What is a malware attack?
A malware attack is a common cyberattack in which malware (malicious software) executes unauthorized actions on the victim’s system. Malware (often loosely called a virus) encompasses many specific types of attacks, such as ransomware, spyware, command and control, and more.
Criminal organizations, state-sponsored groups, and other types of threat actors have been accused of (and, in some cases, caught) deploying malware. Like other types of cyber attacks, some malware attacks end up with mainstream news coverage due to their severe impact.
An example of a famous malware attack is the WannaCry ransomware attack.
Malware attacks examined
Malware discussion typically encompasses three main aspects:
- Objective: What the malware is designed to achieve
- Delivery: How the malware is delivered to the target
- Concealment: How the malware avoids detection (this item is beyond the scope of this discussion)
Here’s a breakdown of some of the objectives and delivery mechanisms observed in malware.
Objectives
Malware is created with an objective in mind. While it could be said that the objective is “limited only to the imagination of its creator,” this discussion will focus on some of the most common objectives observed in malware.
Exfiltrate information
Stealing data, credentials, payment information, etc. is a recurring theme in the realm of cybercrime. Malware focused on this type of theft can be extremely costly to a person, company, or government target that falls victim.
Disrupt operations
Actively working to “cause problems” for a target’s operation is another objective seen in malware. The level of “disruption” can vary, from a virus on a single computer corrupting critical OS files (making that one system unusable) to an orchestrated, physical self-destruction of many systems in an installation. There is also the scenario where infected systems are directed to carry out large-scale distributed denial of service (DDoS) attacks.
Demand payment
Some malware is focused on directly extorting money from the target. Scareware uses empty threats (ones which are unsubstantiated and/or couldn’t actually be carried out) to “scare” the target into paying some money. Ransomware is a type of malware that attempts to prevent a target from accessing their data (usually by encrypting files on the target) until the target “pays up.” While there is debate over whether victims of ransomware should or should not pay, it has become enough of a threat that some companies have preemptively purchased Bitcoin just in case they get hit with ransomware and decide to pay the ransom.
Types of malware attack vectors
There are three main types of malware attack vectors:
Trojan horse
This is a program which appears to be one thing (e.g. a game, a useful application, etc.) but is really a delivery mechanism for malware. A trojan horse relies on the user to download it (usually from the internet or via email attachment) and run it on the target.
Virus
A virus is a type of self-propagating malware which infects other programs/files (or even parts of the operating system and/or hard drive) of a target via code injection. This propagation by injecting itself into existing software or data is what distinguishes a virus from a trojan horse (which bundles malware into one specific application and does not attempt to infect others).
Worm
Malware designed to propagate itself into other systems is a worm. While virus and trojan horse malware are localized to one infected target system, a worm actively works to infect other targets (sometimes without any interaction on the user’s behalf).
Over the years, malware has been observed to use a variety of delivery mechanisms, or attack vectors. While a few are admittedly academic, many are effective at compromising their targets. These attack vectors generally arrive over electronic communications such as email, text messages, a vulnerable network service, or a compromised website, but malware can also be delivered via physical media (e.g. a USB thumb drive, CD/DVD, etc.).
Best practices against malware attacks
The following best practices can help prevent a malware attack from succeeding and/or mitigate the damage done by a malware attack.
Continuous user education
Training users on best practices for avoiding malware (e.g. don’t download and run unknown software, don’t blindly insert “found media” into your computer), as well as how to identify potential malware (e.g. phishing emails, unexpected applications/processes running on a system), can go a long way in protecting an organization. Periodic, unannounced exercises, such as internal phishing campaigns, can help keep users aware and observant.
Use reputable A/V software
When installed, a suitable A/V solution will detect (and remove) any existing malware on a system, as well as monitor for and mitigate potential malware installation or activity while the system is running. A/V software is also a core component of strong endpoint security, helping prevent malware from gaining a foothold on user devices.
Ensure your network is secure
Controlling access to systems on your organization’s network is important for many reasons. Using proven technologies and methodologies, such as firewalls, intrusion detection and prevention systems (IDPS), and limiting remote access through a VPN, can help reduce the attack surface your organization exposes. Physical system isolation is usually considered an extreme measure, and even an isolated system remains vulnerable to certain attack vectors (such as physical media). Additionally, applying the principle of least privilege helps limit the impact of a malware infection by restricting what compromised accounts or processes can access.
Perform regular website security audits
Scanning your organization’s websites regularly for vulnerabilities (e.g. software with known bugs, server/service/application misconfiguration) should be part of an ongoing vulnerability management program that identifies and remediates risks before malware can exploit them. Regular scanning and visibility across internet-facing assets also supports broader exposure management efforts by helping security teams understand and reduce the attack surface.
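One concrete piece of such a program is checking every internet-facing asset against the versions in which known bugs were fixed. The script below is an added example, not code from the original article or any vendor; the asset inventory, the software names and the “fixed in” versions are all constructed sample data, and in practice they would come from an asset inventory and from vendor advisories.

```python
"""Flag internet-facing assets running software older than the fixed version.

Added example, not part of the original article. INVENTORY and FIXED_VERSIONS
below are constructed sample data with hypothetical host and product names.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    host: str
    software: str
    version: str


# Constructed advisory data: software -> first version that contains the fix.
FIXED_VERSIONS = {
    "example-httpd": "1.25.4",
    "example-cms": "6.4.3",
    "example-sshd": "9.6",
}

# Constructed inventory of internet-facing assets (hypothetical hosts).
INVENTORY = [
    Asset("www.example.test", "example-httpd", "1.24.0"),
    Asset("www.example.test", "example-cms", "6.4.3"),
    Asset("blog.example.test", "example-cms", "6.3.1"),
    Asset("bastion.example.test", "example-sshd", "9.6"),
    Asset("legacy.example.test", "example-sshd", "8.9p1"),
]


def parse_version(text: str) -> tuple:
    """Turn '8.9p1' or '1.25.4' into a comparable tuple of integers.

    A non-numeric suffix (the 'p1' in '8.9p1') is dropped, which is enough
    for the major.minor.patch comparisons used here; anything missing is 0.
    """
    parts = []
    for piece in text.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def is_vulnerable(asset: Asset, fixed: dict = FIXED_VERSIONS) -> bool:
    """True when a fix exists for this software and the asset runs an older version."""
    fixed_version = fixed.get(asset.software)
    if fixed_version is None:
        return False  # no recorded issue for this software
    return parse_version(asset.version) < parse_version(fixed_version)


def audit(inventory=INVENTORY, fixed=FIXED_VERSIONS) -> list:
    """Return (host, software, running, fixed_in) for every asset that needs a patch."""
    findings = []
    for asset in inventory:
        if is_vulnerable(asset, fixed):
            findings.append((asset.host, asset.software, asset.version, fixed[asset.software]))
    return findings


if __name__ == "__main__":
    for host, software, running, fixed_in in audit():
        print(f"{host}: {software} {running} is below fixed version {fixed_in}")
```

The version parser deliberately ignores vendor-specific suffixes; if your inventory carries distribution backports (where a patched build keeps an old version string), the check needs to key on the package build identifier rather than the upstream version, or it will report false positives.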
Create regular, verified backups
Having a regular (current and automated) offline backup can be the difference between smoothly recovering from a destructive virus or ransomware attack and stressful, frantic scrambling with costly downtime and data loss. The key is to ensure backups are actually happening on schedule, verified, and usable for restore operations. Old or outdated backups are far less valuable than recent ones, and backups that fail during a restore are effectively useless.
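“Verified” means more than checking that a backup job exited cleanly: the backup has to be restored and compared against what was backed up. The script below is an added example, not code from the original article; it creates a backup of a directory, writes a SHA-256 manifest alongside it, then performs a test restore into a scratch directory and compares every file hash. The sample source files and the simulated corruption are constructed, and the whole run happens under a temporary directory so it can be executed anywhere.

```python
"""Create a directory backup with a hash manifest, then prove it restores cleanly.

Added example, not from the original article. All paths are created under a
temporary directory; the sample files and the corruption step are constructed.
"""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large files do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file path (relative to root) to its SHA-256 digest."""
    return {
        str(p.relative_to(root)): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def create_backup(source: Path, backup_dir: Path) -> Path:
    """Copy source into backup_dir/data and record backup_dir/manifest.json."""
    shutil.copytree(source, backup_dir / "data")
    manifest = build_manifest(source)  # hashes of the originals, not the copies
    (backup_dir / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return backup_dir


def verify_backup(backup_dir: Path) -> list:
    """Restore the backup to a scratch directory and compare every file hash.

    Returns a list of problems; an empty list means the backup restored cleanly.
    """
    expected = json.loads((backup_dir / "manifest.json").read_text())
    problems = []
    with tempfile.TemporaryDirectory() as scratch:
        restored = Path(scratch) / "restore"
        shutil.copytree(backup_dir / "data", restored)  # the actual restore step
        actual = build_manifest(restored)
        for rel, digest in expected.items():
            if rel not in actual:
                problems.append(f"missing after restore: {rel}")
            elif actual[rel] != digest:
                problems.append(f"hash mismatch after restore: {rel}")
        for rel in actual:
            if rel not in expected:
                problems.append(f"unexpected file in restore: {rel}")
    return problems


def demo() -> tuple:
    """Run one full cycle on constructed data; return (clean_result, corrupted_result)."""
    with tempfile.TemporaryDirectory() as tmp:
        source = Path(tmp) / "source"
        (source / "docs").mkdir(parents=True)
        (source / "docs" / "notes.txt").write_text("quarterly figures\n")
        (source / "config.ini").write_text("[db]\nhost=localhost\n")

        backup = create_backup(source, Path(tmp) / "backup")
        clean = verify_backup(backup)

        # Simulate silent corruption of the backup medium (constructed failure).
        (backup / "data" / "config.ini").write_bytes(b"\x00" * 16)
        corrupted = verify_backup(backup)
    return clean, corrupted


if __name__ == "__main__":
    clean, corrupted = demo()
    print("fresh backup problems:", clean)
    print("after corruption:", corrupted)
```

Two design points matter here. The manifest is computed from the source files, not from the copied data, so a copy that silently truncates or corrupts a file is caught on the very first verification. And the verification performs a real restore rather than hashing the backup in place, which is the only way to find out that the restore path itself works.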
Even with strong prevention measures in place, organizations should also maintain a well-defined incident response plan to quickly contain and remediate malware infections if they occur.
Malware summary
Malware takes on many different forms and attacks in different ways. But with some thoughtful preparation and process improvements, as well as ongoing user education, your organization can gain and maintain a solid security stance against malware attacks.