SAFARI: a Scalable Air-gapped Framework for Automated Ransomware Investigation

2025-04-10

AI Summary
Ransomware poses a severe threat to individuals and organizations, necessitating secure, reproducible behavioral analysis and defense evaluation methodologies. To address this, we propose the first air-gapped analysis framework integrating virtualization, Infrastructure-as-Code (Terraform), and cross-platform automation (Ansible/Python), enabling physically isolated, fully automated, OS-agnostic dynamic ransomware analysis. The framework supports democratized collaborative research while ensuring experimental safety and reproducibility. Leveraging it, we systematically analyze the encryption mechanisms and file-targeting strategies of five prevalent ransomware families, including WannaCry and LockBit, and empirically validate Ranflood's effectiveness in intercepting three high-risk variants. Our work delivers an open-source, extensible, and reproducible experimental infrastructure for ransomware research, establishing a standardized foundation for rigorous, scalable, and verifiable security evaluation.

Abstract
Ransomware poses a significant threat to individuals and organisations, calling for tools to investigate its behaviour and the effectiveness of mitigations. To answer this need, we present SAFARI, an open-source framework designed for safe and efficient ransomware analysis. SAFARI's design emphasises scalability, air-gapped security, and automation, democratising access to safe ransomware investigation tools and fostering collaborative efforts. SAFARI leverages virtualisation, Infrastructure-as-Code, and OS-agnostic task automation to create isolated environments for controlled ransomware execution and analysis. The framework enables researchers to profile ransomware behaviour and evaluate mitigation strategies through automated, reproducible experiments. We demonstrate SAFARI's capabilities by building a proof-of-concept implementation and using it to run two case studies. The first analyses five renowned ransomware strains (including WannaCry and LockBit) to identify their encryption patterns and file-targeting strategies. The second evaluates Ranflood, a countermeasure which we test against three dangerous strains. Our results provide insights into ransomware behaviour and the effectiveness of countermeasures, showcasing SAFARI's potential to advance ransomware research and defence development.
Problem

Research questions and friction points this paper is trying to address.

Develops scalable framework for safe ransomware analysis
Automates isolated environments for ransomware behavior profiling
Evaluates effectiveness of ransomware mitigation strategies
Innovation

Methods, ideas, or system contributions that make the work stand out.

Uses virtualization for isolated ransomware analysis
Employs Infrastructure-as-Code for scalable environments
Automates OS-agnostic tasks for reproducible experiments
Authors

Tommaso Compagnucci
Alma Mater Studiorum - Università di Bologna, Bologna, Italy

Franco Callegati
Full Professor
Research interests: Software Defined Networking, Network Function Virtualization, Optical Networks, Network Security, Embedded Networking

Saverio Giallorenzo
Assistant Professor at Department of Computer Science and Engineering, Università di Bologna
Research interests: Programming Languages, Choreographic Programming, Microservices, Serverless, Security

A. Melis
Alma Mater Studiorum - Università di Bologna, Bologna, Italy

Simone Melloni
ARPAE Emilia-Romagna, Italy

Alessandro Vannini
Alma Mater Studiorum - Università di Bologna, Bologna, Italy