Ransomware is malware that encrypts a victim's files and demands payment, typically in cryptocurrencies, to restore access. The global spread of ransomware attacks underscores the need for automatic detection systems. Signature‐based antivirus tools cannot identify novel ransomware strains, while machine learning (ML) and deep learning (DL) models offer promise because they learn data patterns and generalize to new unseen samples. However, the choice of model architecture remains an open question: do classical ML methods suffice or do DL methods bring a considerable performance increase for static malware analysis? In this paper, we benchmark three classic algorithms (Logistic Regression, Random Forest and XGBoost) and two deep architectures (Multi‑Layer Perceptron and TabNet) on the Windows Portable Executable (PE) ransomware detection dataset from Kaggle. We perform comprehensive data preprocessing, 5‑fold stratified cross‑validation, and compute performance metrics like accuracy, precision, recall, F1 score, area under the ROC curve (AUC), and Matthews correlation coefficient (MCC). We further examine the feature importance, plot receiver operating characteristic (ROC) curves, and discuss the computational expense and interpretability of each method. Our experiments show that tree ensemble methods (Random Forest and XGBoost) achieve near‑perfect detection with very low false positives and negatives, outperforming Logistic Regression and MLP. Deep models offer no significant advantages for this tabular data set but with higher computational expense. We discuss the implications of these results for ransomware defense in practice and propose directions for future research.
Wadho et al. (Wed,) studied this question.