{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,7,13]],"date-time":"2026-07-13T18:04:30Z","timestamp":1783965870595,"version":"3.55.0"},"reference-count":68,"publisher":"Elsevier BV","license":[{"start":{"date-parts":[[2026,11,1]],"date-time":"2026-11-01T00:00:00Z","timestamp":1793491200000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/www.elsevier.com\/tdm\/userlicense\/1.0\/"},{"start":{"date-parts":[[2026,11,1]],"date-time":"2026-11-01T00:00:00Z","timestamp":1793491200000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/www.elsevier.com\/legal\/tdmrep-license"},{"start":{"date-parts":[[2026,6,29]],"date-time":"2026-06-29T00:00:00Z","timestamp":1782691200000},"content-version":"vor","delay-in-days":0,"URL":"http:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"funder":[{"DOI":"10.13039\/501100005969","name":"Universit\u00e0 di Bologna","doi-asserted-by":"publisher","id":[{"id":"10.13039\/501100005969","id-type":"DOI","asserted-by":"publisher"}]},{"DOI":"10.13039\/100021015","name":"Agenzia Regionale per la Prevenzione, l'Ambiente e l'Energia dell'Emilia Romagna","doi-asserted-by":"publisher","id":[{"id":"10.13039\/100021015","id-type":"DOI","asserted-by":"publisher"}]},{"DOI":"10.13039\/501100009879","name":"Regione Emilia-Romagna","doi-asserted-by":"publisher","award":["E37G22000490007"],"award-info":[{"award-number":["E37G22000490007"]}],"id":[{"id":"10.13039\/501100009879","id-type":"DOI","asserted-by":"publisher"}]}],"content-domain":{"domain":["elsevier.com","sciencedirect.com"],"crossmark-restriction":true},"short-container-title":["Computers &amp; Security"],"published-print":{"date-parts":[[2026,11]]},"DOI":"10.1016\/j.cose.2026.105032","type":"journal-article","created":{"date-parts":[[2026,6,29]],"date-time":"2026-06-29T16:05:05Z","timestamp":1782749105000},"page":"105032","update-policy":"https:\/\/doi.org\/10.1016\/elsevier_cm_policy","source":"Crossref","is-referenced-by-count":0,"special_numbering":"C","title":["SAFARI: A Scalable Air-gapped Framework for Automated Ransomware Investigation"],"prefix":"10.1016","volume":"170","author":[{"given":"Tommaso","family":"Compagnucci","sequence":"first","affiliation":[],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-3658-6395","authenticated-orcid":false,"given":"Saverio","family":"Giallorenzo","sequence":"additional","affiliation":[],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-0101-2551","authenticated-orcid":false,"given":"Andrea","family":"Melis","sequence":"additional","affiliation":[],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-9535-8747","authenticated-orcid":false,"given":"Simone","family":"Melloni","sequence":"additional","affiliation":[],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-3962-5513","authenticated-orcid":false,"given":"Marco","family":"Prandini","sequence":"additional","affiliation":[],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Alessandro","family":"Vannini","sequence":"additional","affiliation":[],"role":[{"vocabulary":"crossref","role":"author"}]}],"member":"78","reference":[{"issue":"1","key":"10.1016\/j.cose.2026.105032_b1","doi-asserted-by":"crossref","first-page":"189","DOI":"10.3390\/s24010189","article-title":"Android ransomware detection using supervised machine learning techniques based on traffic analysis","volume":"24","author":"Ahmed","year":"2024","journal-title":"Sensors"},{"key":"10.1016\/j.cose.2026.105032_b2","doi-asserted-by":"crossref","first-page":"144","DOI":"10.1016\/j.cose.2018.01.001","article-title":"Ransomware threat success factors, taxonomy, and countermeasures: A survey and research directions","volume":"74","author":"Al-rimy","year":"2018","journal-title":"Comput. Secur."},{"key":"10.1016\/j.cose.2026.105032_b3","series-title":"AWS Cloud Development Kit (CDK) documentation","author":"Amazon Web Services","year":"2024"},{"key":"10.1016\/j.cose.2026.105032_b4","series-title":"AWS CloudFormation user guide","author":"Amazon Web Services","year":"2024"},{"key":"10.1016\/j.cose.2026.105032_b5","series-title":"2020 International Conference on Cyber Security and Protection of Digital Services","first-page":"1","article-title":"Memory forensics against ransomware","author":"Bajpai","year":"2020"},{"key":"10.1016\/j.cose.2026.105032_b6","doi-asserted-by":"crossref","DOI":"10.1016\/j.cose.2021.102490","article-title":"Ransomware: Recent advances, analysis, challenges and future research directions","volume":"111","author":"Beaman","year":"2021","journal-title":"Comput. Secur."},{"key":"10.1016\/j.cose.2026.105032_b7","doi-asserted-by":"crossref","DOI":"10.1016\/j.cose.2023.103295","article-title":"Data flooding against ransomware: Concepts and implementations","author":"Berardi","year":"2023","journal-title":"Comput. Secur."},{"key":"10.1016\/j.cose.2026.105032_b8","doi-asserted-by":"crossref","DOI":"10.1016\/j.softx.2023.101605","article-title":"Ranflood: A mitigation tool based on the principles of data flooding against ransomware","volume":"25","author":"Berardi","year":"2024","journal-title":"SoftwareX"},{"issue":"6","key":"10.1016\/j.cose.2026.105032_b9","doi-asserted-by":"crossref","first-page":"158","DOI":"10.1007\/s10664-025-10713-2","article-title":"Investigating operational technology attacks as code","volume":"30","author":"Callegati","year":"2025","journal-title":"Empir. Softw. Eng."},{"key":"10.1016\/j.cose.2026.105032_b10","series-title":"2024 Crypto crime mid-year update part 1: Cybercrime climbs as stolen funds surge","author":"Chainalysis Team","year":"2024"},{"key":"10.1016\/j.cose.2026.105032_b11","series-title":"Ransomware payments exceed $1 billion in 2023, hitting record high after 2022 decline","author":"Chainalysis Team","year":"2024"},{"key":"10.1016\/j.cose.2026.105032_b12","doi-asserted-by":"crossref","first-page":"1839","DOI":"10.1007\/s10207-024-00819-x","article-title":"Real-time system call-based ransomware detection","volume":"23","author":"Chew","year":"2024","journal-title":"Int. J. Inf. Secur."},{"key":"10.1016\/j.cose.2026.105032_b13","series-title":"ICT Systems Security and Privacy Protection - 40th IFIP International Conference, SEC 2025, Maribor, Slovenia, May 21-23, 2025, Proceedings, Part I","first-page":"210","article-title":"SAFARI: A scalable air-gapped framework for automated ransomware investigation","volume":"vol. 745","author":"Compagnucci","year":"2025"},{"key":"10.1016\/j.cose.2026.105032_b14","article-title":"Reducing ransomware crime: Analysis of victims\u2019 payment decisions","volume":"119","author":"Connolly","year":"2022","journal-title":"Comput. Secur."},{"key":"10.1016\/j.cose.2026.105032_b15","series-title":"Proceedings of the 32nd Annual Conference on Computer Security Applications","first-page":"336","article-title":"ShieldFS: a self-healing, ransomware-aware filesystem","author":"Continella","year":"2016"},{"issue":"1","key":"10.1016\/j.cose.2026.105032_b16","doi-asserted-by":"crossref","first-page":"75","DOI":"10.1186\/s42400-024-00287-9","article-title":"Enabling per-file data recovery from ransomware attacks via file system forensics and flash translation layer data extraction","volume":"7","author":"Dafoe","year":"2024","journal-title":"Cybersecurity"},{"key":"10.1016\/j.cose.2026.105032_b17","doi-asserted-by":"crossref","DOI":"10.1016\/j.cose.2025.104315","article-title":"SCASS: Breaking into SCADA systems security","volume":"151","author":"d\u2019Ambrosio","year":"2025","journal-title":"Comput. Secur."},{"key":"10.1016\/j.cose.2026.105032_b18","article-title":"Evaluation of live forensic techniques in ransomware attack mitigation","volume":"33","author":"Davies","year":"2020","journal-title":"Forensic Sci. Int.: Digit. Investig."},{"issue":"12","key":"10.1016\/j.cose.2026.105032_b19","first-page":"11553","article-title":"Digital twins for anomaly detection in the industrial internet of things: Conceptual architecture and proof-of-concept","volume":"19","author":"De Benedictis","year":"2023","journal-title":"IEEE TII"},{"key":"10.1016\/j.cose.2026.105032_b20","series-title":"Uncovering the Secrets of System Administration: Proceedings of the 24th Large Installation System Administration Conference, LISA 2010, San Jose, CA, USA, November 7-12, 2010","article-title":"A survey of system configuration tools","author":"Delaet","year":"2010"},{"key":"10.1016\/j.cose.2026.105032_b21","series-title":"ICT Systems Security and Privacy Protection - 37th IFIP TC 11 International Conference, SEC 2022, Copenhagen, Denmark, June 13-15, 2022, Proceedings","first-page":"53","article-title":"DAEMON: Dynamic auto-encoders for contextualised anomaly detection applied to security monitoring","author":"Dey","year":"2022"},{"key":"10.1016\/j.cose.2026.105032_b22","series-title":"2025 IC3 annual report","author":"Federal Bureau of Investigation","year":"2026"},{"issue":"11","key":"10.1016\/j.cose.2026.105032_b23","doi-asserted-by":"crossref","first-page":"1129","DOI":"10.1002\/spe.4380211102","article-title":"Graph drawing by force-directed placement","volume":"21","author":"Fruchterman","year":"1991","journal-title":"Softw. Pract. Exp."},{"key":"10.1016\/j.cose.2026.105032_b24","article-title":"XRan: Explainable deep learning-based ransomware detection using dynamic analysis","volume":"138","author":"Gulmez","year":"2024","journal-title":"Comput. Secur."},{"key":"10.1016\/j.cose.2026.105032_b25","series-title":"Python in Science Conference","doi-asserted-by":"crossref","DOI":"10.25080\/TCWV9851","article-title":"Exploring network structure, dynamics, and function using NetworkX","author":"Hagberg","year":"2008"},{"key":"10.1016\/j.cose.2026.105032_b26","series-title":"Windows 10 Troubleshooting","first-page":"449","article-title":"Windows 10 file structure in depth","author":"Halsey","year":"2016"},{"key":"10.1016\/j.cose.2026.105032_b27","series-title":"Terraform documentation","author":"HashiCorp","year":"2024"},{"issue":"3","key":"10.1016\/j.cose.2026.105032_b28","article-title":"An economic analysis of ransomware and its welfare consequences","volume":"7","author":"Hernandez-Castro","year":"2020","journal-title":"RSOS"},{"key":"10.1016\/j.cose.2026.105032_b29","series-title":"SSCC","first-page":"1","article-title":"Pandora: A cyber range environment for the safe testing and deployment of autonomous cyber attack tools","author":"Jiang","year":"2021"},{"key":"10.1016\/j.cose.2026.105032_b30","doi-asserted-by":"crossref","DOI":"10.1016\/j.compeleceng.2022.108061","article-title":"An electric power digital twin for cyber security testing, research and education","volume":"101","author":"Kandasamy","year":"2022","journal-title":"Comput. Electr. Eng."},{"key":"10.1016\/j.cose.2026.105032_b31","series-title":"Ransomware attacks and types","author":"Kaspersky","year":"2021"},{"key":"10.1016\/j.cose.2026.105032_b32","series-title":"USENIX Security Symposium","first-page":"757","article-title":"UNVEIL: A large-scale, automated approach to detecting ransomware","author":"Kharraz","year":"2016"},{"key":"10.1016\/j.cose.2026.105032_b33","series-title":"Research in Attacks, Intrusions, and Defenses","first-page":"98","article-title":"Redemption: Real-time protection against ransomware at end-hosts","author":"Kharraz","year":"2017"},{"key":"10.1016\/j.cose.2026.105032_b34","series-title":"Detection of Intrusions and Malware, and Vulnerability Assessment","first-page":"3","article-title":"Cutting the gordian knot: A look under the hood of ransomware attacks","author":"Kharraz","year":"2015"},{"key":"10.1016\/j.cose.2026.105032_b35","series-title":"Data exfiltration ransomware attacks","author":"Kroll","year":"2021"},{"key":"10.1016\/j.cose.2026.105032_b36","doi-asserted-by":"crossref","first-page":"7557","DOI":"10.1007\/s11227-023-05741-y","article-title":"ARdetector: android ransomware detection framework","volume":"80","author":"Li","year":"2024","journal-title":"J. Supercomput."},{"key":"10.1016\/j.cose.2026.105032_b37","series-title":"Ransomware: Defending Against Digital Extortion","author":"Liska","year":"2016"},{"issue":"6","key":"10.1016\/j.cose.2026.105032_b38","first-page":"31","article-title":"Detecting cyber attacks through measurements: Learnings from a cyber range","volume":"25","author":"Mahmoud","year":"2022","journal-title":"IEEE IMM"},{"key":"10.1016\/j.cose.2026.105032_b39","doi-asserted-by":"crossref","DOI":"10.1007\/s40860-019-00080-3","article-title":"Systematic literature review and metadata analysis of ransomware attacks and detection mechanisms","volume":"5","author":"Maigida","year":"2019","journal-title":"J. Reliab. Intell. Environ."},{"issue":"3","key":"10.1016\/j.cose.2026.105032_b40","doi-asserted-by":"crossref","first-page":"371","DOI":"10.1109\/TSE.2010.60","article-title":"An attack surface metric","volume":"37","author":"Manadhata","year":"2011","journal-title":"IEEE Trans. Softw. Eng."},{"issue":"2","key":"10.1016\/j.cose.2026.105032_b41","doi-asserted-by":"crossref","first-page":"689","DOI":"10.1007\/s10270-022-01075-0","article-title":"Securing critical infrastructures with a cybersecurity digital twin","volume":"22","author":"Masi","year":"2023","journal-title":"Softw. Syst. Model."},{"key":"10.1016\/j.cose.2026.105032_b42","series-title":"Neural Information Processing","first-page":"217","article-title":"Large scale behavioral analysis of ransomware attacks","author":"McIntosh","year":"2018"},{"key":"10.1016\/j.cose.2026.105032_b43","article-title":"Ransomware reloaded: Re-examining its trend, research and mitigation in the era of data exfiltration","author":"McIntosh","year":"2024","journal-title":"ACM Comput. Surv."},{"issue":"9","key":"10.1016\/j.cose.2026.105032_b44","doi-asserted-by":"crossref","DOI":"10.1145\/3479393","article-title":"Ransomware mitigation in the modern era: A comprehensive review, research challenges, and future directions","volume":"54","author":"McIntosh","year":"2021","journal-title":"ACM Comput. Surv."},{"key":"10.1016\/j.cose.2026.105032_b45","doi-asserted-by":"crossref","DOI":"10.1016\/j.cose.2020.101762","article-title":"The Ransomware-as-a-Service economy within the darknet","volume":"92","author":"Meland","year":"2020","journal-title":"Comput. Secur."},{"key":"10.1016\/j.cose.2026.105032_b46","series-title":"APWG eCrime","first-page":"1","article-title":"Ransomware: How attacker\u2019s effort, victim characteristics and context influence ransom requested, payment and financial loss","author":"Meurs","year":"2022"},{"key":"10.1016\/j.cose.2026.105032_b47","series-title":"Azure resource manager documentation","author":"Microsoft","year":"2024"},{"key":"10.1016\/j.cose.2026.105032_b48","series-title":"Bicep documentation","author":"Microsoft","year":"2024"},{"key":"10.1016\/j.cose.2026.105032_b49","series-title":"MITRE Caldera: Automated adversary emulation platform","author":"MITRE Corporation","year":"2024"},{"key":"10.1016\/j.cose.2026.105032_b50","article-title":"A comprehensive analysis combining structural features for detection of new ransomware families","volume":"81","author":"Moreira","year":"2024","journal-title":"J. Inf. Secur. Appl."},{"key":"10.1016\/j.cose.2026.105032_b51","series-title":"OpenWrt","author":"OpenWrt Team","year":"2024"},{"issue":"11s","key":"10.1016\/j.cose.2026.105032_b52","doi-asserted-by":"crossref","DOI":"10.1145\/3514229","article-title":"A survey on ransomware: Evolution, taxonomy, and defense solutions","volume":"54","author":"Oz","year":"2022","journal-title":"ACM Comput. Surv."},{"key":"10.1016\/j.cose.2026.105032_b53","first-page":"671","article-title":"Digital twin for cybersecurity incident prediction: A multivocal literature review","author":"Pokhrel","year":"2020"},{"key":"10.1016\/j.cose.2026.105032_b54","series-title":"Chef Infra: Infrastructure automation documentation","author":"Progress Chef","year":"2024"},{"key":"10.1016\/j.cose.2026.105032_b55","series-title":"Pulumi documentation","author":"Pulumi Corporation","year":"2024"},{"key":"10.1016\/j.cose.2026.105032_b56","series-title":"Puppet infrastructure automation documentation","author":"Puppet, Inc.","year":"2024"},{"key":"10.1016\/j.cose.2026.105032_b57","series-title":"Ansible collaborative documentation","author":"Red Hat, Inc.","year":"2024"},{"issue":"1","key":"10.1016\/j.cose.2026.105032_b58","first-page":"10","article-title":"Ransomware: Evolution, mitigation and prevention","volume":"13","author":"Richardson","year":"2017","journal-title":"Int. Manag. Rev."},{"key":"10.1016\/j.cose.2026.105032_b59","series-title":"IEEE S&P","first-page":"65","article-title":"Prudent practices for designing malware experiments: Status quo and outlook","author":"Rossow","year":"2012"},{"key":"10.1016\/j.cose.2026.105032_b60","series-title":"IEEE ICDCS","first-page":"303","article-title":"CryptoLock (and drop it): Stopping ransomware attacks on user data","author":"Scaife","year":"2016"},{"key":"10.1016\/j.cose.2026.105032_b61","series-title":"2018 10th International Conference on Communication Systems & Networks","first-page":"356","article-title":"RansomWall: A layered defense system against cryptographic ransomware attacks using machine learning","author":"Shaukat","year":"2018"},{"key":"10.1016\/j.cose.2026.105032_b62","series-title":"Fabric: Simple, pythonic remote execution and deployment","author":"Stauffer","year":"2024"},{"key":"10.1016\/j.cose.2026.105032_b63","series-title":"Crossplane documentation","author":"The Crossplane Authors","year":"2024"},{"key":"10.1016\/j.cose.2026.105032_b64","series-title":"OpenTofu documentation","author":"The OpenTofu Project","year":"2024"},{"key":"10.1016\/j.cose.2026.105032_b65","series-title":"2018 IEEE Cybersecurity Development, SecDev 2018, Cambridge, MA, USA, September 30 - October 2, 2018","first-page":"110","article-title":"BP: Profiling vulnerabilities on the attack surface","author":"Theisen","year":"2018"},{"key":"10.1016\/j.cose.2026.105032_b66","series-title":"Salt Project: Event-driven automation and configuration management","author":"VMware, Inc.","year":"2024"},{"key":"10.1016\/j.cose.2026.105032_b67","article-title":"GuardFS: A file system for integrated detection and mitigation of Linux-based ransomware","volume":"93","author":"von der Assen","year":"2025","journal-title":"J. Inf. Secur. Appl."},{"key":"10.1016\/j.cose.2026.105032_b68","doi-asserted-by":"crossref","first-page":"6113","DOI":"10.1109\/TIFS.2024.3410511","article-title":"Ranker: Early ransomware detection through kernel-level behavioral analysis","volume":"19","author":"Zhang","year":"2024","journal-title":"IEEE Trans. Inf. Forensics Secur."}],"container-title":["Computers &amp; Security"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/api.elsevier.com\/content\/article\/PII:S0167404826002087?httpAccept=text\/xml","content-type":"text\/xml","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/api.elsevier.com\/content\/article\/PII:S0167404826002087?httpAccept=text\/plain","content-type":"text\/plain","content-version":"vor","intended-application":"text-mining"}],"deposited":{"date-parts":[[2026,7,13]],"date-time":"2026-07-13T17:12:19Z","timestamp":1783962739000},"score":1,"resource":{"primary":{"URL":"https:\/\/linkinghub.elsevier.com\/retrieve\/pii\/S0167404826002087"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2026,11]]},"references-count":68,"alternative-id":["S0167404826002087"],"URL":"https:\/\/doi.org\/10.1016\/j.cose.2026.105032","relation":{},"ISSN":["0167-4048"],"issn-type":[{"value":"0167-4048","type":"print"}],"subject":[],"published":{"date-parts":[[2026,11]]},"assertion":[{"value":"Elsevier","name":"publisher","label":"This article is maintained by"},{"value":"SAFARI: A Scalable Air-gapped Framework for Automated Ransomware Investigation","name":"articletitle","label":"Article Title"},{"value":"Computers & Security","name":"journaltitle","label":"Journal Title"},{"value":"https:\/\/doi.org\/10.1016\/j.cose.2026.105032","name":"articlelink","label":"CrossRef DOI link to publisher maintained version"},{"value":"article","name":"content_type","label":"Content Type"},{"value":"\u00a9 2026 The Authors. Published by Elsevier Ltd.","name":"copyright","label":"Copyright"}],"article-number":"105032"}}