Malware may be the biggest threat to your organization.
If a malware attack is successful, it can result in lost revenue, unexpected down time, stolen data, and more costly consequences. There are multiple kinds of malware, and attackers are continually investing in more complex, harder-to-detect versions. Now is the time to take proactive steps to protect your organization.
What Is Malware?
Malware is malicious software deployed by a threat actor to wreak havoc on an organization or individual. Malware is usually found attached to emails, embedded in fraudulent links, hidden in ads, or lying in-wait on various sites that you (or your employees) might visit on the internet. The end goal of malware is to harm or exploit computers and networks, often to steal data or money.
All it takes is one wrong click by one employee for the malware to install itself and begin to execute its program. The rate of malware attacks continue to increase, the costs associated continue to climb, and the threat vectors and attack types continue to grow in variety and complexity — ransomware gangs, for example, are on the rise and responsible for the majority of major ransomware attacks. Not to mention, more organizations utilizing IoT devices and digitizing means supply chain attacks are bound to increase.
Now that we understand what malware is, we need to explore the many shapes it takes and how those forms impact organizations of all sizes and industries.
What Are the Most Common Types of Malware Attacks?
Adware — commonly called “spam” — is unwanted or malicious advertising installed on your endpoint. While relatively harmless, it can be irritating, as adware can hamper your computer’s performance. In addition, these ads may lead users to download more harmful types of malware inadvertently. To defend against adware, make sure you keep your operating system, web browser, and email clients updated so they can block known adware attacks before they are able to download and install.
2) Fileless Malware
Unlike traditional malware, which uses executable files to infect devices, fileless malware doesn’t directly impact files or the file system. Instead, this type of malware uses non-file objects like Microsoft Office macros, PowerShell, WMI, and other system tools. According to recent research, 40% of global malware is fileless. PowerShell was the top TTP for threat actors in 2022, according to research by Arctic Wolf Labs.
Because there’s no executable file, it is difficult for antivirus software to protect against fileless malware. The best way to limit what fileless malware can do is to limit users’ credentials.
By employing least privilege access, where users are only given the rights and privileges needed to do a specific task, an organization also limits the risk of fileless malware. Utilizing a Zero Trust network access (ZTNA) framework and employing multi-factor authentication (MFA) on all devices are two ways to limit the possible attack surface.
A virus infects other programs and can spread to other systems, in addition to performing its own malicious acts. A virus is attached to a file and is executed once the file is launched. The virus will then encrypt, corrupt, delete, or move your data and files. Viruses will often be attached to phishing emails and lead to larger attacks like business email compromise (BEC) attacks.
To defend against viruses, an enterprise-level antivirus solution can help you protect all your devices from a single location while maintaining central control and visibility. Make sure that you run full scans frequently and keep your antivirus definitions up to date.
In addition, utilizing security awareness training can help users identify malicious-looking files, especially if they arrive through phishing emails.
Like a virus, a worm can duplicate itself in other devices or systems. Unlike viruses, worms do not need human action to spread once they are in a network or system. Worms often attack a computer’s memory or hard drive. To protect yourself against worms you should make sure every device is updated with the latest patches. Technology like firewalls and email filtering will also help you detect files or links that may contain a worm.
A Trojan program pretends to be a legitimate one, but it is in fact malicious. A Trojan can’t spread by itself like a virus or worm, but instead must be executed by its victim, often through social engineering tactics such as phishing. Trojans rely on social engineering to spread, which puts the burden of defense on users. Unfortunately, in 2022, 82% of breaches involved the human element, making Trojans especially dangerous to organizations.
A bot is a software program that performs an automated task without requiring any interaction. Bots can execute attacks much faster than humans ever could.
A computer with a bot infection can spread the bot to other devices, creating what’s known as a botnet. This network of bot-compromised machines can then be controlled and used to launch massive attacks — such as DDoS attacks or brute force attacks — often without the device owner being aware of its role in the attack. Bots are also used for crypto mining on specific hardware. One way to control bots is to use tools that help determine if traffic is coming from a human user or a bot.
For example, you can add CAPTCHAs to your forms to prevent bots from overwhelming your site with requests. This can help you identify and separate good traffic from bad. Site traffic should always be monitored, and organizations should make sure they’re using updated browsers and user agents.
Arguably the most common form of malware, ransomware attacks encrypt a device’s data and holds it for ransom. If the ransom isn’t paid by a certain deadline, the threat actor threatens to delete or release the valuable data (often opting to sell it on the dark web).
Ransomware is rising at alarming rates. In 2022, nine of our top 20 breaches involved ransomware (45%) and based on ransomware incidents investigated by Arctic Wolf® Incident Response, the median initial ransom demand across all industries was $500,000 USD.
Ransomware gangs, as well as individual actors, are continuing to see the payoff in attacking high-value targets like supply chains and critical infrastructure. The ransomware-as-a-service model, in particular, is becoming the preferred method for threat actors. In addition, double and triple extortion have made ransomware more lucrative for threat actors and more damaging for organizations.
Fighting ransomware takes a holistic response. An MDR solution can help organizations monitor their environment and act in case of an immediate threat. In addition, security awareness training can help users spot social engineering tactics that may lead to a ransomware attack. If an incident occurs, having a strong incident response plan and solution can be the difference between stopping a threat and having to pay a hefty ransom.
Cybercriminals use spyware to monitor the activities of users. Spyware often leads to credential theft, which in turn can lead to a devastating data breach. It often originates in corrupt files, or through downloading suspicious files.
Keyloggers are a common kind of spyware that monitors and records users’ keystrokes. With this kind of spyware, hackers can steal credentials as well as credit card numbers and other data that may be entered into a system through typing.
Other kinds of spyware include:
- Adware, which you can learn more about above
- Rootkits, which are becoming a more common tool in the threat actor’s toolkit
- Tracking cookies
- Trojan horses, which you can learn more about above
Spyware is often employed in the early stages of a breach — often called the reconnaissance or investigation stage — where the threat actor is exploring the system, looking for ways to increase access without being detected. While spyware can be inserted through vulnerability exploits, social engineering tactics are often used to launch spyware without a user even realizing it’s happened.
Identity and access management techniques, like multi-factor authentication (MFA), can prevent credential theft that often happens with spyware.
9) Mobile Malware
As the name suggests, mobile malware is designed specifically to target mobile devices. This kind of malware has become more common not just with the proliferation of smart phones, but with the increase of mobile and tablet use by organizations and employees.
Mobile malware can employ several tactics, including spying and recording texts and phone calls (a form of spyware), impersonating common apps, stealing credentials, or accessing data on the device. Mobile malware often spreads through smishing, also known as SMS phishing, which is a form of phishing that comes through text messages.
Other forms of mobile malware include remote access tools, bank Trojans, and crypto mining malware. As phones become a more valuable tool in the workplace, often including the device used in MFA applications, they become a larger target for threat actors.
Rootkits were not originally designed as malware, but they have become a common attack vector for threat actors. A rootkit allows a user to maintain privileged access within a system without being detected. In short, rootkits give a user administrative level access while concealing that access, allowing them to take over a given device. Rootkits are often the first stage in a breach, and after employing one, a threat actor can install more malware, launch a DDoS attack, or take other nefarious actions. Rootkits can also install and hide keyloggers, a common kind of spyware.
Rootkits are often installed through vulnerability exploits, highlighting the need for a robust vulnerability management program. Like all malware, they can also take hold through social engineering tactics.
How to Defend Against Malware
No one wants to learn there is malware in their system or that an attack that originated with malware is causing massive damage. The best approach, in this case, is a proactive one. That means utilizing both tools and humans, and taking a holistic visibility approach to the telemetry those tools provide.
Defenses against malware include:
1. Employing Monitoring and Detection Tools
These tools can monitor your environment for unusual behavior that is caused by malware and can alert your security team to the behavior, allowing your organization to take swift action against threats in the earliest stages.
2. Utilizing Security Awareness Training
Humans are a common vector for threat actors, especially through phishing and other social engineering tactics. All it takes is one click on a suspicious email to launch a major attack. Security awareness training creates a culture of security and helps users understand how they are both the first line of defense and often the first target for hackers.
3. Have a Vulnerability Management Program
In 2022, there were over 25,000 vulnerabilities recorded, and over 800 were actively exploited. In addition, many attacks that began with an exploited vulnerability could’ve been previously patched or mitigated. By regularly scanning for, and patching vulnerabilities, an organization is going a long way to protect themselves from malware, including rootkits.
4. Implement a Zero Trust Framework
A Zero Trust framework, part of identity and access management, limits user’s access and ensures that all users must be verified (through techniques like MFA) before access is granted. If malware like spyware is able to gain credentials, this will prevent forward or lateral movement by the threat actor.
Create a Security Operations Program
Cybercrime is rising, and it can be difficult to keep up. By creating an internal security operations program, or outsourcing with an MDR solution, organizations can take significant steps on their security journey to end cyber risk.
Learn more about malware and other emerging threats with 2023 Trends: The State of Cybersecurity and our inaugural 2023 Labs Threat Report.
Explore defense options with our Comprehensive Guide to Security Operations.