Cybercriminals use advanced techniques to launch an attack against organizations, which causes disruption of normal business activities. The traditional signature-based malware detection methods are not effective in the detection of ransomware. Therefore, the use of machine learning and deep learning for malware detection is becoming a major area of research. There are two types of malware detection strategies, namely, static and dynamic. This work investigates the task-dependent effectiveness of static PE header-based detection by systematically evaluating three binary classification problems of increasing difficulty: ransomware vs. benign, malware vs. benign, and ransomware vs. other malware families. An end-to-end machine learning pipeline is implemented, including dataset-specific preprocessing, class imbalance handling, model training, and evaluation using imbalance-aware metrics. Random Forest, Support Vector Machine, and XGBoost models are assessed across all tasks, with SHAP used to analyze feature contribution and explain performance degradation. The experimental results demonstrate that tree-based ensemble models, particularly XGBoost, achieve strong detection performance when class boundaries are structurally distinct, but they struggle when ransomware must be distinguished from structurally similar malware. The results indicate that static analysis based on PE header features can be a viable approach for pre-execution triage, but they exhibit clear limitations for fine-grained ransomware discrimination.
Barnes et al. (Wed,) studied this question.