Malware is an umbrella term for all malicious software.
What is malware?
Malware is an umbrella term that covers all types of malicious software, including viruses, worms, Trojans, ransomware, and spyware. These programs are designed to infect computers in order to damage them, steal sensitive data, or take control of the system. In 2022, 75% of organizations experienced malware activity that spread between employees, the highest rate in recent years.[1] Once malware gains a foothold on a system, not only is the affected device in jeopardy, but every other device on the same network may be at risk. For the sake of simplicity, we will predominantly use computers as examples, but it is important to remember that malware can affect all types of digital devices, including desktops, mobile devices, and Internet of Things (IoT) devices. Data from SonicWall Capture Labs revealed that the first half of 2022 saw an 11% increase in malware attacks compared to 2021, totaling around 2.8 billion attacks globally.[2] Furthermore, over 2022, 35% of respondents stated that poor preparedness was to blame when they experienced business-disrupting cyberattacks.[3] It is therefore essential to secure your devices by installing appropriate malware protection, keeping software patched, and learning to recognize the signs of an infected system.
How does Malware infect a computer?
Malware can infect a computer in a number of ways, including through email attachments, websites, and infected software downloads. Here are some of the most common ways malware could infect your computer.
Malicious or Compromised Web Pages
A malicious web page is a web page that has been designed to infect your computer with malware. Malicious web pages are created by cybercriminals, or they can be the result of a legitimate website being compromised (otherwise known as being hacked) and altered to serve malware. Malicious web pages can infect your computer if you visit them, click on links, or download files from them. A common way that cybercriminals get their victims to visit malicious web pages is to send out mass amounts of fraudulent emails, commonly called phishing emails.
Recognizing Malicious Web Pages
The best way to avoid being a victim of an infection is to know how to recognize a malicious web page. There are a few telltale signs that a web page may be malicious.
Firstly, pay attention to the URL. A fake link may look nothing like the legitimate domain it purports to impersonate. More sophisticated examples contain misspellings or look-alike characters in a well-known domain name (a digit 1 in place of a lowercase l, for instance), or place the real brand name in a subdomain of an attacker-controlled domain, so always keep your eyes peeled. Redirect links are perhaps the most effective malicious links, as they look normal but redirect to another site. Before clicking, hover over a link to see its true destination in the browser's status bar, or check where it leads with a URL-expanding tool or by inspecting the page source.
Secondly, once on the page, it might become obvious that something is wrong, as you may find it has little or no content. Other indicators of a spoofed web page are grammar and spelling errors. However, beware, as some malicious websites may manage to look almost identical to their legitimate counterparts.
Thirdly, the web page may promote products or services that seem too good to be true. Pop-ups appearing frequently, sometimes so much so that it makes using the page a nightmare, are also signs that the page could be nefarious.
If you encounter any of these signs, it is best to exit the page immediately. To be extra safe, you can also clear your browser’s cache and cookies.
Phishing and Spear Phishing Emails
A common strategy cybercriminals use to infect a victim's computer system is sending out phishing emails. A phishing email is a social engineering attack that aims to trick victims into providing sensitive information, such as login credentials or credit card numbers, or into running malware. Cybercriminals often pose as a legitimate company or individual in order to gain the victim's trust. An example of a phishing email would be an email that appears to be from a tech company stating that there is a problem with your account and asking you to click on a link where you can install the latest security update. However, this turns out to be a malicious link that leads to a malware-infected website. A phishing email may also ask the recipient to complete an attached form, which, when opened, runs an embedded macro or executable and infects the victim's machine with malware.
Spear phishing is a more targeted version of phishing, wherein cybercriminals do their research and target a specific individual or organization. They often use personal information about the victim, such as their name, job title, or interests, to make the email more credible. An example of spear phishing would be an email that appears to be from your boss asking you to update your personal details on a malicious website or in a trojanized application.
Recognizing Phishing Emails
Phishing emails can be difficult to spot as they often look legitimate. However, there are some telltale signs that an email is a phishing attempt. Firstly, check the sender's email address, not just the display name: a phishing email will often come from a fake or spoofed address that is similar to, but not the same as, a legitimate one. Secondly, look for typos or grammatical errors in the body of the email. These can be clues that the email is not from a legitimate source. Thirdly, be wary of any emails that create a sense of urgency or require you to take immediate action, such as clicking on a link. Finally, if an email asks you for personal information, such as your login credentials or credit card number, this is a strong sign that it is a phishing email.
A classic phishing email trope is that of the Nigerian prince who needs help transferring his fortune out of the country. These emails often ask for your bank account details so that the money can be transferred to you. However, this is nothing but a scam.
Spear phishing emails are often far harder to recognize as they can be very personalized. Nevertheless, if you receive an email from a loved one asking for money, always be suspicious. If you are unsure about an email, it is always best to err on the side of caution and not click on any links or open any attachments. If the email appears to be from a legitimate source, such as your boss or a company you do business with, contact them directly through a channel you already trust (a known phone number, or a fresh email to an address you look up yourself) to confirm that the email is legitimate.
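The checks described in the two "Recognizing" sections above (a look-alike sender domain, urgency language, and a link whose visible text names one domain while its real target is another) can be automated. The following is an added example, not code from the original article: it parses a constructed sample message with Python's standard library and reports which heuristics fire. The trusted domain list, the urgency word list, and every domain and address in the sample are made up for illustration.

```python
"""Heuristic phishing checks over a constructed sample email.

Added example (not from the original article). The message, the trusted
domain list and the urgency word list are all made up for illustration.
"""
import email
import re
from email import policy
from html.parser import HTMLParser
from typing import List, Optional
from urllib.parse import urlparse

# Constructed sample: the display name and the visible link text imitate
# example-bank.com, while the real sender and link target point elsewhere.
RAW_EMAIL = b"""From: "Example Bank Security" <alerts@examp1e-bank.com>
To: victim@example.org
Subject: URGENT: your account will be suspended in 24 hours
Content-Type: text/html; charset=utf-8

<html><body>
<p>We detected a problem with your account. You must verify immediately.</p>
<p><a href="http://login.example-bank.com.evil-redirect.example/verify">
https://www.example-bank.com/security</a></p>
</body></html>
"""

TRUSTED_DOMAINS = {"example-bank.com"}  # assumed allowlist for this example
URGENCY_WORDS = {"urgent", "immediately", "suspended", "24 hours", "verify now"}


class LinkExtractor(HTMLParser):
    """Collect (visible text, href) pairs for every <a> element."""

    def __init__(self) -> None:
        super().__init__()
        self.links: List[tuple] = []
        self._href: Optional[str] = None
        self._text: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def registrable_domain(host: str) -> str:
    """Last two DNS labels; an approximation (real code should use the Public Suffix List)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to flag look-alike domains (examp1e vs example)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike(domain: str) -> Optional[str]:
    """Return the trusted domain this one resembles but is not, if any."""
    for trusted in TRUSTED_DOMAINS:
        if domain != trusted and edit_distance(domain, trusted) <= 2:
            return trusted
    return None


def analyze_email(raw: bytes) -> List[str]:
    """Return human-readable findings; an empty list means no heuristic fired."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings: List[str] = []

    # 1. Sender address: is the domain a near-miss of a trusted one?
    sender_domain = registrable_domain(msg["From"].addresses[0].domain)
    hit = lookalike(sender_domain)
    if hit:
        findings.append(f"sender domain {sender_domain} looks like {hit}")

    # 2. Urgency language in the subject and body.
    body = msg.get_body(preferencelist=("html", "plain")).get_content()
    text = (str(msg["Subject"]) + " " + re.sub(r"<[^>]+>", " ", body)).lower()
    hits = sorted(w for w in URGENCY_WORDS if w in text)
    if hits:
        findings.append("urgency language: " + ", ".join(hits))

    # 3. Links whose visible text names one domain while the href goes to another.
    parser = LinkExtractor()
    parser.feed(body)
    for shown, href in parser.links:
        target = registrable_domain(urlparse(href).hostname or "")
        m = re.match(r"(?:https?://)?([\w.-]+\.[a-z]{2,})", shown.lower())
        if m and registrable_domain(m.group(1)) != target:
            findings.append(f"link text shows {registrable_domain(m.group(1))} but goes to {target}")
    return findings


if __name__ == "__main__":
    for finding in analyze_email(RAW_EMAIL):
        print("-", finding)
```

Run against the sample, all three heuristics fire. The link check is the one worth internalizing: the href places the genuine brand name in a subdomain of an unrelated domain, which is exactly the trick the URL advice above warns about, and only the last two labels of the hostname tell you who actually controls it.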
Figure 1: An example of a bad phishing email
Infected Removable Drives
Another, less common way of infecting a system with malware relies on a stranger plugging an infected removable drive into their device. Occasionally, attackers will leave an infected USB drive in a public place hoping that someone will pick it up and plug it into their computer out of curiosity. On older systems with AutoRun enabled, malware on the drive executed as soon as it was connected; on current systems the infection more often depends on the user opening a booby-trapped document or shortcut stored on the drive, or on the device itself masquerading as a keyboard and typing commands. Always be suspicious of removable drives that are not your own, and keep AutoRun and AutoPlay disabled where your operating system still offers them.
How can I detect and respond to a malware attack?
Malware prevention
The first step to defending against any type of malware is always prevention. Malware can only do damage if it is allowed to execute on a system, so the best way to stop it is to never let it run in the first place. One of the simplest ways of making your system less vulnerable is to keep your operating system and software up to date with the latest security patches. Additionally, install a reputable antivirus program and scanner, and make sure to keep them updated with the latest malware definitions.
Malware detection
Typically, the most common way to detect malware is with tools that scan your system for known signatures of malicious code, whether an exact file hash or a characteristic byte pattern. Signature-based detection is not foolproof: a malware author can change a few bytes, recompile, or obfuscate the code so that it no longer matches, which is why modern scanners also watch for suspicious behavior. Ultimately, one of the last layers of defense is the user and their own ability to notice unusual behavior. Different types of malware exhibit their own cues, and we elaborate below on the telltale signs of the two types this article focuses on: spyware and ransomware.
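To make the limits of signature matching concrete, here is an added example (not code from the article). It scans an inert, constructed byte string that stands in for a malicious file, using a made-up signature database with one exact-hash entry and one byte-pattern entry. Two variants of the sample show how cheaply the hash layer is evaded and what the pattern layer still catches, including a brute force over single-byte XOR keys, a weak but common obfuscation. No real malware is involved.

```python
"""Signature-based scanning, and two cheap ways malware sidesteps it.

Added example (not from the article). The "sample" is an inert byte string
built here to stand in for a malicious file; the signature names are made up.
"""
import hashlib
import os
import re
from typing import Dict, List

# Constructed stand-in for a malicious executable: a header, padding, and a
# command string that real ransomware families commonly run before encrypting.
ORIGINAL_SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 60
    + b"cmd.exe /c vssadmin delete shadows /all /quiet" + b"\x00" * 20
)
# Variant 1: a single padding byte flipped. Behaviour identical, hash different.
MUTATED_SAMPLE = ORIGINAL_SAMPLE[:10] + b"\x01" + ORIGINAL_SAMPLE[11:]


def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR, a common (weak) string-obfuscation trick."""
    return bytes(b ^ key for b in data)


# Variant 2: the body XOR-encoded with one byte; a loader would decode it at run time.
OBFUSCATED_SAMPLE = xor_bytes(ORIGINAL_SAMPLE, 0x5A)

# Signature "database": an exact-hash entry and a byte-pattern entry.
HASH_SIGNATURES: Dict[str, str] = {
    hashlib.sha256(ORIGINAL_SAMPLE).hexdigest(): "Example.Ransom.A",
}
PATTERN_SIGNATURES = {
    re.compile(rb"vssadmin\s+delete\s+shadows", re.IGNORECASE): "Example.Ransom.A.pattern",
}


def pattern_hits(data: bytes) -> List[str]:
    return [name for pat, name in PATTERN_SIGNATURES.items() if pat.search(data)]


def scan(data: bytes) -> dict:
    """Run the hash layer, the pattern layer, and a single-byte-XOR brute force."""
    digest = hashlib.sha256(data).hexdigest()
    result = {
        "sha256": digest,
        "hash_match": HASH_SIGNATURES.get(digest),
        "pattern_matches": pattern_hits(data),
        "xor_key": None,  # set when a pattern only matched after XOR-decoding
    }
    if not result["pattern_matches"]:
        for key in range(1, 256):
            hits = pattern_hits(xor_bytes(data, key))
            if hits:
                result["pattern_matches"], result["xor_key"] = hits, key
                break
    return result


def scan_directory(root: str) -> Dict[str, dict]:
    """Scan every regular file under root; returns {path: result} for files that hit."""
    report = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                res = scan(fh.read())
            if res["hash_match"] or res["pattern_matches"]:
                report[path] = res
    return report


if __name__ == "__main__":
    for label, sample in [("original", ORIGINAL_SAMPLE),
                          ("mutated", MUTATED_SAMPLE),
                          ("xor", OBFUSCATED_SAMPLE)]:
        r = scan(sample)
        print(f"{label:9} hash={r['hash_match']} "
              f"pattern={r['pattern_matches']} xor_key={r['xor_key']}")
```

The original sample trips both layers; the one-byte mutation defeats the hash but not the pattern; the XOR-encoded variant defeats both until the scanner tries decoding. Real scanners go much further (emulation, unpacking, behavioral rules), but the progression is the same one the paragraph above describes.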
Malware removal
If you believe that your computer is already infected with malware, the first thing you should do is disconnect the infected device from the network, both wired and wireless, to prevent further damage and stop it reaching other devices. Then, run a full scan of your system using your antivirus program and remove any malware that is detected. If you are unsure of how to do this, you can usually find instructions by searching for your specific antivirus program online. Finally, change any passwords that may have been compromised, doing so from a device you trust, and consider contacting a professional for assistance.
Spyware covertly monitors your activity.
What is spyware?
Spyware is a type of malware that monitors your computer activities. Once the spyware infects an operating system, it begins spying on the activity associated with that device, logging important information such as passwords and other internet activity, including sites visited, social media accounts, and even financial information. Some spyware can even take control of certain features of the infected system, such as the webcam or microphone, to record audio and video footage without the victim's knowledge. This information is then relayed to the cybercriminal who is behind the nefarious program. Since 2017, businesses' detections of malware increased by 79%, with many of these being attributed to information-stealing programs such as spyware. [4]
How can I detect and respond to a spyware attack?
Spyware prevention
There are a few things you can do to prevent spyware from infecting your system. First, as we mentioned before, it is important to keep your operating system and software up to date with the latest security patches. This will help close any potential vulnerabilities that could be exploited by malware. Additionally, install a reputable external antivirus program and scanner, and make sure to keep them updated with the latest malware definitions.
Spyware detection
Spyware is notoriously difficult to detect, as it is designed to avoid detection by traditional security measures. The best way to protect yourself from spyware is to be aware of the signs that your system may have been infected. These can include unusual activity on your system, such as new programs appearing that you did not install, changes to your homepage or other important settings, or network activity and webcam or microphone indicators turning on when you are not using them. If you notice any of these red flags, it is important to run a malware scan of your system as soon as possible.
Spyware removal
If you believe your device has already been infected with spyware, the fastest way to prevent further information from being sent to criminals is to disconnect the device from the network. This will prevent the malware from communicating with its command-and-control (C2) server. Next, run a full scan of your system using your antivirus program and remove any malware that is detected. If you are unsure of how to do this, you can usually find instructions by searching for your specific antivirus program online. Finally, change any passwords that may have been compromised, from a device you trust, and consider contacting a professional.
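Spyware has to talk to that C2 server to deliver what it collects, and most implants do so on a timer. That regularity is something a firewall or proxy log can reveal before any on-host symptom appears. The following is an added example, not code from the article: it builds a constructed connection log (all hosts, addresses and timings are made up, with 203.0.113.10 playing the C2 server) and flags source/destination pairs whose connection intervals are suspiciously even.

```python
"""Spotting command-and-control beaconing in an outbound connection log.

Added example (not from the article). The log lines, hosts and addresses are
constructed; 203.0.113.10 plays the C2 server and 198.51.100.7 a normal web host.
"""
import statistics
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Seconds after 09:00 at which each connection was logged (constructed).
# The implant checks in every 60 s with a second of jitter; browsing is bursty.
BEACON_OFFSETS = [0, 61, 120, 181, 240, 300, 361, 420, 481, 540]
BROWSE_OFFSETS = [5, 9, 47, 130, 133, 134, 390, 455, 600, 610]


def make_log() -> List[str]:
    """Build 'timestamp src dst:port bytes=N' lines like a firewall or proxy would emit."""
    base = datetime(2022, 10, 3, 9, 0, 0)
    lines = []
    for off in BEACON_OFFSETS:
        ts = (base + timedelta(seconds=off)).isoformat()
        lines.append(f"{ts} 10.0.0.5 203.0.113.10:443 bytes=412")
    for i, off in enumerate(BROWSE_OFFSETS):
        ts = (base + timedelta(seconds=off)).isoformat()
        lines.append(f"{ts} 10.0.0.5 198.51.100.7:443 bytes={1500 + 333 * i}")
    return sorted(lines)


def parse(line: str) -> Tuple[datetime, str, str]:
    ts, src, dst, _ = line.split()
    return datetime.fromisoformat(ts), src, dst


def find_beacons(lines: List[str], min_connections: int = 8,
                 max_cv: float = 0.15) -> List[dict]:
    """Flag (src, dst) pairs whose inter-connection intervals are suspiciously regular.

    cv = standard deviation / mean of the intervals. Human-driven traffic is
    irregular (cv around 1 or more); a timer-driven beacon with small jitter
    sits near 0. The thresholds here are assumptions to tune per environment.
    """
    times: Dict[Tuple[str, str], List[datetime]] = defaultdict(list)
    for line in lines:
        ts, src, dst = parse(line)
        times[(src, dst)].append(ts)

    findings = []
    for (src, dst), stamps in times.items():
        stamps.sort()
        if len(stamps) < min_connections:
            continue
        intervals = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(intervals)
        cv = statistics.pstdev(intervals) / mean if mean else float("inf")
        if cv <= max_cv:
            findings.append({"src": src, "dst": dst, "count": len(stamps),
                             "mean_interval": round(mean, 1), "cv": round(cv, 3)})
    return findings


if __name__ == "__main__":
    for f in find_beacons(make_log()):
        print(f"possible beacon: {f['src']} -> {f['dst']} every ~{f['mean_interval']}s "
              f"({f['count']} connections, cv={f['cv']})")
```

Only the 203.0.113.10 pair is reported. Treat the output as a triage lead rather than a verdict: update checkers, monitoring agents and time-sync clients beacon too, so the next step is to identify the process behind the connection, not to block on the statistic alone.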
Examples of spyware
An example of spyware in a corporate espionage setting would be a program that infects an employee's computer, monitors their activity, and sends this information back to the cybercriminal. This information may then be used to access confidential information about the corporation, including trade secrets or account data. A famous example of spyware is Pegasus, developed by the cyber-arms company NSO Group. The program has been used by authoritarian and democratic governments alike to spy on high-profile targets such as journalists, human rights activists, and political opponents by infecting their smartphones. This has elicited criticism of NSO Group from the UN for posing a threat to freedom of opinion.
Ransomware blocks your access and threatens to destroy your media.
What is ransomware?
Ransomware is a type of malware that puts personal data at risk by threatening to destroy it, or increasingly to publish it, unless a ransom demand is fulfilled. A ransomware attack will encrypt files on your computer, making them inaccessible to you. The cybercriminal deploying the ransomware will then present a ransom note, typically asking that the victim pay in cryptocurrency in order to receive the key that decrypts the data and restores access to the files. In some cases, the cybercriminal may threaten to destroy the data entirely if the ransom is not paid. Oftentimes, ransomware is not designed or maintained by the threat actor themselves but bought from a third party. This is called Ransomware-as-a-Service (RaaS). In this setting, the ransomware is designed and maintained by a malware developer who then sells or leases it to the criminals who go on to use it to extort their victims. During 2021, 61% of organizations suffered ransomware-related cyberattacks that resulted in at least a partial disruption.[5] Ultimately, ransomware ended 2021 by racking up $20 billion in costs globally, costing businesses $1.85 million on average. Furthermore, only 57% of businesses are able to recover their data using a backup.[6]
How can I detect and respond to a ransomware attack?
Ransomware prevention
As with any malware, the best way to block ransomware attacks is to keep your system updated with the latest security patches and install a reputable antivirus program.
Another, often overlooked, method of minimizing damage is conducting regular data backups that are kept disconnected from your computer, either on an external drive that is unplugged after each backup or in cloud storage that retains previous versions. The point of keeping the backup offline is that ransomware encrypts every drive it can reach, including mapped network shares and continuously synced cloud folders; a backup it cannot reach survives even if everything on the affected computer is lost. Periodically test that you can actually restore from the backup, since a backup that has never been restored is only a hope.
Ransomware detection
As with most malware, ransomware that is running may give itself away by causing your computer to slow down or crash, by creating pop-ups or applications that you did not install, and, while it is encrypting, by files suddenly acquiring unfamiliar extensions or refusing to open. However, by the time ransomware is noticed, it is often too late: the user is commonly presented with a screen demanding a ransom in order to regain access to the computer.
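The window between the start of encryption and the ransom screen is short, but it is visible to anything watching file-system activity: a burst of writes whose content looks random, each followed by a rename to an unfamiliar extension. The following is an added example, not code from the article. It constructs a sequence of file events (paths, timings and payloads are made up) and raises an alert when enough high-entropy writes and unknown-extension renames land inside a sliding time window.

```python
"""Catching mass encryption from file-system events before the ransom note appears.

Added example (not from the article). The events and the byte payloads are
constructed; paths, timings and thresholds are assumptions for illustration.
"""
import math
import os
from collections import deque
from datetime import datetime, timedelta
from typing import List, Tuple

KNOWN_EXTENSIONS = {".docx", ".xlsx", ".pdf", ".jpg", ".txt"}  # assumed baseline

# Event = (timestamp, operation, path, payload). For "write", payload is the
# data written; for "rename", payload is the new path.
Event = Tuple[datetime, str, str, object]


def shannon_entropy(data: bytes) -> float:
    """Bits per byte. Encrypted output is close to 8.0; documents are far lower."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def make_events() -> List[Event]:
    base = datetime(2022, 10, 3, 9, 0, 0)
    events: List[Event] = []
    # Normal activity: a user saving documents a few minutes apart.
    for i in range(3):
        events.append((base + timedelta(minutes=5 * i), "write",
                       f"/home/user/report{i}.docx",
                       b"Quarterly figures and commentary. " * 16))
    # Ransomware: thirty files rewritten with random-looking bytes and renamed within ~1.5 s.
    # (73 is coprime to 256, so this deterministic sequence uses every byte value equally.)
    ciphertext = bytes((i * 73 + 11) % 256 for i in range(512))
    t0 = base + timedelta(minutes=20)
    for j in range(30):
        path = f"/home/user/scan{j}.pdf"
        events.append((t0 + timedelta(milliseconds=50 * j), "write", path, ciphertext))
        events.append((t0 + timedelta(milliseconds=50 * j + 10), "rename", path, path + ".locked"))
    return events


def detect_mass_encryption(events: List[Event], window: timedelta = timedelta(seconds=10),
                           threshold: int = 10, min_entropy: float = 7.5) -> List[dict]:
    """Alert once when, inside a sliding window, at least `threshold` high-entropy
    writes and `threshold` renames to an unknown extension have occurred."""
    recent: deque = deque()  # (timestamp, kind, extension)
    alerts: List[dict] = []
    for ts, op, path, payload in sorted(events, key=lambda e: e[0]):
        if op == "write" and shannon_entropy(payload) >= min_entropy:
            recent.append((ts, "write", None))
        elif op == "rename":
            ext = os.path.splitext(payload)[1].lower()
            if ext not in KNOWN_EXTENSIONS:
                recent.append((ts, "rename", ext))
        else:
            continue
        while recent and ts - recent[0][0] > window:
            recent.popleft()
        writes = sum(1 for _, kind, _ in recent if kind == "write")
        exts = [e for _, kind, e in recent if kind == "rename"]
        if writes >= threshold and len(exts) >= threshold and not alerts:
            alerts.append({"first_seen": recent[0][0], "high_entropy_writes": writes,
                           "renames": len(exts),
                           "extension": max(set(exts), key=exts.count)})
    return alerts


if __name__ == "__main__":
    for a in detect_mass_encryption(make_events()):
        print(f"ALERT {a['first_seen']}: {a['high_entropy_writes']} high-entropy writes, "
              f"{a['renames']} renames to {a['extension']}")
```

The alert fires after the tenth file, roughly half a second into the encryption run, and names the extension being appended, which is often enough to identify the family. Endpoint products implement the same idea with kernel-level file monitoring and respond by suspending the offending process; the value of doing it early is that the files not yet touched are the ones you keep.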
Ransomware removal
Unfortunately, there is no guaranteed way to remove ransomware and decrypt files, even if you pay the demanded ransom. However, some malware researchers have been able to develop free decryption tools that work for specific ransomware families whose encryption was flawed or whose keys were recovered. If you believe your device has already been infected with ransomware, the best thing to do is disconnect it from the internet and your network immediately to prevent the malware from spreading laterally and encrypting further files. Next, identify the family from the ransom note or file extension and check whether a free decryption tool exists for it. If not, restoring from an offline backup is the reliable route; paying the ransom is a last resort, does not guarantee that working keys will be delivered, and is discouraged by law enforcement. In the case of companies, lawyers should be consulted regarding the company's cyber insurance policy (if applicable) before any ransom is paid. Additionally, it is important to note that some threat actors are sanctioned in the United States, and paying them can itself be a violation; be sure to check before any payment is sent. Finally, change any passwords that may have been compromised and contact a professional if you are unsure of how to proceed.
Examples of ransomware
One of the most well-known examples of ransomware is WannaCry, which targeted Microsoft Windows systems in May 2017. WannaCry encrypted files on victims' computers and demanded a ransom be paid in order to decrypt them. It spread from machine to machine without any user interaction by exploiting a vulnerability in Windows' SMBv1 file-sharing service for which Microsoft had already released a patch two months earlier, which is why the "keep your system updated" advice above is not a formality. WannaCry was particularly notable for its widespread impact, as it is estimated to have affected over 200,000 computer systems in 150 countries.
Figure 2: The WannaCry ransomware screen from 2017
Ransomware vs. spyware: key takeaways
Malware is a broad term that encompasses various types of malicious software, including ransomware and spyware. Ransomware is a type of malware that puts personal data at risk by threatening to encrypt or destroy it unless a ransom demand is fulfilled. Ransomware will make itself known quickly. Spyware, on the other hand, is a type of malware that monitors your activity and sends this information back to the cybercriminal who may then use sensitive information to steal money from the victim and/or commit identity theft. The best way to block malware attacks is to keep your system updated with the latest security patches and install a reputable antivirus program. If you believe your device has already been infected with malware, the best thing to do is to disconnect from the internet immediately to prevent the malware from communicating with its C2 server and further harming your device and information. Finally, be sure to change any passwords that may have been compromised and contact a professional if you are unsure of how to proceed.
This article was edited by Ander Ugalde, an Associate in Ankura's New York office, and Hunter Voegele, a Director in Ankura's Washington, DC Office.
© Copyright 2022. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.
[1] Malware statistics and facts for 2022; Sam Cook, 2022.
[2] Ransomware Statistics, Trends and Facts for 2022 and Beyond; Aleksandar Kochovski, 2022.
[3] Cyber Security Statistics: The Ultimate List Of Stats Data, & Trends For 2022; Purplesec, 2022.
[4] Malware statistics and facts for 2022; Sam Cook, 2022.