Chapter 40 Β· Story

An Overview of Malware

Marcus runs security awareness training at Westfield University. Three weeks ago, a ransomware attack shut down the registrar's office for four days. Today he is explaining to the new IT intern exactly what happened β€” and why the word "malware" covers a lot more than most people think.

Scene 1 β€” "It's Not One Thing"

The intern, Priya, had been hired two days before the attack hit. She spent the ransomware incident watching Marcus and the rest of the team work eighteen-hour days, and she had one question she was almost embarrassed to ask: "Is ransomware the same as a virus?"

Marcus pulled up a chair. "Ransomware is one type of malware. A virus is another type of malware. They are both malware, but they are not the same thing. The word malware just means malicious software β€” any program or code specifically designed to do something harmful to a system or its owner. It's a category, like saying 'vehicle.' A truck and a motorcycle are both vehicles, but they are very different things."

He opened a whiteboard application. "The exam β€” and the real world β€” use nine types of malware you need to know. Viruses. Worms. Ransomware. Trojan horses. Rootkits. Keyloggers. Spyware. Bloatware. Logic bombs. Each one does something different. Each one gets onto a system differently. And they often work together."

"Work together?" Priya asked.

"That's what happened to us. What hit Westfield was not just ransomware. What hit Westfield was a chain."

What Is Malware?

Malware (short for malicious software) is any program or code designed to damage, disrupt, spy on, or gain unauthorized access to a computer system. It is a broad category, not a single type of threat. The attacker's goal determines the type of malware they deploy:

All of these goals share a common foundation: your data has value. Personal data (photos, documents, credentials), organizational data (PII, financial records, intellectual property) β€” there is always a price an attacker can extract, whether through theft, extortion, or sale.

Scene 2 β€” The Chain That Brought Down the Registrar

Marcus sketched a timeline on the whiteboard. "Three weeks ago, Tuesday morning. A staff member in the financial aid office received an email. Looked like it came from a university IT vendor β€” a real vendor we actually use. The email said there was a critical update to a shared document portal and included a link. She clicked it."

"A phishing link?" Priya asked.

"In this case it was a link to a website that had been compromised. Just visiting it β€” not even clicking anything on the page β€” caused a drive-by download. A piece of code ran in her browser, found an unpatched vulnerability in her browser version, and used it to download a file and execute it in the background."

Priya's eyes widened. "She didn't even install anything."

"No. This first piece of code was a worm β€” it spread itself to three other systems on the same network segment within forty minutes, all by exploiting the same unpatched browser vulnerability. Once on each system, the worm installed a second piece of code: a remote access backdoor. A Trojan horse, essentially β€” it looked like a legitimate Windows service process, but it opened a channel back to the attacker's infrastructure."

"So the attacker now had access to four machines."

"Correct. For two days, that backdoor sat quiet. We didn't see it. The keylogger it installed collected credentials as staff logged into internal systems. On Thursday morning, the attacker used those stolen credentials to log into the registrar's file share. They staged the ransomware payload, then triggered it Friday at 2 AM when no one was watching. By the time staff arrived, every file on the registrar share was encrypted."

Priya stared at the whiteboard. "One click. Four days. Four different malware types."

"That's how it usually works," Marcus said. "Malware is not one event. It is a campaign."

The Nine Malware Types β€” A Survey

Each type is introduced briefly here. Chapters 41–43 cover viruses, worms, spyware, bloatware, and other types in detail.

TypeWhat It DoesPrimary Goal
VirusAttaches to a file; spreads when the file is executedCorruption, propagation
WormSpreads automatically across networks via vulnerabilities β€” no user action neededPropagation, payload delivery
RansomwareEncrypts files, demands payment for decryption keyExtortion
Trojan HorseDisguised as legitimate software; installs malware when runInitial access, backdoors
RootkitHides deep in OS, grants admin control, masks other malwarePersistence, concealment
KeyloggerRecords every keystroke; captures passwords, PINs, messagesCredential theft
SpywareObserves user activity, transmits data to attacker without consentSurveillance, data collection
BloatwareUnwanted pre-installed or forced software; may introduce vulnerabilitiesRevenue, attack surface
Logic BombDormant code that triggers on a condition (date, event, deleted account)Sabotage, timed destruction
Scene 3 β€” "Why Does Anyone Target a University?"

Priya was still looking at the timeline. "I get why attackers target banks. But a university?"

"Because data is data," Marcus said. "What does Westfield have? Student records β€” names, dates of birth, Social Security numbers, home addresses. That's high-quality personally identifiable information. Financial aid information β€” income data, bank account details. Research data from the science departments β€” years of academic work. Staff payroll records. Vendor contracts."

"All of that is worth money."

"To the right buyer, absolutely. Student PII sells on dark web forums. Research data is valuable to competitors or foreign intelligence services. But the attackers who hit us were not data thieves β€” they were ransomware operators. They did not care about reading our files. They just encrypted them and asked us to pay to get them back."

"How much did they ask for?"

Marcus was quiet for a moment. "A number. There is always a number. And the number they chose was calibrated to what they thought Westfield could afford to pay versus the cost of rebuilding from scratch without paying." He paused. "We did not pay. We had backups."

Scene 4 β€” Ransomware's Distinctive Fingerprint

"Walk me through what the ransomware actually did," Priya said. "When I came in Friday morning, people's computers still worked. They could browse the internet. The issue was they couldn't open their files."

"That's intentional," Marcus said. "Ransomware is designed to encrypt your data files β€” documents, spreadsheets, PDFs, images, databases β€” while leaving the operating system running. The OS stays up because the attackers need you to be able to see their message. If they crashed your whole system, you wouldn't be able to read the ransom note or navigate to the payment site."

"So they want you functional but helpless."

"Exactly. The encryption uses strong public-key cryptography. The attacker generates a key pair β€” public key encrypts your files, private key decrypts them. Only they have the private key. The public key is embedded in the ransomware. Once encryption runs, no amount of computing power recovers the files without the matching private key. You either pay, restore from backup, or lose the data."

"The payment is cryptocurrency."

"Always. Because it's difficult to trace and cannot be reversed. It's one of the great ironies of the field β€” cryptography was invented to protect people's data, and ransomware weaponizes the exact same mathematical principles to hold data hostage."

How Malware Gets In β€” Infection Vectors

For malware to run on a system, it needs to reach the system and execute. The four primary vectors:

The second requirement for infection is a vulnerable system. If the OS and applications are fully patched, the exploit that delivers the malware may fail. This is why "keep everything updated" is not just generic advice β€” it closes the specific vulnerabilities that infection vectors rely on.

Scene 5 β€” What Actually Saved Westfield

"So we didn't pay," Priya said. "How did we recover?"

"We had a backup of the registrar's file share from 11 PM Thursday β€” about three hours before the ransomware executed. We restored from that backup on Saturday morning. The backup was stored offline β€” on a tape system that was not connected to the network. The ransomware could not reach it."

"And if the backup had been on a connected drive?"

"Then the ransomware might have found it and encrypted it too. That's why offline backups β€” or immutable backups β€” are the single most important defense against ransomware. If you have a clean copy the ransomware cannot touch, you have a recovery path regardless of whether you can decrypt the original files."

Priya was quiet, processing. "What should have prevented the attack in the first place?"

"Two things failed us. First, the browser on that financial aid workstation was two versions out of date. The vulnerability the drive-by download used had been patched six weeks earlier. If she had been running the current version, the exploit fails β€” the malware never lands. Second, the worm spread to three other machines because those machines had the same unpatched browser vulnerability. A regular patch cycle would have closed all four."

"And the antivirus didn't catch it?"

"The antivirus signatures were also out of date on the affected workstations. The worm variant that hit us had been in the wild for nine days. The antivirus vendors had created signatures for it six days prior. If the signatures had been current, the worm would have been flagged on installation. Four days of unauthorized access β€” all because of a six-week-old patch gap and three-day-old signatures."

Priya looked at the whiteboard again β€” the whole chain, from one click to four days of disruption. "So the defense is: backups, patches, and current signatures."

"Those three things," Marcus said, "would have either stopped the attack or recovered from it with minimal damage. They are not glamorous. They are not expensive. But they are the foundation. Everything else we do in security is built on top of those three."

The Four Defense Fundamentals Against Malware

These four practices form the baseline defense against the full spectrum of malware types:

  1. Maintain offline or immutable backups β€” the only recovery path when ransomware encrypts your data. Backups connected to the network can themselves be encrypted. Offline (disconnected) or immutable (write-once) backups cannot be reached by ransomware.
  2. Keep the OS patched and current β€” most malware delivery mechanisms (worms, drive-by downloads, exploits) target known vulnerabilities in operating systems. Patches close those vulnerabilities. An unpatched OS is the open door malware walks through.
  3. Keep applications patched and current β€” browsers, PDF readers, office suites, media players, and plugins all contain vulnerabilities. Attackers track unpatched application versions because they represent exploitable entry points on otherwise well-maintained systems.
  4. Keep antivirus and anti-malware signatures current β€” new malware variants appear every day. Signature updates allow security software to recognize and block the latest known threats. An antivirus with signatures that are days old may miss a variant released in the last 48 hours.

Note: None of these defenses are perfect against zero-day malware (Chapter 39) β€” behavioral detection and network segmentation fill that gap. But against the vast majority of malware in the wild, these four fundamentals address the primary attack vectors and recovery paths.