What is malware?

Almost every modern cyberattack involves some type of malware. These malicious programs can take many forms, ranging from highly damaging and costly ransomware to merely annoying adware, depending on what cybercriminals aim to do.

Cybercriminals develop and use malware to:

• Hold devices, data or entire enterprise networks hostage for large sums of money.
  
  
• Gain unauthorized access to sensitive data or digital assets.
  
  
• Steal login credentials, credit card numbers, intellectual property or other valuable information.
  
  
• Disrupt critical systems that businesses and government agencies rely on.

There are billions of malware attacks every year, and malware infections can happen on any device or operating system. Windows, Mac, iOS and Android systems can all fall victim.

Increasingly, malware attacks target businesses rather than individual users as hackers have learned that it's more lucrative to go after organizations. Companies often hold significant amounts of personal data, and the hackers exploit this fact to extort large sums of money from them. The hackers can use this personal data for identity theft or sell it on the dark web.

Cybercrime is a massive industry. According to one estimate, it would be the world’s third-largest economy behind the US and China, projected to cost 10.5 trillion USD by 2025.

Within this industry, hackers constantly develop new strains of malware with new features and functionality. These individual malware strains spawn new variants over time to better evade security software. It is estimated that more than 1 billion different malware strains and variants have been created since the 1980s, making it difficult for cybersecurity professionals to keep up.

Hackers often share their malware by making the code open source or selling it to other criminals. Malware-as-a-service arrangements are prevalent among ransomware developers, so that even criminals with little technical expertise can reap the rewards of cybercrime.

While the landscape is always shifting, malware strains can be categorized into a few common types.

The terms "malware" and "computer virus" are often used as synonyms, but a virus is technically a particular kind of malware. Specifically, a virus is malicious code that hijacks legitimate software to do damage and spread copies of itself.

Viruses can't act on their own. Instead, they hide snippets of their code in other executable programs. When a user starts the program, the virus begins running, too. Viruses are usually designed to delete important data, disrupt normal operations, and spread copies of themselves to other programs on the infected computer.

Most of the earliest malware threats were viruses. Elk Cloner, perhaps the first malware to spread through public devices, was a virus that targeted Apple computers.

Ransomware locks up a victim's devices or data and demands a ransom payment, usually in the form of cryptocurrency, to unlock them. According to IBM's X-Force Threat Intelligence Index, ransomware is the second most common type of cyberattack, accounting for 17% of attacks.

The most basic ransomware attacks render assets unusable until the ransom is paid, but cybercriminals may use additional tactics to increase the pressure on victims.

In a double extortion attack, cybercriminals steal data and threaten to leak it if they're not paid. In a triple extortion attack, hackers encrypt the victim's data, steal it, and threaten to take systems offline through a distributed denial-of-service (DDoS) attack.

Ransom demands can range from tens of thousands to millions of US dollars. According to one report, the average ransom payment is USD 812,360. Even if victims don't pay, ransomware is costly. IBM's Cost of a Data Breach report found the average ransomware attack costs USD 4.38 million with law enforcement involved to USD 5.37 million without law enforcement, these cost figures not including the ransom itself.

Hackers use remote access malware to gain access to computers, servers or other devices by creating or exploiting backdoors. According to the X-Force Threat Intelligence Index, planting backdoors is the most common objective for hackers, accounting for 21% of attacks.

Backdoors allow cybercriminals to do a lot. They can steal data or credentials, take control of a device, or install even more dangerous malware like ransomware. Some hackers use remote access malware to create backdoors they can sell to other hackers, which can fetch several thousand US dollars each.

Some remote access malware, like Back Orifice or CrossRAT, is intentionally crafted for malicious purposes. Hackers can also modify or misuse legitimate software to remotely access a device. In particular, cybercriminals use stolen credentials for Microsoft remote desktop protocol (RDP) as backdoors.

A botnet is a network of internet-connected, malware-infected devices under a hacker's control. Botnets can include PCs, mobile devices, Internet of Things (IoT) devices, and more. Victims often don't notice when their devices are part of a botnet. Hackers often use botnets to launch DDoS attacks, which bombard a target network with so much traffic that it slows to a crawl or shuts down completely.

Mirai, one of the most well-known botnets, was responsible for a massive 2016 attack against the Domain Name System provider Dyn. This attack took down popular websites like Twitter and Reddit for millions of users in the US and Europe.

A cryptojacker is a malware that takes control of a device and uses it to mine cryptocurrency, like bitcoin, without the owner's knowledge. Essentially, cryptojackers create cryptomining botnets.

Mining cryptocurrency is an extremely compute-intensive and expensive task. Cybercriminals profit while users of infected computers experience performance slowdowns and crashes. Cryptojackers often target enterprise cloud infrastructure, allowing them to marshal more resources for cryptomining than targeting individual computers.

Fileless malware is a kind of attack that uses vulnerabilities in legitimate software programs like web browsers and word processors to inject malicious code directly into a computer's memory. Since the code runs in memory, it leaves no traces on the hard drive. Because it uses legitimate software, it often evades detection.

Many fileless malware attacks use PowerShell, a command line interface and scripting tool built into the Microsoft Windows operating system. Hackers can run PowerShell scripts to change configurations, steal passwords, or do other damage.

Malicious macros are another common vector for fileless attacks. Apps like Microsoft Word and Excel allow users to define macros, sets of commands that automate simple tasks like formatting text or performing calculations. Hackers can store malicious scripts in these macros; when a user opens the file, those scripts automatically execute.

Worms are self-replicating malicious programs that can spread between apps and devices without human interaction. (Compare to a virus, which can only spread if a user runs a compromised program.) While some worms do nothing more than spread, many have more severe consequences. For example, the WannaCry ransomware, which caused an estimated USD 4 billion in damages, was a worm that maximized its impact by automatically spreading between connected devices.

Trojan horses disguise themselves as useful programs or hide within legitimate software to trick users into installing them. A remote access Trojan or "RAT" creates a secret backdoor on the infected device. Another type of Trojan called a "dropper," installs additional malware once it has a foothold. Ryuk, one of the most devastating recent ransomware strains, used the Emotet Trojan to infect devices.

Rootkits are malware packages that allow hackers to gain privileged, administrator-level access to a computer's operating system or other assets. Hackers can then use these elevated permissions to do virtually anything they want, like adding and removing users or reconfiguring apps. Hackers often use rootkits to hide malicious processes or disable security software that might catch them.

Scareware frightens users into downloading malware or passing sensitive information to a fraudster. Scareware often appears as a sudden pop-up with an urgent message, usually warning the user that they've broken the law or their device has a virus. The pop-up directs the user to pay a "fine" or download fake security software that turns out to be actual malware.

Spyware hides on an infected computer, secretly gathering sensitive information and transmitting it back to an attacker. One common type of spyware, called a keylogger, records all of a user's keystrokes, allowing hackers to harvest usernames, passwords, bank account and credit card numbers, Social Security numbers and other sensitive data.

Adware spams a device with unwanted pop-up ads. Adware is often included with free software, unbeknownst to the user. When the user installs the program, they unwittingly install the adware, too. Most adware is little more than an annoyance. However, some adware harvest personal data, redirect web browsers to malicious websites or even download more malware onto the user's device if they click one of the pop-ups.

A malware attack has two components: the malware payload and the attack vector. The payload is the malicious code that the hackers want to plant, and the attack vector is the method used to deliver the payload is to its target.

Some of the most common malware vectors include:

Some malware infections, like ransomware, announce themselves. However, most try to stay out of sight as they wreak havoc. Still, malware infections often leave behind signs that cybersecurity teams can use to identify them. These signs include:

Performance declines: Malware programs use the infected computer's resources to run, often eating up storage space and disrupting legitimate processes. The IT support team may notice an influx of tickets from users whose devices are slowing down, crashing or flooded with pop-ups.

New and unexpected network activity: IT and security staff may notice strange patterns, such as processes using more bandwidth than normal, devices communicating with unknown servers or user accounts accessing assets they don't usually use.

Changed configurations: Some malware strains alter device configurations or disable security solutions to avoid detection. IT and security teams may notice that, for example, firewall rules have changed or an account's privileges have been elevated.

Security event alerts: For organizations with threat detection solutions in place, the first sign of a malware infection is likely to be a security event alert. Solutions like intrusion detection systems (IDS), security information and event management (SIEM) platforms and antivirus software can flag potential malware activity for the incident response team to review.

Malware attacks are inevitable, but there are steps organizations can take to strengthen their defenses. These steps include:

Security awareness training: Many malware infections result from users downloading fake software or falling for phishing scams. Security awareness training can help users spot social engineering attacks, malicious websites and fake apps. Security awareness training can also educate users on what to do and who to contact if they suspect a malware threat.

Security policies: Requiring strong passwords, multi-factor authentication and VPNs when accessing sensitive assets over unsecured wifi can help limit hackers' access to users' accounts. Instituting a regular schedule for patch management, vulnerability assessments and penetration testing can also help catch software and device vulnerabilities before cybercriminals exploit them. Policies for managing BYOD (bring your own device) devices and preventing shadow IT can help prevent users from unknowingly bringing malware onto the corporate network.

Backups: Maintaining updated backups of sensitive data and system images, ideally on hard drives or other devices that can be disconnected from the network, can make it easier to recover from malware attacks.

Zero trust network architecture: Zero trust is an approach to network security in which users are never trusted and always verified. In particular, zero trust implements the principle of least privilege, network microsegmentation and continuous adaptive authentication. This implementation helps to make sure that no user or device can access sensitive data or assets they shouldn't. If malware gets onto the network, these controls can limit its lateral movement.

Incident response plans: Creating incident response plans for different types of malware ahead of time can help cybersecurity teams eradicate malware infections more quickly.

In addition to the manual tactics outlined earlier, cybersecurity teams can use security solutions to automate aspects of malware removal, detection and prevention. Common tools include:

Antivirus software: Also called "anti-malware" software, antivirus programs scan systems for signs of infections. In addition to alerting users, many antivirus programs can automatically isolate and remove malware upon detection.

Firewalls: Firewalls can block some malicious traffic from reaching the network in the first place. If malware does make it onto a network device, firewalls can help thwart outgoing communications to hackers, like a keylogger sending keystrokes back to the attacker.

Security information and event management (SIEM) platforms: SIEMs collect information from internal security tools, aggregate it in a central log and flag anomalies. Because SIEMs centralize alerts from multiple sources, they can make it easier to spot subtle signs of malware.

Security orchestration, automation and response (SOAR) platforms: SOARs integrate and coordinate disparate security tools, enabling security teams to create semi- or fully automated playbooks for responding to malware in real-time.

Endpoint detection and response (EDR) platforms: EDRs monitor endpoint devices, like smartphones, laptops and servers, for signs of suspicious activity, and they can automatically respond to detected malware.

Extended detection and response (XDR) platforms: XDRs integrate security tools and operations across all security layers, users, endpoints, email, applications, networks, cloud workloads and data. XDRs can help automate complex malware prevention, detection, investigation and response processes, including proactive threat hunting.

Attack surface management (ASM) tools: ASM tools continuously discover, analyze, remediate and monitor all assets in an organization's network. ASM can be useful in helping cybersecurity teams catch unauthorized shadow IT apps and devices that may carry malware.

Unified endpoint management (UEM): UEM software monitors, manages and secures all of an organization's end-user devices, including desktops, laptops and mobile devices. Many organizations use UEM solutions to help ensure employees' BYOD devices don't bring malware into the corporate network.