If a malware attack is successful, it can result in lost revenue, unexpected down time, stolen data, and more costly consequences.
With over 450,000 new malicious programs registered each day by independent IT security institute AV-Test, malware may be the biggest threat to your organization.
There are many different types of malware and attackers are continually innovating more complex, harder-to-detect versions. Now is the time to take proactive steps to protect your organization.
What Is Malware?
Malware is any malicious code, software, or script deployed by a threat actor to wreak havoc on an organization or individual. Malware is usually found attached to emails, embedded in fraudulent links, hidden in ads, or lying in wait on various sites that you (or your employees) might visit. The end goal of malware is to harm or exploit computers and networks, often to steal data or money.
All it takes is one wrong click by one employee for the malware to install itself and begin to execute its program. The rate of malware attacks continues to increase, the costs associated continue to climb, and the threat vectors and attack types continue to grow in variety and complexity. For example, ransomware-as-a-service (RaaS) has opened new malware attack avenues to cybercriminals who lack the technical expertise of seasoned professionals. Not to mention, more organizations are utilizing IoT devices and increasing digitization, which means supply chain attacks are bound to increase.
What Are the Most Common Types of Malware Attacks?
1. Adware
Adware — commonly called “spam” — is unwanted or malicious advertising installed on an endpoint. While relatively harmless, it can be irritating, as adware can hamper your computer’s performance. In addition, these ads may lead users to download more harmful types of malware inadvertently through clicking on links in the malicious ads. To defend against adware, make sure you keep your operating system, web browser, and email client updated so they can block known adware attacks before they are able to download and install.
2. Fileless Malware
Unlike traditional malware, which uses executable files to infect devices, fileless malware doesn’t directly impact files or the file system. Instead, this type of malware uses non-file objects like Microsoft Office macros, PowerShell, WMI, and other system tools. And this type is on the rise. According to recent research, there was a 1,400% increase in fileless malware attacks in 2023 over the previous year.
Because there’s no executable file, it is difficult for antivirus software to protect against fileless malware. The best way to limit what fileless malware can do is to limit users’ credentials. Employing multi-factor authentication (MFA) on all devices and utilizing the principle of zero trust — where every user is held to the same scrutiny when trying to access a system, program, or asset — are two other strong ways to limit the possible attack surface.
3. Viruses
A virus infects other programs and can spread to other systems, in addition to performing its own malicious acts. A virus is attached to a file and is executed once the file is launched. The virus will then encrypt, corrupt, delete, or move your data and files. Viruses will often be attached to phishing emails and lead to larger attacks like business email compromise (BEC).
An enterprise-level antivirus solution can help you protect all your devices from viruses from a single location while maintaining central control and visibility. Make sure that you run full scans frequently and keep your antivirus definitions up to date. In addition, utilizing security awareness training can help users identify malicious-looking files, especially if they arrive through phishing emails.
A Brief History of the Computer Virus
The idea of self-replicating computer viruses was first posited by computer scientist John von Neumann in 1966. It would take only five years for the prediction to come true. Dubbed “Creeper”, the world’s first computer virus was developed by Bob Thomas. It was designed to, well, creep along the ARPANET, an early form of computer network that was one of the foundational technologies that would give rise to the Internet. “Creeper” was benign, something it doesn’t have in common with its malicious offspring.
4. Worms
Like a virus, a worm can duplicate itself in other devices or systems. Unlike viruses, worms do not need human action to spread once they are in a network or system. Worms often attack a computer’s memory or hard drive. Vulnerability management is the key to protecting yourself against worms, so a priority should be ensuring that every device is updated with the latest available patches. Technology like firewalls and email filtering can also help you detect files or links that may contain a worm.
5. Trojans
A Trojan program — like its namesake horse found in Greek mythology — pretends to be innocuous, but it is in fact malicious. A Trojan can’t spread by itself like a virus or worm, but instead must be executed by its victim, often through social engineering tactics such as phishing. Trojans rely on social engineering to spread, which puts the burden of defense on users. Unfortunately, in 2023, 74% of all breaches involved the human element, making Trojans especially dangerous to organizations.
The King of Malware?
Emotet — a Trojan spread primarily through phishing — first appeared in 2014. Since then, it has surged in and out of prominence multiple times, thanks to its modular structure and ability to serve as a delivery program for other forms of malware. According to CISA, “Emotet is difficult to combat because of its ‘worm-like’ features that enable network-wide infections.” This is likely why it’s gained a reputation in cybersecurity circles as the “king of malware.”
6. Bots
A bot is a software program that performs an automated task without requiring any interaction. Bots can execute attacks much faster than humans ever could.
A computer with a bot infection can spread the bot to other devices, creating what’s known as a botnet. This network of bot-compromised machines can then be controlled and used to launch massive attacks — such as DDoS attacks or brute force attacks — often without the device owner being aware of its role in the attack. One way to control bots is to use tools that help determine if traffic is coming from a human user or a bot.
For example, you can add CAPTCHAs to your forms to prevent bots from overwhelming your site with requests. This can help you identify and separate good traffic from bad. Site traffic should always be monitored, and organizations should make sure they’re using updated browsers and user agents.
7. Ransomware
Arguably the most common form of malware, ransomware attacks encrypt a device’s data and hold it for ransom. If the ransom isn’t paid by a certain deadline, the threat actor threatens to permanently delete the data or — in double extortion models — release the valuable data on the dark web.
Ransomware gangs, as well as individual actors, are continuing to see the payoff in attacking high-value targets like supply chains and critical infrastructure. The ransomware-as-a-service (RaaS) model is becoming a preferred method for threat actors, with many cybercriminals relying on specialized services and offerings to conduct intrusions, and we expect those offerings to expand and evolve in 2024 to bypass security controls.
See Arctic Wolf’s 2024 Cybersecurity Predictions
Fighting ransomware takes a holistic response. A managed detection and response (MDR) solution can help organizations monitor their environment and act in case of an immediate threat. In addition, security awareness training can help users spot social engineering tactics that may lead to a ransomware attack. If an incident occurs, having a strong incident response plan and solution can be the difference between stopping a threat and having to pay a hefty ransom.
Maybe the House DOESN’T Always Win
All it took was one phone call to a third-party IT helpdesk by a member of the ransomware gang Scattered Spider (using ransomware from ALPHV and BlackCat) and suddenly MGM Resorts had 100 ESXi hypervisors encrypted and was unable to continue basic functions such as checking in guests, running casino operations, and more.
MGM Resorts lost $100 million due to canceled bookings, in addition to “$10 million in one-time expenses in the third quarter related to the cybersecurity issue, which consisted of technology consulting services, legal fees and expenses of other third-party advisors,” per their filing.
8. Spyware
Cybercriminals use spyware to monitor the activities of users. Spyware often leads to credential theft, which in turn can lead to a devastating data breach. It often originates in corrupt files, or through downloading suspicious files.
Spyware is an umbrella category under which many of the other types of malware we’ve discussed can be collected — adware, rootkits, keyloggers and trojan horses are all kinds of spyware — however there are additional forms of spyware that allow threat actors to track your cookies and monitor your internet activity, monitor system usage or steal targeted info like conversations in messaging apps.
Spyware is often employed in the early stages of a breach — often called the “reconnaissance” or “investigation” stage — where the threat actor is exploring the system, looking for ways to increase access without being detected. While spyware can be inserted through vulnerability exploits, social engineering tactics are often used to launch spyware without a user even realizing it’s happened.
Identity and access management (IAM) techniques, like MFA, can prevent the reconnaissance and data theft that often happens with spyware.
9. Mobile Malware
As the name suggests, mobile malware is designed to specifically target mobile devices. This kind of malware has become more common, not just with the proliferation of smart phones, but with the increase of mobile and tablet use by organizations and employees as remote work models expand.
Mobile malware can employ several tactics, including spying on and recording texts and phone calls on your mobile devices (another form of spyware), impersonating common apps, stealing credentials, or accessing data on the device. Mobile malware often spreads through smishing, also known as SMS phishing, which is a form of phishing that comes through text messages.
Other forms of mobile malware include remote access tools and bank Trojans. As phones become a more valuable tool in the workplace, they become a larger target for threat actors.
10. Rootkits
Rootkits were not originally designed as malware, but they have become a common attack vector for threat actors. A rootkit allows a user to maintain privileged access within a system without being detected. In short, rootkits give a user administrative-level access while concealing that access, allowing them to take over a given device. Rootkits are often the first stage in a breach, and after employing one, a threat actor can install more malware, launch a DDoS attack, or take other escalation actions. Rootkits can also install and hide keyloggers.
Rootkits are often installed through vulnerability exploits, highlighting the need for a robust vulnerability management program. Like all malware, they can also take hold through social engineering tactics, which reinforces the need for robust security awareness training.
11. Keyloggers
Keyloggers are a common kind of spyware that monitors and records users’ keystrokes. Once this type of malware is installed onto an endpoint, hackers can monitor and record every single keystroke a user makes, giving them full access to a user’s movements in a system and online, as well as giving them access to any and all credentials that may be entered into a system through typing.
While there are legitimate uses for keylogging software — parents wishing to monitor their children’s activity online or organizations wishing to monitor their employees — malicious keyloggers are used to gain information and steal credentials. This can allow users to access bank accounts, steal identities, or gain access to other systems and environments.
Once again, the solution to staying safe from keyloggers lies in effective security awareness training that educates users into the techniques and tactics threat actors use and shows them how to spot a social engineering attack.
12. Wiper Malware
Wiper malware stands apart from its malicious brethren, in that it’s not interested in observation or exfiltration — only deletion. Since it’s a tool of disruption and destruction, it’s most employed by either nation-state attackers looking to interrupt supply chains and military operations, or by so-called “hacktivists” seeking to right perceived wrongs through the interruption of an organization’s ability to conduct business.
HermeticWiper, identified in February of 2022, impacted Ukrainian organizations in the aviation, defense, financial, and IT services industries. Upon execution, the wiper malware gained read access control to any file. If allowed to continue, HeremeticWiper soon progressed to allowing the malware to load and unload device drivers and shut down a system entirely. Its arrival on the cybersecurity landscape heralded the dawn of a new class of destructive cyber attacks fueled by nation-states or experienced threat actors sympathetic to political causes and willing to sow destruction to achieve their ends.
13. Cryptojacking
Like wiper malware, cryptojacking separates itself from other forms of malware due to its goal: using an infected endpoint’s computing power to mine cryptocurrency like bitcoin. Cryptojacking, a form of botnet, can live unnoticed in a system for a long time, as the goal is to mine as much cryptocurrency as possible from as many endpoints as a threat actor can infect.
How to Defend Against Malware
No one wants to learn there is malware in their system or that an attack that originated with malware is causing massive damage. The best approach, in this case, is a proactive one. That means utilizing both tools and humans, and taking a holistic visibility approach to the telemetry those tools provide.
Defenses against malware include:
1. Employing Monitoring and Detection Tools
These tools can monitor your environment for unusual behavior that is caused by malware and can alert your security team to the behavior, allowing your organization to take swift action against threats in the earliest stages.
2. Utilizing Security Awareness Training
Humans are a common vector for threat actors, especially through phishing and other social engineering tactics. All it takes is one click on a suspicious email to launch a major attack. Security awareness training creates a culture of security and helps users understand how they are both the first line of defense and often the first target for hackers.
3. Have a Vulnerability Management Program
In 2023, there were over 29,000 vulnerabilities recorded, and over half of them were rated with a high or critical severity. In addition, many attacks that began with an exploited vulnerability could’ve been previously patched or mitigated. By regularly scanning for, and patching vulnerabilities, an organization is going a long way to protect themselves from malware, including rootkits.
4. Implement a Zero Trust Framework
A zero trust framework, part of IAM, limits user’s access and ensures that all users must be verified through techniques like MFA before access is granted. If malware like spyware is able to gain initial credentials, MFA can prevent forward or lateral movement by the threat actor.
Create a Security Operations Program
Cybercrime is rising, and it can be difficult to keep up. By creating an internal security operations program, or outsourcing with a trusted partner, organizations can take significant steps on their security journey to end cyber risk.
Learn more about malware and other emerging threats with the 2023 Arctic Wolf Labs Threat Report. Discover the value of Arctic Wolf® Managed Detection and Response directly from customers. Then see how our solution compares to other MDR options in the 2023 Gartner Market Guide for Managed Detection and Response services.
