Multimodal Multi-Agent Ransomware Analysis Using AutoGen

📅 2026-01-28
🤖 AI Summary
Existing ransomware detection methods struggle to handle the complexity and variability of evolving ransomware families when relying solely on static, heuristic, or behavioral analysis. This work proposes the first multimodal, multi-agent collaborative detection framework that integrates static, dynamic, and network-based features. Specialized agents extract heterogeneous features, which are then fused by a dedicated fusion agent and fed into a Transformer-based classifier for ransomware family identification. The framework incorporates a confidence-aware abstention mechanism and an adaptive feedback loop to iteratively refine feature representations. Experimental results on large-scale datasets demonstrate a Macro-F1 score of 0.936, significantly reduced calibration error, an agent quality improvement exceeding 0.75, and an overall composite score of approximately 0.88, all achieved without fine-tuning any language model.

📝 Abstract
Ransomware has become one of the most serious cybersecurity threats, causing major financial losses and operational disruptions worldwide. Traditional detection methods such as static analysis, heuristic scanning and behavioral analysis often fall short when used alone. To address these limitations, this paper presents a multimodal multi-agent ransomware analysis framework designed for ransomware classification. The proposed multimodal multi-agent architecture combines information from static, dynamic and network sources. Each data type is handled by a specialized agent that uses autoencoder-based feature extraction. These representations are then integrated through a fusion agent. The fused representation is then used by a transformer-based classifier, which identifies the specific ransomware family. The agents interact through an inter-agent feedback mechanism that iteratively refines feature representations by suppressing low-confidence information. The framework was evaluated on large-scale datasets containing thousands of ransomware and benign samples. Multiple experiments were conducted on the ransomware dataset. It outperforms single-modality and non-adaptive fusion baselines, achieving improvement of up to 0.936 in Macro-F1 for family classification and reducing calibration error. Over 100 epochs, the agentic feedback loop displays a stable monotonic convergence, leading to over +0.75 absolute improvement in terms of agent quality and a final composite score of around 0.88 without fine-tuning of the language models. Zero-day ransomware detection remains family dependent on polymorphism and modality disruptions. Confidence-aware abstention enables reliable real-world deployment by favoring conservative and trustworthy decisions over forced classification. The findings indicate that the proposed approach provides a practical and effective path toward improving real-world ransomware defense systems.

Problem

Research questions and friction points this paper is trying to address.

ransomware
multimodal analysis
malware classification
cybersecurity
zero-day detection
Innovation

Methods, ideas, or system contributions that make the work stand out.

multimodal
multi-agent
ransomware classification
feature fusion
confidence-aware abstention

Asifullah Khan
Professor and Head PIEAS AI Center (PAIC), PIEAS, Islamabad, Pakistan
Deep Neural Networks, Image Processing, Pattern Recognition, Deep Convolutional Neural Networks and
Aimen Wadood
Pattern Recognition Lab, DCIS, PIEAS, Nilore, Islamabad, Pakistan; Deep Learning Lab, Center for Mathematical Sciences, PIEAS, Nilore, Islamabad, Pakistan
Mubashar Iqbal
Lecturer of Information Security at University of Tartu
Blockchain, Information Security, Digital Twins, Metaverse, #unitartucs
Umme Zahoora
Department of Creative Technology, AIR University, E9 Campus, Islamabad, Pakistan