Towards Low-Latency and Adaptive Ransomware Detection Using Contrastive Learning

📅 2025-10-24
🤖 AI Summary
Ransomware's rapid evolution and high variant diversity pose severe challenges to conventional detection methods in terms of early identification, generalizability, and response latency. To address these issues, we propose a low-latency, adaptive runtime detection framework. First, it constructs fine-grained behavioral representations by fusing hardware performance counters (HPCs). Second, it introduces a contrastive learning objective specifically designed for early detection, coupled with a customized loss function. Third, it employs neural architecture search (NAS) to automatically optimize model topology. Crucially, the framework eliminates reliance on handcrafted features or prior ransomware samples, thereby significantly enhancing zero-day variant detection capability. Extensive experiments demonstrate that our approach achieves up to 16.1% higher detection accuracy than state-of-the-art methods, reduces average response latency by 6×, and maintains strong robustness against diverse evasion attacks.

πŸ“ Abstract
Ransomware has become a critical threat to cybersecurity due to its rapid evolution, the necessity for early detection, and growing diversity, posing significant challenges to traditional detection methods. While AI-based approaches had been proposed by prior works to assist ransomware detection, existing methods suffer from three major limitations, ad-hoc feature dependencies, delayed response, and limited adaptability to unseen variants. In this paper, we propose a framework that integrates self-supervised contrastive learning with neural architecture search (NAS) to address these challenges. Specifically, this paper offers three important contributions. (1) We design a contrastive learning framework that incorporates hardware performance counters (HPC) to analyze the runtime behavior of target ransomware. (2) We introduce a customized loss function that encourages early-stage detection of malicious activity, and significantly reduces the detection latency. (3) We deploy a neural architecture search (NAS) framework to automatically construct adaptive model architectures, allowing the detector to flexibly align with unseen ransomware variants. Experimental results show that our proposed method achieves significant improvements in both detection accuracy (up to 16.1%) and response time (up to 6x) compared to existing approaches while maintaining robustness under evasive attacks.
Problem

Research questions and friction points this paper is trying to address.

Detecting ransomware with low latency and high accuracy
Overcoming ad-hoc feature dependencies in existing detection methods
Adapting to unseen ransomware variants through automated architecture search
Innovation

Methods, ideas, or system contributions that make the work stand out.

Self-supervised contrastive learning with hardware counters
Customized loss function for early-stage detection
Neural architecture search for adaptive model construction
Zhixin Pan
University of Florida
Machine Learning
Ziyu Shu
Department of Radiation Oncology, Stony Brook University, Stony Brook, USA
Amberbir Alemayoh
College of Engineering, Florida State University, Tallahassee, USA