Automated detection and remediation of ransomware attacks involving a storage device of a computer network
Abstract:
An apparatus in one embodiment comprises a security appliance having a processor coupled to a memory. The security appliance is associated with at least one storage device and comprises a ransomware detector configured to generate a detection score for one or more sets of files stored in the storage device. The ransomware detector comprises a file analyzer configured to compare characteristics relating to a current state of the files with information stored in a file history database, and a detection score generator having a weighting module for applying weights to respective comparison results from the file analyzer in generating the detection score for the one or more sets of files. The ransomware detector is further configured to generate an alert if the detection score for the one or more sets of files exceeds a specified threshold. The alert may be transmitted by the security appliance to a network security system.
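The scoring pipeline described in the abstract, sketched as an added example (not code from the patent). The three characteristics, the weights, the threshold and the history record layout are all assumptions made for illustration, since the abstract does not enumerate them.

```python
import math
from collections import Counter

# Assumed characteristics, weights and threshold; the abstract names none of them.
WEIGHTS = {"entropy_jump": 0.5, "magic_changed": 0.3, "ext_changed": 0.2}
THRESHOLD = 0.6

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 to 8.0)."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def snapshot(name: str, data: bytes) -> dict:
    """Record of the kind a file history database could hold for one file."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    return {"ext": ext, "magic": data[:4], "entropy": entropy(data)}

def compare(old: dict, new: dict) -> dict:
    """File analyzer: one 0/1 comparison result per characteristic."""
    return {
        "entropy_jump": float(new["entropy"] - old["entropy"] > 2.0),
        "magic_changed": float(new["magic"] != old["magic"]),
        "ext_changed": float(new["ext"] != old["ext"]),
    }

def detection_score(history: dict, current: dict) -> float:
    """Weighted comparison results, averaged over the set of files."""
    scores = []
    for file_id, old in history.items():
        name, data = current[file_id]
        results = compare(old, snapshot(name, data))
        scores.append(sum(WEIGHTS[k] * v for k, v in results.items()))
    return sum(scores) / len(scores) if scores else 0.0

def should_alert(history: dict, current: dict) -> bool:
    """Alert only when the score for the file set exceeds the threshold."""
    return detection_score(history, current) > THRESHOLD

# Constructed sample data: two documents and a uniformly random-looking blob.
PDF = b"%PDF-1.7\n" + b"Quarterly report text. " * 40
TXT = b"meeting notes, plain ascii\n" * 40
BLOB = bytes(range(256)) * 4
HISTORY = {1: snapshot("report.pdf", PDF), 2: snapshot("notes.txt", TXT)}

if __name__ == "__main__":
    attacked = {1: ("report.pdf.locked", BLOB), 2: ("notes.txt.locked", BLOB)}
    print(detection_score(HISTORY, attacked), should_alert(HISTORY, attacked))
```

Scoring the set rather than each file keeps a single renamed or recompressed file below the threshold, while a sweep that rewrites every file pushes the score to its maximum.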