Ransomware poses a significant threat to individuals and organisations, creating a need for tools to investigate its behaviour and the effectiveness of mitigations. To address this need, we present SAFARI, an open-source framework designed for safe and efficient ransomware analysis. SAFARI’s design emphasises scalability, air-gapped security, and automation, democratising access to safe ransomware investigation tools and fostering collaborative efforts. SAFARI leverages virtualisation, Infrastructure-as-Code, and OS-agnostic task automation to create isolated environments for controlled ransomware execution and analysis. The framework enables researchers to profile ransomware behaviour and evaluate mitigation strategies through automated, reproducible experiments. We demonstrate SAFARI’s capabilities by building a proof-of-concept implementation and using it to conduct two case studies: the first analyses seven ransomware strains – including WannaCry and LockBit – to identify their encryption patterns and file-targeting strategies; the second evaluates Ranflood, a countermeasure tool, against five dangerous strains. Our results provide insights into ransomware behaviour and the effectiveness of countermeasures, showcasing SAFARI’s potential to advance ransomware research and defence development.

Compagnucci, T., Giallorenzo, S., Melis, A., Melloni, S., Prandini, M., Vannini, A. (2026). SAFARI: A Scalable Air-gapped Framework for Automated Ransomware Investigation. COMPUTERS & SECURITY, 170, 1-27 [10.1016/j.cose.2026.105032].

SAFARI: A Scalable Air-gapped Framework for Automated Ransomware Investigation

Compagnucci, Tommaso;Giallorenzo, Saverio;Melis, Andrea;Prandini, Marco;Vannini, Alessandro
2026

Abstract

Ransomware poses a significant threat to individuals and organisations, creating a need for tools to investigate its behaviour and the effectiveness of mitigations. To address this need, we present SAFARI, an open-source framework designed for safe and efficient ransomware analysis. SAFARI’s design emphasises scalability, air-gapped security, and automation, democratising access to safe ransomware investigation tools and fostering collaborative efforts. SAFARI leverages virtualisation, Infrastructure-as-Code, and OS-agnostic task automation to create isolated environments for controlled ransomware execution and analysis. The framework enables researchers to profile ransomware behaviour and evaluate mitigation strategies through automated, reproducible experiments. We demonstrate SAFARI’s capabilities by building a proof-of-concept implementation and using it to conduct two case studies: the first analyses seven ransomware strains – including WannaCry and LockBit – to identify their encryption patterns and file-targeting strategies; the second evaluates Ranflood, a countermeasure tool, against five dangerous strains. Our results provide insights into ransomware behaviour and the effectiveness of countermeasures, showcasing SAFARI’s potential to advance ransomware research and defence development.
2026
Compagnucci, T., Giallorenzo, S., Melis, A., Melloni, S., Prandini, M., Vannini, A. (2026). SAFARI: A Scalable Air-gapped Framework for Automated Ransomware Investigation. COMPUTERS & SECURITY, 170, 1-27 [10.1016/j.cose.2026.105032].
Compagnucci, Tommaso; Giallorenzo, Saverio; Melis, Andrea; Melloni, Simone; Prandini, Marco; Vannini, Alessandro
File in questo prodotto:
Eventuali allegati, non sono esposti

I documenti in IRIS sono protetti da copyright e tutti i diritti sono riservati, salvo diversa indicazione.

Utilizza questo identificativo per citare o creare un link a questo documento: https://hdl.handle.net/11585/1070090
 Attenzione

Attenzione! I dati visualizzati non sono stati sottoposti a validazione da parte dell'ateneo

Citazioni
  • ???jsp.display-item.citation.pmc??? ND
  • Scopus ND
  • ???jsp.display-item.citation.isi??? ND
  • OpenAlex ND
social impact