{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,4,1]],"date-time":"2026-04-01T16:14:11Z","timestamp":1775060051813,"version":"3.50.1"},"reference-count":52,"publisher":"Elsevier BV","license":[{"start":{"date-parts":[[2026,8,1]],"date-time":"2026-08-01T00:00:00Z","timestamp":1785542400000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/www.elsevier.com\/tdm\/userlicense\/1.0\/"},{"start":{"date-parts":[[2026,8,1]],"date-time":"2026-08-01T00:00:00Z","timestamp":1785542400000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/www.elsevier.com\/legal\/tdmrep-license"},{"start":{"date-parts":[[2026,8,1]],"date-time":"2026-08-01T00:00:00Z","timestamp":1785542400000},"content-version":"stm-asf","delay-in-days":0,"URL":"https:\/\/doi.org\/10.15223\/policy-017"},{"start":{"date-parts":[[2026,8,1]],"date-time":"2026-08-01T00:00:00Z","timestamp":1785542400000},"content-version":"stm-asf","delay-in-days":0,"URL":"https:\/\/doi.org\/10.15223\/policy-037"},{"start":{"date-parts":[[2026,8,1]],"date-time":"2026-08-01T00:00:00Z","timestamp":1785542400000},"content-version":"stm-asf","delay-in-days":0,"URL":"https:\/\/doi.org\/10.15223\/policy-012"},{"start":{"date-parts":[[2026,8,1]],"date-time":"2026-08-01T00:00:00Z","timestamp":1785542400000},"content-version":"stm-asf","delay-in-days":0,"URL":"https:\/\/doi.org\/10.15223\/policy-029"},{"start":{"date-parts":[[2026,8,1]],"date-time":"2026-08-01T00:00:00Z","timestamp":1785542400000},"content-version":"stm-asf","delay-in-days":0,"URL":"https:\/\/doi.org\/10.15223\/policy-004"}],"content-domain":{"domain":["elsevier.com","sciencedirect.com"],"crossmark-restriction":true},"short-container-title":["Computers & Security"],"published-print":{"date-parts":[[2026,8]]},"DOI":"10.1016\/j.cose.2026.104909","type":"journal-article","created":{"date-parts":[[2026,3,26]],"date-time":"2026-03-26T00:54:59Z","timestamp":1774486499000},"page":"104909","update-policy":"https:\/\/doi.org\/10.1016\/elsevier_cm_policy","source":"Crossref","is-referenced-by-count":0,"special_numbering":"C","title":["RanDS: A large-Scale open dataset of raw binaries and extracted features for ransomware research"],"prefix":"10.1016","volume":"167","author":[{"ORCID":"https:\/\/orcid.org\/0000-0001-8380-2487","authenticated-orcid":false,"given":"Saleh","family":"Alzahrani","sequence":"first","affiliation":[]},{"ORCID":"https:\/\/orcid.org\/0000-0001-8549-6794","authenticated-orcid":false,"given":"Yang","family":"Xiao","sequence":"additional","affiliation":[]},{"ORCID":"https:\/\/orcid.org\/0000-0002-7405-7646","authenticated-orcid":false,"given":"Sultan","family":"Asiri","sequence":"additional","affiliation":[]}],"member":"78","reference":[{"key":"10.1016\/j.cose.2026.104909_bib0001","unstructured":"Abuse.ch. Browse malware samples. Accessed: 2024-03-27. https:\/\/bazaar.abuse.ch\/browse."},{"key":"10.1016\/j.cose.2026.104909_bib0002","doi-asserted-by":"crossref","DOI":"10.1016\/j.cose.2025.104626","article-title":"How informative are cybersecurity risk disclosures? empirical analysis of firms targeted by ransomware","volume":"159","author":"Adams","year":"2025","journal-title":"Comput. Secur."},{"key":"10.1016\/j.cose.2026.104909_bib0003","series-title":"2016 13Th International Iranian Society of Cryptology Conference on Information Security and Cryptology (ISCISC)","first-page":"79","article-title":"2EntFOX: a framework for high survivable ransomwares detection","author":"Ahmadian","year":"2016"},{"key":"10.1016\/j.cose.2026.104909_bib0004","doi-asserted-by":"crossref","first-page":"166","DOI":"10.1504\/IJSNET.2025.147642","article-title":"Enhancing intrusion detection through anomaly detection and integrated deep learning with tabtransformer","volume":"48","author":"Al-Harbi","year":"2025","journal-title":"Int. J. Sens. Netw."},{"key":"10.1016\/j.cose.2026.104909_bib0005","doi-asserted-by":"crossref","DOI":"10.3390\/s23094467","article-title":"E2e-RDS: Efficient end-to-end ransomware detection system based on static-based ML and vision-based DL approaches","volume":"23","author":"Almomani","year":"2023","journal-title":"Sensors"},{"key":"10.1016\/j.cose.2026.104909_bib0006","series-title":"2021 18Th International Conference on Privacy, Security and Trust (PST)","first-page":"1","article-title":"Api-based ransomware detection using machine learning-based threat detection models","author":"Almousa","year":"2021"},{"key":"10.1016\/j.cose.2026.104909_bib0007","series-title":"Proceedings of the 2023 ACM Southeast Conference","first-page":"39-46","article-title":"Conti ransomware development evaluation","author":"Alzahrani","year":"2023"},{"issue":"7","key":"10.1016\/j.cose.2026.104909_bib0008","article-title":"Ransomformer: a cross-modal transformer architecture for ransomware detection via the fusion of byte and API features","volume":"14","author":"Alzahrani","year":"2025","journal-title":"Electronics (Basel)"},{"key":"10.1016\/j.cose.2026.104909_bib0009","doi-asserted-by":"crossref","first-page":"57943","DOI":"10.1109\/ACCESS.2025.3556187","article-title":"A survey of ransomware detection methods","volume":"13","author":"Alzahrani","year":"2025","journal-title":"IEEE Access"},{"key":"10.1016\/j.cose.2026.104909_bib0010","doi-asserted-by":"crossref","first-page":"100178","DOI":"10.1109\/ACCESS.2022.3207757","article-title":"An analysis of conti ransomware leaked source codes","volume":"10","author":"Alzahrani","year":"2022","journal-title":"IEEE Access"},{"issue":"3","key":"10.1016\/j.cose.2026.104909_bib0011","article-title":"Hiper - early detection of a ransomware attack using hardware performance counters","volume":"4","author":"Anand","year":"2023","journal-title":"Digit. Threat."},{"key":"10.1016\/j.cose.2026.104909_bib0012","unstructured":"Anderson, H. S., Roth, P., 2018. EMBER: An Open Dataset for Training Static PE Malware Machine Learning Models. ArXiv e-prints arXiv: 1804.04637."},{"key":"10.1016\/j.cose.2026.104909_bib0013","series-title":"Research in Attacks, Intrusions, and Defenses","first-page":"382","article-title":"Heldroid: dissecting and detecting mobile ransomware","author":"Andronio","year":"2015"},{"key":"10.1016\/j.cose.2026.104909_bib0014","doi-asserted-by":"crossref","first-page":"144925","DOI":"10.1109\/ACCESS.2019.2945839","article-title":"A survey on detection techniques for cryptographic ransomware","volume":"7","author":"Berrueta","year":"2019","journal-title":"IEEE Access"},{"key":"10.1016\/j.cose.2026.104909_bib0015","unstructured":"Carrera, E.. Github - erocarrera\/pefile: pefile is a python module to read and work with PE (portable executable) files. Accessed: 2025-10-02. https:\/\/github.com\/erocarrera\/pefile."},{"key":"10.1016\/j.cose.2026.104909_bib0016","doi-asserted-by":"crossref","DOI":"10.1016\/j.cose.2024.104293","article-title":"Ransoguard: a RNN-based framework leveraging pre-attack sensitive APIs for early ransomware detection","volume":"150","author":"Cen","year":"2025","journal-title":"Comput. Secur."},{"key":"10.1016\/j.cose.2026.104909_bib0017","unstructured":"CERT-EE. Github - cert-ee\/cuckoo3: Cuckoo3 is a python 3 open source automated malware analysis system. Accessed: 2025-09-30. https:\/\/github.com\/cert-ee\/cuckoo3."},{"key":"10.1016\/j.cose.2026.104909_bib0018","doi-asserted-by":"crossref","DOI":"10.1016\/j.cose.2025.104583","article-title":"Ransomware dynamics: mitigating personal data exfiltration through the SCIRAS lens","volume":"157","author":"Cevallos-Salas","year":"2025","journal-title":"Comput. Secur."},{"key":"10.1016\/j.cose.2026.104909_bib0019","doi-asserted-by":"crossref","first-page":"167","DOI":"10.1504\/IJSNET.2021.117233","article-title":"An anomaly detection method based on feature mining for wireless sensornetworks","volume":"36","author":"Ding","year":"2021","journal-title":"Int. J. Sens. Netw."},{"key":"10.1016\/j.cose.2026.104909_bib0020","doi-asserted-by":"crossref","DOI":"10.1016\/j.cose.2022.102659","article-title":"FeSA: feature selection architecture for ransomware detection under concept drift","volume":"116","author":"Fernando","year":"2022","journal-title":"Comput. Secur."},{"key":"10.1016\/j.cose.2026.104909_bib0021","doi-asserted-by":"crossref","DOI":"10.1016\/j.cose.2023.103629","article-title":"FeSAD ransomware detection framework with machine learning using adaption to concept drift","volume":"137","author":"Fernando","year":"2024","journal-title":"Comput. Secur."},{"key":"10.1016\/j.cose.2026.104909_bib0022","doi-asserted-by":"crossref","DOI":"10.1016\/j.cose.2024.104167","article-title":"Zero day ransomware detection with pulse: function classification with transformer models and assembly language","volume":"148","author":"Gaber","year":"2025","journal-title":"Comput. Secur."},{"key":"10.1016\/j.cose.2026.104909_bib0023","doi-asserted-by":"crossref","first-page":"77","DOI":"10.1007\/s11416-008-0092-2","article-title":"Comparative analysis of various ransomware virii","volume":"6","author":"Gazet","year":"2010","journal-title":"J. Comput. Virol."},{"key":"10.1016\/j.cose.2026.104909_bib0024","article-title":"The emergence of ransomware","author":"Giri","year":"2006","journal-title":"Auckland, New Zealand: AVAR"},{"key":"10.1016\/j.cose.2026.104909_bib0025","unstructured":"Harang, R. E., Rudd, E. M., 2020. SOREL-20M: A Large Scale Benchmark Dataset for Malicious PE Detection. CoRR abs\/2012.07634. arXiv: 2012.07634."},{"key":"10.1016\/j.cose.2026.104909_bib0026","doi-asserted-by":"crossref","DOI":"10.1016\/j.cose.2024.104202","article-title":"RanSMAP: open dataset of ransomware storage and memory access patterns for creating deep learning based ransomware detectors","volume":"150","author":"Hirano","year":"2025","journal-title":"Comput. Secur."},{"key":"10.1016\/j.cose.2026.104909_bib0027","unstructured":"Joyce, R. J., Raff, E., Nicholas, C., Holt, J., 2023. MalDICT: Benchmark Datasets on Malware Behaviors, Platforms, Exploitation, and Packers. arXiv: 2310.11706."},{"key":"10.1016\/j.cose.2026.104909_bib0028","unstructured":"kh4sh3i. Small collection of ransomware organized by family. Accessed: 2024-04-23. https:\/\/github.com\/kh4sh3i\/Ransomware-Samples."},{"issue":"19","key":"10.1016\/j.cose.2026.104909_bib0029","article-title":"Dwarf mongoose optimization with machine-learning-driven ransomware detection in internet of things environment","volume":"12","author":"Khalid","year":"2022","journal-title":"Appl. Sci."},{"key":"10.1016\/j.cose.2026.104909_bib0030","doi-asserted-by":"crossref","first-page":"119710","DOI":"10.1109\/ACCESS.2020.3003785","article-title":"A digital DNA sequencing engine for ransomware detection using machine learning","volume":"8","author":"Khan","year":"2020","journal-title":"IEEE Access"},{"key":"10.1016\/j.cose.2026.104909_bib0031","doi-asserted-by":"crossref","DOI":"10.1016\/j.cose.2025.104340","article-title":"How to decrypt files encrypted by rhysida ransomware without the attacker\u2019s private key","volume":"151","author":"Kim","year":"2025","journal-title":"Comput. Secur."},{"key":"10.1016\/j.cose.2026.104909_bib0032","unstructured":"Lee, A.. The portable freeware collection. Accessed: 2024-03-27. https:\/\/portablefreeware.com."},{"key":"10.1016\/j.cose.2026.104909_bib0033","doi-asserted-by":"crossref","DOI":"10.1016\/j.cose.2024.103752","article-title":"Ts-mal: malware detection model using temporal and structural features learning","volume":"140","author":"Li","year":"2024","journal-title":"Comput. Secur."},{"issue":"2","key":"10.1016\/j.cose.2026.104909_bib0034","doi-asserted-by":"crossref","first-page":"40","DOI":"10.1109\/MSP.2007.48","article-title":"Using entropy analysis to find encrypted and packed malware","volume":"5","author":"Lyda","year":"2007","journal-title":"IEEE Secur. Privacy"},{"key":"10.1016\/j.cose.2026.104909_bib0035","doi-asserted-by":"crossref","DOI":"10.1016\/j.cose.2023.103265","article-title":"Improving ransomware detection based on portable executable header using xception convolutional neural network","volume":"130","author":"Moreira","year":"2023","journal-title":"Comput. Secur."},{"key":"10.1016\/j.cose.2026.104909_bib0036","unstructured":"Ninite. Ninite - install or update multiple apps at once. Accessed: 2024-03-27. https:\/\/ninite.com."},{"issue":"8","key":"10.1016\/j.cose.2026.104909_bib0037","doi-asserted-by":"crossref","first-page":"74","DOI":"10.1145\/3582489","article-title":"A tale of two markets: investigating the ransomware payments economy","volume":"66","author":"Oosthoek","year":"2023","journal-title":"Commun. ACM"},{"key":"10.1016\/j.cose.2026.104909_bib0038","unstructured":"O\u2019Reilly, K. Github - kevoreilly\/CAPEv2: Malware configuration and payload extraction. Accessed: 2025-09-30. https:\/\/github.com\/kevoreilly\/CAPEv2."},{"key":"10.1016\/j.cose.2026.104909_bib0039","unstructured":"PortableApps.com. Portable software for USB, portable, and cloud drives. Accessed: 2024-03-27. https:\/\/portableapps.com."},{"key":"10.1016\/j.cose.2026.104909_bib0040","unstructured":"Portapps, I.. Portapps - applications. Accessed: 2024-03-27. https:\/\/portapps.io."},{"key":"10.1016\/j.cose.2026.104909_bib0041","unstructured":"Ryan Kelly, D. M.. Github - pyenchant\/pyenchant: spellchecking library for python. Accessed: 2025-10-02. https:\/\/github.com\/pyenchant\/pyenchant."},{"key":"10.1016\/j.cose.2026.104909_bib0042","series-title":"2016IEEE 36Th International Conference on Distributed Computing Systems (ICDCS)","first-page":"303","article-title":"Cryptolock (and drop it): stopping ransomware attacks on user data","author":"Scaife","year":"2016"},{"key":"10.1016\/j.cose.2026.104909_bib0043","doi-asserted-by":"crossref","first-page":"61","DOI":"10.1504\/IJSNET.2024.141771","article-title":"Machine learning-based fault detection scheme for iot-enabled WSNs","volume":"46","author":"Shakunt","year":"2024","journal-title":"Int. J. Sens. Netw."},{"key":"10.1016\/j.cose.2026.104909_bib0044","doi-asserted-by":"crossref","first-page":"36","DOI":"10.1504\/IJSNET.2021.115440","article-title":"Cnn-based anomaly detection for packet payloads ofindustrial control system","volume":"36","author":"Song","year":"2021","journal-title":"Int. J. Sens. Netw."},{"issue":"4","key":"10.1016\/j.cose.2026.104909_bib0045","doi-asserted-by":"crossref","first-page":"259","DOI":"10.1007\/s11416-011-0153-9","article-title":"Comparing files using structural entropy","volume":"7","author":"Sorokin","year":"2011","journal-title":"J. Comput. Virol."},{"key":"10.1016\/j.cose.2026.104909_bib0046","series-title":"Technical Report 2022","article-title":"Crypto Crime Trends for 2022: Illicit Transaction Activity Reaches All-Time High in Value, All-Time Low in Share of All Cryptocurrency Activity","year":"2022"},{"key":"10.1016\/j.cose.2026.104909_bib0047","unstructured":"underground, vx., vx-underground. Accessed: 2024-04-23. https:\/\/vx-underground.org\/Samples."},{"key":"10.1016\/j.cose.2026.104909_bib0048","unstructured":"VirusShare, 2023. Virusshare malware samples. Accessed: 2023-10-22. https:\/\/virusshare.com."},{"key":"10.1016\/j.cose.2026.104909_bib0049","unstructured":"VirusTotal. Virustotal - home. Accessed: 2024-03-27. https:\/\/www.virustotal.com."},{"key":"10.1016\/j.cose.2026.104909_bib0050","unstructured":"Weber, N.. Github - nico\/demumble: A better c++filt and a better undname.exe, in one binary. Accessed: 2025-10-02. https:\/\/github.com\/nico\/demumble."},{"key":"10.1016\/j.cose.2026.104909_bib0051","series-title":"Proceedings 1996IEEE Symposium on Security and Privacy","first-page":"129","article-title":"Cryptovirology: extortion-based security threats and countermeasures","author":"Young","year":"1996"},{"key":"10.1016\/j.cose.2026.104909_bib0052","doi-asserted-by":"crossref","DOI":"10.1016\/j.cose.2021.102388","article-title":"Avaddon ransomware: an in-depth analysis and decryption of infected systems","volume":"109","author":"Yuste","year":"2021","journal-title":"Comput. Secur."}],"container-title":["Computers & Security"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/api.elsevier.com\/content\/article\/PII:S0167404826000854?httpAccept=text\/xml","content-type":"text\/xml","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/api.elsevier.com\/content\/article\/PII:S0167404826000854?httpAccept=text\/plain","content-type":"text\/plain","content-version":"vor","intended-application":"text-mining"}],"deposited":{"date-parts":[[2026,4,1]],"date-time":"2026-04-01T14:26:52Z","timestamp":1775053612000},"score":1,"resource":{"primary":{"URL":"https:\/\/linkinghub.elsevier.com\/retrieve\/pii\/S0167404826000854"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2026,8]]},"references-count":52,"alternative-id":["S0167404826000854"],"URL":"https:\/\/doi.org\/10.1016\/j.cose.2026.104909","relation":{},"ISSN":["0167-4048"],"issn-type":[{"value":"0167-4048","type":"print"}],"subject":[],"published":{"date-parts":[[2026,8]]},"assertion":[{"value":"Elsevier","name":"publisher","label":"This article is maintained by"},{"value":"RanDS: A large-Scale open dataset of raw binaries and extracted features for ransomware research","name":"articletitle","label":"Article Title"},{"value":"Computers & Security","name":"journaltitle","label":"Journal Title"},{"value":"https:\/\/doi.org\/10.1016\/j.cose.2026.104909","name":"articlelink","label":"CrossRef DOI link to publisher maintained version"},{"value":"article","name":"content_type","label":"Content Type"},{"value":"\u00a9 2026 Elsevier Ltd. All rights are reserved, including those for text and data mining, AI training, and similar technologies.","name":"copyright","label":"Copyright"}],"article-number":"104909"}}