Malware—short for malicious software—is software code written to damage or destroy computers or networks, or to provide unauthorized access to computers, networks or data for nefarious or criminal use. Some form of malware is at the root of almost every type of cyberattack.
Cybercriminals use malware to
The costs of malware-related attacks are enormous. Cybercrime Magazine reports that the global damage cost of just one type of malware—ransomware—was USD 20 billion in 2021, and will grow to USD 265 billion in 2031 (link resides outside of ibm.com).
Once upon a time, most malware threats were computer viruses—code that ‘infects’ one computer then spreads copies of itself to other computers. The first-ever computer virus, called Creeper, replicated itself until it crippled the computer by filling its hard drive (relatively quick work in 1971, when Creeper debuted). Subsequent viruses disabled computer systems by overwriting or corrupting operating system files, application files or the boot sectors of disks.
Today malware comes in many, many more types, each of which is continually evolving to do more serious damage to computers and networks, and to better evade detection and remediation by security tools and malware protection technologies. Below are brief descriptions of some of the most common types of malware in circulation today.
Ransomware is malware that locks a victim's device, or encrypts some or all of the victim’s data, and then demands a ransom payment—often in the form of cryptocurrency—to unlock the device, decrypt the data, or prevent the data from being stolen or shared. According to the 2022 X-Force Threat Intelligence Index (PDF, 4.1 MB) almost every ransomware incident that X-Force has responded to since 2019 involved ‘double extortion,’ threatening the victim with both data encryption and data theft. And ‘triple extortion’ ransomware incidents—threatening data encryption and theft, plus launch of a distributed denial of service or DDoS attack (see Botnets, below)—are on the rise.
The same report found that ransomware attacks represented 21 percent of all cyberattacks in 2021.
Ransomware victims and negotiators are reluctant to disclose ransom payment amounts. A global insurance company was reported to have made the largest known ransomware payment of USD 40 million in May of 2021 (link resides outside of IBM.com). Estimates of average payment amounts range from USD 100,000 to 300,000 or more. But for many ransomware victims the ransom is the smallest cost. According to IBM’s Cost of a Data Breach report, the average cost of a ransomware attack, not including the ransom, was USD 4.54 million.
Server access malware
Server access malware gives attackers unauthorized access to web application servers. Often, server access malware is legitimate software, modified or misused for cyberattacks; some, ironically, was developed originally to demonstrate security vulnerabilities of a server or server operating system.
Types of server access malware include web shells, which enable attackers to take command of a web server via a web browser, and remote system administration programs, such as Back Orifice, which enables remote administration of a Microsoft Windows server or computer. Attackers use this type of malware for everything from defacing or crippling the victim’s websites to stealing user credentials and other sensitive data. The 2022 X-Force Threat Intelligence Index reports that 11 percent of all cybersecurity incidents in 2021 were server access attacks.
Technically, botnets are not malware—they are created using malware. A botnet is a network of internet-connected, malware-infected devices—PCs, smartphones, Internet of Things (IoT) devices, and more. The malware creates a backdoor through which the hacker can control the devices, remotely. Hackers create botnets to launch distributed denial of service (DDoS) attacks—attacks that bombard a target network with so much fraudulent traffic that the network slows to a crawl or shuts down completely.
A cryptojacker is malware that takes remote control of a device and uses it to ‘mine’ cryptocurrency—an extremely compute-intensive and expensive task. (Essentially, cryptojackers create cryptomining botnets.) Cryptocurrencies pay rewards, usually in cryptocurrency, to people who provide computing power for mining. Cryptojacking enables cybercriminals to reap these rewards using other people’s devices.
Fileless malware is malware that operates in memory and injects malicious code or scripts into legitimate applications. Because it doesn’t leave a signature—a string of bytes characteristic of malware—on disk, fileless malware can’t be identified and removed with traditional antivirus software, but many of the latest next-generation antivirus (NGAV) solutions can catch it by looking at what running processes do rather than at what their files look like.
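The contrast above, as an added illustration that is not part of the original article: a traditional byte-signature scan of the host application's on-disk file finds nothing, because the implant never touched disk, while a behavioural check on process telemetry flags executable memory that no file backs. The signature database, file paths and process records are all constructed for the example.

```python
"""Signature scan vs. behavioural check for the fileless-malware case (constructed data)."""
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed signature database: byte strings a traditional AV matches against files.
SIGNATURES = {"demo_dropper": b"MZ\x90\x00DEMO_DROPPER_MARKER"}

@dataclass
class MemoryRegion:
    address: int
    executable: bool
    backing_file: Optional[str]   # mapped image path, or None for anonymous memory

@dataclass
class ProcessTelemetry:
    pid: int
    image: str                    # on-disk executable of the (legitimate) host process
    image_bytes: bytes            # what a file scanner reads from that path
    regions: List[MemoryRegion] = field(default_factory=list)

def signature_scan(file_bytes: bytes) -> List[str]:
    """Traditional AV: report every known signature present in the on-disk bytes."""
    return sorted(name for name, sig in SIGNATURES.items() if sig in file_bytes)

def behaviour_check(proc: ProcessTelemetry) -> List[str]:
    """NGAV-style check on live telemetry: executable memory with no file behind it
    is the hallmark of code injected into a legitimate process.  A production rule
    must also allow-list legitimate JIT compilers, which allocate such memory too."""
    return [f"pid {proc.pid}: unbacked executable region at {r.address:#x}"
            for r in proc.regions if r.executable and r.backing_file is None]

BROWSER = r"C:\Program Files\ExampleBrowser\browser.exe"   # constructed path

# Legitimate browser, clean on disk, with injected code living only in memory.
INJECTED_HOST = ProcessTelemetry(
    pid=4242, image=BROWSER, image_bytes=b"MZ\x90\x00" + b"\x00" * 64,
    regions=[MemoryRegion(0x7FF6_0000_0000, True, BROWSER),
             MemoryRegion(0x0000_0200_0000, True, None)])

# Same browser, nothing injected: every executable region maps back to its image.
CLEAN_HOST = ProcessTelemetry(
    pid=4243, image=BROWSER, image_bytes=b"MZ\x90\x00" + b"\x00" * 64,
    regions=[MemoryRegion(0x7FF6_0000_0000, True, BROWSER)])

# A conventional file-based sample: the signature scan is what catches this one.
DROPPER_PATH = r"C:\Users\Public\dropper.exe"              # constructed path
DROPPER_ON_DISK = ProcessTelemetry(
    pid=4244, image=DROPPER_PATH, image_bytes=SIGNATURES["demo_dropper"] + b"\x00" * 32,
    regions=[MemoryRegion(0x0000_0040_0000, True, DROPPER_PATH)])
```

Run the two checks side by side on the three records: only the behavioural check flags the injected host, and only the signature scan flags the dropper, which is the gap between traditional antivirus and NGAV the section describes.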
Other types of malware
Like malware itself, malware delivery methods or pathways, called vectors, are numerous and evolving. Tracking these tactics is critical to malware prevention, detection and response. Some of the most commonly used malware vectors include:
Successful malware threat protection requires a comprehensive approach across the organization and participation at all levels—from security teams, to IT staff, to employees and business partners. User training, security policies and cybersecurity technologies all play a critical role.
Users are the first line of defense in an organization’s malware protection scheme. Today most organizations formally train users to behave in ways that minimize the risk of malware and other cybersecurity threats. Lessons include
Most end-user security training also instructs users on specific actions to take, including who to contact, in the event of an actual or suspected malware threat.
Security policies set IT standards for IT technologies and behavior to minimize or eliminate the risk of cybersecurity threats. These policies define things such as the type and strength of encryption for emails, the minimum length and content of passwords, and network access privileges.
Policies aimed specifically at preventing malware might proscribe
Modern cybersecurity technologies fall into two general categories.
Preventative security tools are designed to catch, isolate and eliminate known or identifiable cybersecurity threats. Many of these—antivirus software (including next-gen antivirus, or NGAV), anti-malware and malware removal software, firewalls, URL filters—are familiar to most users.
Detection and response technologies are enterprise security solutions that help security teams quickly identify and respond to malware and other threats that elude preventative tools. These solutions typically integrate with preventative security tools, threat intelligence feeds and other sources of security-related data. They identify indicators of malware and other cyberthreats—called indicators of compromise (IOCs)—using advanced analytics and AI. And they enable security teams to automate certain tasks, to speed incident response and limit or prevent resulting damage.
Some of the most commonly used detection and response technologies include:
Zero trust describes an approach to cybersecurity that assumes that malware and other cyberattacks will successfully breach a network’s perimeter defenses, and consequently focuses on making it more difficult for attackers to move throughout the network and accomplish their goals once they’re ‘in.’ Cybersecurity measures related to a zero trust approach include (but are in no way limited to):
A zero-trust approach limits users strictly to the access they need to perform their roles, and requires renewed or additional verification whenever users request additional access. This can greatly diminish the impact of ransomware and other malware that penetrates the network and then lurks for months, attempting to gain increased access to data and other resources in preparation for an attack.
To prevent and combat modern ransomware threats, IBM uses insight from 800 TB of threat activity data, information on more than 17 million spam and phishing attacks and reputation data on nearly 1 million malicious IP addresses from a network of 270 million endpoints.
Proactive threat hunting, continuous monitoring and a deep investigation of threats are just a few of the priorities facing an already busy IT department. Having a trusted incident response team on standby can reduce your response time, minimize the impact of a cyberattack, and help you recover faster.
IBM Security® Managed Detection and Response is part of the industry’s broadest portfolio of MDR and IDPS solutions that manage the full threat management lifecycle.
Cyberattacks are unwelcome attempts to steal, expose, alter, disable or destroy information through unauthorized access to computer systems.
Ransomware holds victims' devices and data hostage until a ransom is paid. Learn how ransomware works, why it has proliferated in recent years, and how organizations defend against it.
Zero trust is a framework that assumes a complex network’s security is always at risk to external and internal threats. It helps organize and strategize a thorough approach to counter those threats.