Context: A malware attack was recently detected by the cyber security team of the All India Institute of Medical Sciences (AIIMS), and was subsequently thwarted and neutralised by the team.
What is a Malware Attack?
A malware attack is a common type of cyberattack in which malware (malicious software) executes unauthorized actions on the victim’s system. Malicious software, often loosely referred to as “viruses” (although a virus is only one kind of malware), encompasses many specific types of attack such as ransomware, spyware, command and control, and more.
Criminal organizations, state actors, and even well-known businesses have been accused of (and, in some cases, caught) deploying malware. Like other types of cyber attacks, some malware attacks end up with mainstream news coverage due to their severe impact. An example of a famous malware attack is the WannaCry ransomware attack.
Malware Attacks Examined
Malware discussion typically encompasses three main aspects:
- Objective: What the malware is designed to achieve
- Delivery: How the malware is delivered to the target
- Concealment: How the malware avoids detection (this item is beyond the scope of this discussion)
Here’s a breakdown of some of the objectives and delivery mechanisms observed in malware.
Objectives
Malware is created with an objective in mind. While it could be said that the objective is “limited only to the imagination of its creator,” this section focuses on some of the most common objectives observed in malware.
- Exfiltrate Information: Stealing data, credentials, payment information, etc. is a recurring theme in the realm of cybercrime. Malware focused on this type of theft can be extremely costly to a person, company, or government target that falls victim.
- Disrupt Operations: Actively working to “cause problems” for a target’s operation is another objective seen in malware. From a virus on a single computer corrupting critical OS files (making that one system unusable) to an orchestrated, physical self-destruction of many systems in an installation, the level of “disruption” can vary. There is also the scenario where infected systems are directed to carry out large-scale distributed denial of service (DDoS) attacks.
- Demand Payment: Some malware is focused on directly extorting money from the target. Scareware uses empty threats (ones that are unsubstantiated and/or couldn’t be carried out) to “scare” the target into paying some money. Ransomware is a type of malware that attempts to prevent a target from accessing their data (usually by encrypting files on the target) until the target “pays up.” While there is debate over whether victims of ransomware should or should not pay, it has become enough of a threat that some companies have preemptively purchased Bitcoin just in case they get hit with ransomware and decide to pay the ransom.
Types of Malware Attack Vectors
There are three main types of malware attack vectors:
- Trojan Horse: This is a program that appears to be one thing (e.g. a game, a useful application, etc.) but is a delivery mechanism for malware. A trojan horse relies on the user to download it (usually from the internet or via email attachment) and run it on the target.
- Virus: A virus is a type of self-propagating malware that infects other programs/files (or even parts of the operating system and/or hard drive) of a target via code injection. This behaviour of malware propagation through injecting itself into existing software/data is a differentiator between a virus and a trojan horse (which has purposely built malware into one specific application and does not make attempts to infect others).
- Worm: Malware designed to propagate itself into other systems is a worm. While virus and trojan horse malware are localized to one infected target system, a worm actively works to infect other targets (sometimes without any interaction on the user’s behalf).
Over the years, malware has been observed to use a variety of delivery mechanisms, or attack vectors. While a few are admittedly academic, many attack vectors are effective at compromising their targets. These attack vectors generally arrive over electronic communications such as email, text messages, a vulnerable network service, or a compromised website, but malware delivery can also be achieved via physical media (e.g. USB thumb drives, CDs/DVDs, etc.).
Best Practices Against Malware Attacks
The following best practices can help prevent a malware attack from succeeding and/or mitigate the damage done by a malware attack.
- Continuous User Education: Training users on best practices for avoiding malware (e.g. don’t download and run unknown software, don’t blindly insert “found media” into your computer), as well as how to identify potential malware (e.g. phishing emails, unexpected applications/processes running on a system), can go a long way in protecting an organization. Periodic, unannounced exercises, such as intentional phishing campaigns, can help keep users aware and observant.
- Use Reputable A/V Software: When installed, a suitable A/V solution will detect (and remove) any existing malware on a system, as well as monitor for and mitigate potential malware installation or activity while the system is running. It is important to keep it up to date with the vendor’s latest definitions/signatures.
- Ensure Your Network is Secure: Controlling access to systems on your organization’s network is a great idea for many reasons. The use of proven technology and methodologies—such as using a firewall, IPS, IDS, and remote access only through VPN—will help minimize the attack “surface” your organization exposes. Physical system isolation is usually considered an extreme measure for most organizations and is still vulnerable to some attack vectors.
- Perform Regular Website Security Audits: Scanning your organization’s websites regularly for vulnerabilities (e.g. software with known bugs, server/service/application misconfiguration) and detecting whether known malware has been installed can keep your organization secure, protect your users, and protect customers and visitors of public-facing sites.
- Create Regular, Verified Backups: Having a regular (i.e. current and automated) offline backup can be the difference between smoothly recovering from a destructive virus or ransomware attack and stressful, frantic scrambling with costly downtime/data loss. The key here is to have regular backups that are verified to be happening on the expected regular basis and are usable for restoration operations. Old, outdated backups are less valuable than recent ones, and backups that don’t restore properly are of no value.
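A check for the last practice above, added here as an example (it is not code from the original article): it fails a backup that is older than its schedule or that does not restore with checksums matching those recorded when it was taken. The sample files, paths and the 24-hour schedule are constructed assumptions.

```python
import hashlib, tarfile, tempfile, time
from pathlib import Path

def make_backup(src: Path, archive: Path) -> dict:
    """Archive src as .tar.gz and return a {relative path: sha256} manifest to verify against later."""
    manifest = {}
    with tarfile.open(archive, "w:gz") as tar:
        for p in sorted(src.rglob("*")):
            if p.is_file():
                rel = p.relative_to(src).as_posix()
                manifest[rel] = hashlib.sha256(p.read_bytes()).hexdigest()
                tar.add(str(p), arcname=rel)
    return manifest

def verify_backup(archive: Path, manifest: dict, max_age_s: float) -> list:
    """Return a list of problems; empty means the backup ran on schedule AND restores intact."""
    if not archive.exists():
        return ["archive missing"]
    problems = []
    age = time.time() - archive.stat().st_mtime
    if age > max_age_s:  # the scheduled backup job did not run
        problems.append(f"archive is stale ({age:.0f}s old)")
    with tempfile.TemporaryDirectory() as tmp:  # trial restore into scratch space
        try:
            with tarfile.open(archive, "r:gz") as tar:
                kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}  # safe extraction on 3.12+
                tar.extractall(tmp, **kwargs)
        except Exception as e:  # any failure here means the backup is not restorable
            return problems + [f"restore failed: {e}"]
        for rel, digest in manifest.items():
            restored = Path(tmp) / rel
            if not restored.is_file():
                problems.append(f"missing after restore: {rel}")
            elif hashlib.sha256(restored.read_bytes()).hexdigest() != digest:
                problems.append(f"checksum mismatch: {rel}")
    return problems

def demo() -> dict:
    """Constructed sample data: back up, verify, then truncate the archive and verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "data"
        (src / "db").mkdir(parents=True)
        (src / "db" / "patients.csv").write_text("id,name\n1,constructed sample\n")
        (src / "notes.txt").write_text("constructed sample\n")
        archive = Path(tmp) / "backup.tar.gz"
        manifest = make_backup(src, archive)
        fresh = verify_backup(archive, manifest, max_age_s=24 * 3600)
        archive.write_bytes(archive.read_bytes()[:20])  # simulate a truncated/corrupt archive
        corrupted = verify_backup(archive, manifest, max_age_s=24 * 3600)
        return {"manifest": manifest, "fresh": fresh, "corrupted": corrupted}
```

Run `demo()` to see an intact backup pass and the truncated one reported as not restorable; in production the same `verify_backup` call would run after each scheduled job and alert on any non-empty result.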