To address the growing prevalence of ransomware evasion attacks and the difficulty of detecting novel variants, this paper proposes Minerva—the first file-behavior-level ransomware detection system explicitly designed for evasion resistance. Methodologically, Minerva introduces (1) a novel adversarially robust file I/O sequence modeling framework, engineered from the ground up to withstand evasion attacks; (2) a lightweight temporal feature extraction module integrated with perturbation-resilient feature selection, enabling zero-shot generalization to unseen ransomware families; and (3) a low-latency streaming detection engine. Evaluated across diverse, realistic test sets, Minerva achieves >99% detection accuracy, identifies 99% of ransomware samples within ≤0.52 seconds, and triggers near-zero-overhead data loss prevention responses upon detection.

Ransomware attacks have caused billions of dollars in damages in recent years, and are expected to cause billions more in the future. Consequently, significant effort has been devoted to ransomware detection and mitigation. Behavioral-based ransomware detection approaches have garnered considerable attention recently. These behavioral detectors typically rely on process-based behavioral profiles to identify malicious behaviors. However, with an increasing body of literature highlighting the vulnerability of such approaches to evasion attacks, a comprehensive solution to the ransomware problem remains elusive. This paper presents Minerva, a novel, robust approach to ransomware detection. Minerva is engineered to be robust by design against evasion attacks, with architectural and feature selection choices informed by their resilience to adversarial manipulation. We conduct a comprehensive analysis of Minerva across a diverse spectrum of ransomware types, encompassing unseen ransomware as well as variants designed specifically to evade Minerva. Our evaluation showcases the ability of Minerva to accurately identify ransomware, generalize to unseen threats, and withstand evasion attacks. Furthermore, over 99% of detected ransomware are identified within 0.52sec of activity, enabling the adoption of data loss prevention techniques with near-zero overhead.