What is malware?

Learn the most common forms of malware and the measures organizations take to protect against malware and malware-driven cyberattacks.

two engineers working on computer leadspace

What is malware?

Malware—short for malicious software—is software code written to damage or destroy computers or networks, or to provide unauthorized access to computers, networks or data for nefarious or criminal use. Some form of malware is at the root of almost every type of cyberattack.

Cybercriminals use malware to

  • Hold users and organizations hostage for large sums of money
  • Take unauthorized remote control of other people’s computers or servers
  • Steal sensitive data—individuals’ bank account and Social Security numbers, corporations’ intellectual property, and more—for identity theft, competitive advantage and other fraudulent uses
  • Launch crippling attacks on systems that run businesses, government agencies, public utilities or other institutions

The costs of malware-related attacks are enormous. Cybercrime Magazine reports that the global damage cost of just one type of malware—ransomware—was USD 20 billion in 2021, and will grow to USD 265 billion in 2031 (link resides outside of ibm.com).

Types of malware

Once upon a time, most malware threats were computer viruses—code that ‘infects’ one computer then spreads copies of itself to other computers. The first-ever computer virus, called Creeper, replicated itself until it crippled the computer by filling its hard drive (relatively quick work in 1971, when Creeper debuted). Subsequent viruses disabled computer systems by overwriting or corrupting operating system files, application files or the boot sectors of disks.

Today malware comes in many, many more types, each of which is continually evolving to do more serious damage to computers and networks, and to better evade detection and remediation by security tools and malware protection technologies. Below are brief descriptions of some of the most common types of malware in circulation today.


Ransomware is malware that locks a victim's device, or encrypts some or all of the victim’s data, and then demands a ransom payment—often in the form of cryptocurrency—to unlock the device, decrypt the data, or prevent the data from being stolen or shared. According to the 2022 X-Force Threat Intelligence Index (PDF, 4.1 MB) almost every ransomware incident that X-Force has responded to since 2019 involved ‘double extortion,’ threatening the victim with both data encryption and data theft. And ‘triple extortion’ ransomware incidents—threatening data encryption and theft, plus launch of a distributed denial of service or DDoS attack (see Botnets, below)—are on the rise.

The same report found that ransomware attacks represented 21 percent of all cyberattacks in 2021.

Ransomware victims and negotiators are reluctant to disclose ransom payment amounts. A global insurance company was reported to have made the largest known ransomware payment of $40 million in May of 2021 (link resides outside of IBM.com). Estimates of average payment amounts range from the $100,000s to the $300,000s. But for many ransomware victims the ransom is the smallest cost. According to IBM’s Cost of a Data Breach 2021 report, the average cost of a ransomware attack, not including the ransom, was $4.62 million.

Server access malware

Server access malware gives attackers unauthorized access to web application servers. Often, server access malware is legitimate software, modified or misused for cyberattacks; some, ironically, was developed originally to demonstrate security vulnerabilities of a server or server operating system.

Types of server access malware include web shells, which enable attackers to take command of a web server via a web browser, and remote system administration programs, such as Back Orifice, which enables remote administration of a Microsoft Windows on a server or computer. Attackers use this type of malware for everything from defacing or crippling the victim’s web sites to stealing user credentials and other sensitive data. The 2022 X-Force Threat Intelligence Index reports that 11 percent of all cybersecurity incidents in 2021 were server access attacks.


Technically, botnets are not malware—they are created using malware. A botnet is a network of internet-connected, malware-infected devices—PCs, smartphones, Internet of Things (IoT) devices, and more. The malware creates a backdoor through which the hacker can control the devices, remotely. Hackers create botnets to launch distributed denial of service (DDoS) attacks—attacks that bombard a target network with so much fraudulent traffic that the network slows to a crawl or shuts down completely.


A cryptojacker is malware that takes remote control of a device and uses it to ‘mine’ cryptocurrency—an extremely compute-intensive and expensive task. (Essentially, cryptojackers create cryptomining botnets.) Cryptocurrencies pay rewards, usually in cryptocurrency, to people who provide computing power for mining. Cryptojacking enables cybercriminals to reap these rewards using other people’s devices.

Fileless malware

Fileless malware is malware that operates in memory and injects malicious code or scripts into legitimate applications. Because it doesn’t leave a signature—a string of bytes characteristic to malware—fileless malware can’t be identified and removed with traditional antivirus software, but many of the latest next-generation antivirus (NGAV) solutions can catch it.

Other types of malware

  • Worms are malicious code that replicates and spreads itself without human interaction. (Compare to a virus, which typically has to be opened by an unwitting user before it can duplicate and spread itself.)
  • Trojans, named after the Trojan Horse of mythology, are a type of malicious code that disguises itself as—or hides within—legitimate software and then runs whenever the user runs the legitimate software.
  • Rootkits are malware packages that gain unauthorized, privileged access to a computer’s operating system or other assets, and that use that access, or other software, to ‘hide’ and avoid detection. (The malware takes its name from the ‘root’ account, the privileged access admin account on Linux or Unix systems.) Rootkits can reconfigure the operating system and other software on the system - including security software that might identify and remove the rootkit.
  • Scareware tries to frighten users into making poor choices—downloading malware, passing personal or sensitive information to a fraudster—typically by falsely warning users that they’ve broken the law or, ironically, been infected by a virus. Scareware often takes the form of an on-screen pop-up that’s difficult to close without shutting down the web browser.
  • Spyware is just what it sounds like—malware that hides on the infected computer, gathers private or sensitive information, and transmits it back to the attacker. One type of spyware, called a keylogger, can gain access to a user’s usernames, passwords, bank account and credit card numbers, Social Security number and other extremely sensitive information by recording the user’s keystrokes.
  • Adware displays unwanted, annoying pop-ups and online ads to users while they try to use their web browsers. Most adware is attached to free software—when users download and install the software, they install the adware, too. Most adware is little more than an annoyance that otherwise doesn’t harm the target computer or network. But one class of adware, called malvertising, uses online ads to inject malicious code into online ads and advertising networks.

Malware vectors: How malware attacks happen

Like malware itself, malware delivery methods or pathways,  called vectors, are numerous and evolving. Tracking these tactics is critical to malware prevention, detection and response. Some of the most commonly-used malware vectors include:

  • Phishing scams and other social engineering tactics: Phishing messages—sent via email, SMS messaging or text messaging apps—are designed to manipulate users into downloading a malicious email attachment, or visiting a malicious web site that passes malware to the user’s computer or mobile device without the user’s knowledge. Phishing messages are often crafted to look like they come from a trusted brand or indivdual, and they typically try to evoke fear (‘We’ve found 9 viruses on your phone!’), greed (‘You have an unclaimed payment waiting for you!’) or urgency (‘You’re running out of time to claim your free gift’) to get users to take the desired action. It's a powerful combination, and phishing is the most common vector for delivering ransomware and other malware attacks.
  • System or device vulnerabilities: Cybercriminals are constantly searching for unpatched vulnerabilities in software, devices and networks that allow them to inject malware into the target’s software or firmware. IoT devices—many of which a sold and deployed with minimal or no security—are a huge and fertile field for cybercriminals sowing malware.
  • Removable media: Users can’t resist the temptation to use ‘found’ USB drives, and cybercriminals are happy to take advantage by leaving malware-laden thumb drives where users might find them. One recent study found that 37% of known cyberthreats are designed to exploit removable media (link resides outside of ibm.com); another traced 9% of security incidents in January, 2022 to USB drives and other removable media (link resides outside of ibm.com).
  • File-sharing: File-sharing networks—particularly those where users share illegal copies of videos or games—are notorious playgrounds for cybercriminals who embed malware payloads in popular downloads or torrents. But malware can also be embedded in seemingly legitimate software downloads, particularly free ones.

Malware prevention, detection and response

Successful malware threat protection requires a comprehensive approach across the organization and participation at all levels—from security teams, to IT staff, to employees and business partners. User training, security policies and cybersecurity technologies all play a critical role.

User training

Users are the first line of defense in an organization’s malware protection scheme. Today most organizations formally train users to behave in ways that minimize the risk of malware and other cybersecurity threats. Lessons include

  • Basics guidelines—e.g., ‘don’t open email attachments you weren’t expecting’, ‘don’t download software not explicitly authorized for use by the IT department.’
  • Myth busting—e.g., ‘yes, you still need to be vigilant about malware if you use an Apple Mac, Apple iOS or Google Android device’
  • Proper password hygiene—e.g., not using the same or similar passwords for multiple logins
  • Sophisticated techniques—e.g,. tips for identifying phishing emails that appear to be legitimate messages sent by trusted brands, or by executives at the target’s own corporation.

Most end-user security training also instructs users on specific actions to take, including who to contact, in the event of an actual or suspected malware threat.

Security policies

Security policies set IT standards for IT technologies and behavior to minimize or eliminate the risk of cybersecurity threats. These policies define things such as the type and strength of encryption for emails, the minimum length and content of passwords, and network access privileges.

Policies aimed specifically at preventing malware might proscribe

  • Restrictions or outright bans on the use of USB drives or other removable file storage devices.
  • A formal permission process for downloading application software not authorized by the IT department.
  • The frequency with which applications and security software should be updated or patched.

Cybersecurity technologies

Modern cybersecurity technologies fall into two general categories.

Preventative security tools are designed to catch, isolate and eliminate known or identifiable cybersecurity threats. Many of these—antivirus software (including next-gen antivirus, or NGAV), anti-malware and malware removal software, firewalls, URL filters—are familiar to most users.

Detection and response technologies are enterprise security solutions that help security teams quickly identify and respond to malware and other threats that elude preventative tools. These solutions typically integrate with preventative security tools, threat intelligence feeds and other sources of security-related data. They identify indicators of malware and other cyberthreats—called indicators of compromise (IOCs)—using advanced analytics and AI. And they enable security teams to automate certain tasks, to speed incident response and limit or prevent resulting damage.

Some of the most commonly-used detection and response technologies include:

  • SOAR (security orchestration, automation and response). SOAR integrates and coordinates disparate security tools, enabling security teams to create semi- or fully-automated ‘playbooks’ for responding to potential or actual threats.
  • EDR (endpoint detection and response). EDR collects data continuously from all endpoints on the network, including desktop and laptop computers, servers, mobile devices, IOT devices and more. It correlates and analyzes the data in real time for evidence of known threats or suspicious behaviors.
  • XDR (extended detection and response). An emerging technology, XDR integrates security tools across an organization’s entire hybrid IT infrastructure—not just endpoints but networks, email, applications, cloud workloads and more—to interoperate and coordinate on cyberthreat prevention, detection and response. 

Fighting malware with a zero trust approach

Zero trust describes an approach to cybersecurity that assumes that malware and other cyberattacks will successfully breach a network’s perimeter defenses, and consequently focuses on making it more difficult for attackers to move throughout the network and accomplish their goals once they’re ‘in.’ Cybersecurity measures related to a zero trust approach include (but are in no way limited to):

  • A policy of least-privileged access for user and administrative accounts;
  • Microsegmentation, which involves dividing the network into subsegments with granular, least privileged access to each;
  • Multi-factor authentication, which users to verify identity using at least one other authentication factor in addition to a password, or at least two other identification factors instead of a password;
  • Adaptive authentication, which requires users to provide additional authentication factors based on different risks associated with different requests—e.g., accessing particularly sensitive data, or logging in to the network from a different location or using a different device.

A zero-trust approach limits users strictly to the access they need to perform their roles, and requires renewed or additional verification whenever users request additional access. This can greatly diminish the impact of ransomware and other malware that penetrates the network and then lurks for months, attempting to gain increased access to data and other resources in preparation for an attack.