Communication (ICCMC). IEEE; 2020. pp. 1034–8.
60. Marcot BG, Hanea AM. What is an optimal value of k in k-fold cross-validation in discrete Bayesian network analysis? Comput Stat. 2021;36.
61. Van Stein B, Raponi E, Sadeghi Z, Bouman N, Van Ham RCHJ, Bäck T. A comparison of global sensitivity analysis methods for explainable AI with an application in genomic prediction. IEEE Access. 2022;10:103364–81. https://dx.doi.org/10.1109/ACCESS.2022.3210175
62. Iooss B, Lemaître P. A review on global sensitivity analysis methods. In: Uncertainty Management in Simulation-Optimization of Complex Systems: Algorithms and Applications. 2015;101:22.
63. Granados GE, Miorelli R, Gatti F, Clouteau D. A deep learning framework for efficient global sensitivity analysis and SHAP values calculations applied to eddy current testing problems. In: 50th Annual Review of Progress in Quantitative Nondestructive Evaluation. American Society of Mechanical Engineers; 2023. p. V001T10A001.
64. Derrac J, García S, Molina D, Herrera F. A practical tutorial on the use of nonparametric statistical tests as a methodology for comparing evolutionary and swarm intelligence algorithms. Swarm Evol Comput. 2011;1(1):3–18. Available from: https://www.sciencedirect.com/science/article/pii/S2210650211000034
65. Flores BE. The utilization of the Wilcoxon test to compare forecasting methods: a note. Int J Forecast. 1989;5.
66. Biju VG, Prashanth CM. Friedman and Wilcoxon evaluations comparing SVM, bagging, boosting, K-NN and decision tree classifiers. J Appl Comput Sci Methods. 2017;9:23–47. https://dx.doi.org/10.1515/jacsm-2017-0002
67. Zhang H, Xiao X, Mercaldo F, Ni S, Martinelli F, Sangaiah AK. Classification of ransomware families with machine learning based on N-gram of opcodes. Future Generation Comput Syst. 2019;90:211–21. https://dx.doi.org/10.1016/j.future.2018.07.052
68. Das AK, Pratihar DK. Optimal preventive maintenance interval for a crankshaft balancing machine under reliability constraint using Bonobo Optimizer. In: Advances in Mechanism and Machine Science: Proceedings of the 15th IFToMM World Congress on Mechanism and Machine Science 15. Springer; 2019. pp. 1659–68.
69. Farh HMH, Al-Shamma’a AA, Al-Shaalan AM, Alkuhayli A, Noman AM, Kandil T. Technical and economic evaluation for off-grid hybrid renewable energy system using novel Bonobo optimizer. Sustainability. 2022;14:1533.
70. Farh HMH, Al-Shamma’a AA, Al-Shaalan AM, Alkuhayli A, Noman AM, Kandil T. Technical and economic evaluation for off-grid hybrid renewable energy system using novel Bonobo optimizer. Sustainability. 2022;14.
71. Smith JE, von Rueden CR, van Vugt M, Fichtel C, Kappeler PM. An evolutionary explanation for the female leadership paradox. Front Ecol Evol. 2021;9:676805. https://dx.doi.org/10.3389/fevo.2021.676805
72. Das AK, Nikum AK, Krishnan SV, Pratihar DK. Multi-objective Bonobo optimizer (MOBO): an intelligent heuristic for multi-criteria optimization. Knowl Inf Syst. 2020;62.
73. Sharma A, Dasgotra A, Tiwari SK, Sharma A, Jately V, Azzopardi B. Parameter extraction of photovoltaic module using tunicate swarm algorithm. Electron (Basel). 2021;10.
© The Author(s) 2025. This work is published under http://creativecommons.org/licenses/by-nc-nd/4.0/ (the “License”).