Malware
Malware comes in many forms, each designed to exploit vulnerabilities, disrupt systems, or steal sensitive information. As cybercriminals continuously refine their tactics, malware threats have become more sophisticated and widespread. This article explores what malware is, the different types, how and why cybercriminals put it to use, and some practical steps you can take to protect yourself and your organisation against it.
What is malware?
Malware, an amalgamation of "malicious" and "software," refers to any software designed to harm, exploit, or otherwise compromise a device or network. Initially conceived as pranks or experimental programs, malware has evolved alongside technology to become a powerful tool for cybercriminals. Today, it is used to exploit vulnerabilities and gain illicit access to systems, often with devastating consequences.
The proliferation of malware is fuelled by the rise of digital platforms and underground marketplaces that make malicious tools accessible to even novice cybercriminals. Modern malware spans a wide range of forms, from traditional viruses to advanced threats like ransomware, posing challenges to individuals, businesses, and governments worldwide.
What are the main types of malware?
- Viruses
Viruses attach themselves to legitimate files or programs and replicate when those files are executed. Once a system is infected, a virus can spread rapidly throughout it, affecting the confidentiality, integrity and availability of files, software and, in some cases, the underlying operating system itself. Viruses often rely on user interaction, such as opening an infected email attachment.
- Worms
Unlike viruses, worms are standalone malware programs capable of self-replicating and spreading across networks without any user interaction, exploiting software or network-protocol vulnerabilities to cause widespread disruption.
- Trojans
Named after the mythical Trojan horse, Trojans masquerade as legitimate software or files to deceive users into executing them. Once activated, they can create backdoors, steal data, or download additional malware. They rely on social engineering rather than self-replication.
- Financial & political motives
DDoS is used in ransom threats (“pay or we’ll attack”), corporate sabotage, hacktivism, and cyberwarfare.
- Hard to attribute
Botnets consist of devices around the world, making it nearly impossible to trace the source.
- Evolving methods
Attackers often test targets beforehand and adjust their methods in real time. For example, multi-vector attacks, which combine volumetric, protocol, and application-layer attacks, are now common.
- Exploitation of IoT
As more devices come online, poorly secured IoT endpoints expand the attack surface. Botnets like Mirai exemplify how large-scale attacks can be launched using everyday household gadgets.
- Command & Control (C&C) networks
Attackers coordinate these machines via C&C servers, issuing instructions to launch synchronised attacks with precision.
- Ransomware
Ransomware encrypts files or locks down entire systems, holding them hostage until a ransom is paid. This increasingly prevalent malware targets individuals, businesses, and even critical infrastructure, causing significant financial losses, operational disruptions and reputational damage. The rise of Ransomware-as-a-Service (RaaS) has made these attacks more accessible, allowing even novice cybercriminals to execute sophisticated campaigns.
How do cybercriminals deliver malware?
Phishing
Phishing is a tactic in which cybercriminals impersonate trusted entities in emails, messages, or websites to deceive users into clicking malicious links or downloading infected attachments. Advanced social engineering tactics are used to make phishing emails appear more legitimate and convincing, with spear phishing further enhancing this by crafting highly personalised messages using information from social media or other sources.
Exploit kits
Exploit kits are toolkits hosted on websites that are either compromised or controlled by cybercriminals. When a user visits such a site, the kit silently scans the visitor's system for vulnerabilities and, if one is detected, deploys malware tailored to it.
Drive-by downloads
Drive-by downloads are a stealthy method cybercriminals use to distribute malware via compromised or malicious websites. Malicious scripts exploit browser or plugin vulnerabilities, such as outdated software or unpatched flaws, to download and execute malware on visitors' devices. These attacks run silently, with no warning to the user, and can reach a wide audience by leveraging legitimate websites.
Infected removable media
Infected removable media, such as USB drives or SD cards, are used by cybercriminals to distribute malware. The malware on the media executes when it is inserted into a computer, often by exploiting autorun functionality or operating-system vulnerabilities. Users may also unknowingly activate the malware by opening infected files or running malicious scripts stored on the media.
Exploiting internet-facing systems and edge devices
Cybercriminals increasingly target internet-facing systems and edge devices – such as firewalls, routers, VPN appliances, email servers, and cloud services – to deliver malware. These systems are exposed by design and often contain unpatched vulnerabilities or misconfigurations. Once exploited, attackers can gain unauthorised access and deploy malware directly into an organisation’s network, bypassing traditional security controls.
Why do cybercriminals use malware?
- Financial gain
Financial gain is a primary motivation for cybercriminals, who use malware like ransomware, banking Trojans, and credit card stealers to extort money, steal financial data, or conduct fraudulent transactions.
- Espionage and intelligence gathering
Certain cybercriminal groups, as well as nation-state actors, deploy malware for espionage purposes, infiltrating systems to steal sensitive information, intellectual property, or trade secrets for competitive or political advantage.
- Disruption and sabotage
Some cybercriminals deploy malware to disrupt operations, sabotage systems, or create chaos, for example through DDoS attacks, data destruction, or compromising critical infrastructure.
- Data theft and identity theft
Malware can be used to steal personal information, such as usernames, passwords, and credit card numbers, which can then be sold on the dark web or used for identity theft and fraud.
- Botnet recruitment
Malware can be designed to recruit infected devices into botnets, which are networks of compromised computers controlled by cybercriminals. Botnets are commonly used to carry out large-scale attacks, such as DDoS attacks, spam campaigns, or cryptocurrency mining.
- Political and ideological motivations
Hacktivist groups and politically motivated actors may deploy malware to advance their agendas, protest against specific organisations or governments, or promote ideological causes.
- Cyber warfare and state-sponsored attacks
Nation-state actors may deploy malware for offensive cyber operations, including cyber espionage, sabotage, or disruption, as part of broader geopolitical strategies or military objectives.
How can I protect against malware?
Protecting against malware requires a combination of best practices and proactive measures. Keeping operating systems, applications, and antivirus software up to date is critical for patching known vulnerabilities. Deploying reputable Endpoint Detection and Response (EDR) solutions across all devices adds a crucial layer of defence, while enabling and regularly updating firewalls helps block unauthorised access. To further strengthen security, email and web traffic should be filtered using specialised tools and browser extensions that block malicious content. Access to sensitive data should follow the principle of least privilege (granting permissions only as needed) and leverage conditional access policies that assess factors such as device health and user identity. Regularly backing up data, whether offline or in the cloud, ensures that systems can be restored in the event of an attack. Additionally, ongoing user training is essential to build awareness and minimise the risk of infection through phishing or other social engineering tactics.
It’s also critical to have a clear and tested incident response plan in place. This plan should outline the exact steps to take during a malware incident, including how to contain the threat, assess the damage, and restore operations. You can establish this in-house or together with an external partner. Want to learn more about how Incident Response (IR) works and how it can help your organisation? Visit our service page or explore our Incident Response Playbooks.
Additionally, continuous monitoring of networks, endpoints, and logs helps detect suspicious activity early. For organisations without the resources for a full in-house security team, Managed Detection and Response (MDR) services offer expert monitoring and threat response, providing peace of mind and faster reaction times when incidents occur. Want to find out if an MDR solution is the right choice for your organisation? Check out our Definitive Guide to Managed Detection and Response (MDR).
Explore our MDR service
Looking for comprehensive cybersecurity solutions tailored to your organisation's needs? Explore our Managed Detection and Response (MDR) services. Our SOC provides scalability, cost-effectiveness, and access to specialised expertise. Our MDR services help organisations detect, analyse, and respond to cyber threats in real time, leveraging advanced threat intelligence and proactive monitoring to identify and mitigate risks like ransomware and cyber espionage. We also assist in navigating cybersecurity regulations such as NIS2, providing visibility into security telemetry and log retention. With an “assume breach” mindset, we help organisations strengthen their security posture and reduce the impact of potential threats.