Hard2bit
← Back to glossary Threats and attacks

Malware

What is malware

Malware is any software designed to damage, spy on or take control of a system without its owner's consent. The term covers families with very different goals: ransomware encrypts data for extortion, trojans open back doors, spyware steals credentials and information, worms spread across the network on their own, adware monetises through intrusive advertising, and botnets turn infected machines into foot soldiers for larger attacks. It arrives via phishing, exploits against unpatched vulnerabilities, compromised downloads, USB devices or the software supply chain. Understanding it by family and vector is the first step towards defending with judgement rather than trusting the antivirus alone.

Why it matters

Malware is the vehicle behind most incidents with real financial impact: production stoppages from ransomware, banking fraud from credential-stealing trojans, industrial espionage from persistent spyware, and regulatory penalties when an infection turns into a personal data breach. For an SMB, the relevant question is not whether malware will arrive —every company's mail filters discard attempts daily— but whether the one that manages to execute will be detected in time. That is the qualitative leap: modern malware is no longer a noisy file that signature antivirus recognises, but payloads that run only in memory, abuse legitimate system tools (PowerShell, WMI) and stay silent for weeks while the human operator behind them maps the network, escalates privileges and locates the backups before striking. Every hour between initial infection and detection widens the cost of the response. Effective defence therefore combines prevention (patching, filtering, awareness), behaviour-based detection on the endpoint, and a response plan that assumes that, sooner or later, something will execute.

Key points

Main families: ransomware (encryption and extortion), trojans (covert remote access), spyware and infostealers (credential and data theft), worms (self-propagation across the network), adware (intrusive monetisation) and botnets (zombie machines serving DDoS, spam or cryptomining).

Entry vectors: phishing attachments and links, exploitation of exposed unpatched vulnerabilities, downloads from compromised websites or pirated software, USB devices, and supply chain attacks that trojanise legitimate updates.

Typical lifecycle: delivery, execution, persistence (autostart entries, scheduled tasks), communication with the command-and-control (C2) server, actions on the objective (theft, encryption, propagation) and, increasingly, exfiltration before any visible impact.

Layered detection: signature antivirus catches what is already known; EDR detects anomalous behaviour (processes, memory, network) even in fileless malware; sandboxing detonates suspicious attachments in an isolated environment before they reach the user.

Modern malware evades signatures by design: polymorphism, packing, memory-only execution and abuse of legitimate system binaries (living off the land). That is why endpoint behavioural telemetry matters more than the signature list.

Responding to an infection: isolate the machine from the network without powering it off, preserve evidence, identify the entry vector and the real scope (did it move laterally? did data leave?) before cleaning and restoring. Cleaning without investigating usually leaves the door open.

Example: An infostealer on the sales director's laptop

The sales director of a distribution company downloads a supposed PDF viewer from a search engine advert. The installer works, but it bundles an infostealer that within minutes harvests the browser's saved passwords and the session cookies for M365 and the CRM, and ships them to the attacker's server. There is no encryption, no ransom note, no symptoms: traditional antivirus does not recognise the sample, freshly generated for that campaign, and the laptop keeps working normally.

Three weeks later, the attacker uses the stolen cookies to enter the corporate mailbox without triggering MFA, studies the threads with customers and sends invoices with a swapped IBAN from the sales director's legitimate account. The fraud surfaces when a customer calls asking why the bank account has changed. With a managed EDR, the execution of an unsigned installer and the bulk read of the browser's credential store would have raised an alert on day one; without it, the company discovers the infection through the damage rather than through detection, and the response shifts from reimaging a laptop to managing a consummated fraud with affected customers.

Common mistakes

  • Relying on signature antivirus alone. Current campaign malware is generated and packed specifically to miss known signatures; without behavioural analysis on the endpoint, the first victim of every variant has no protection.
  • Considering the infection resolved once the malicious file is deleted. Persistence (scheduled tasks, registry keys, created accounts) and already-stolen credentials remain active; the scope must be investigated before closing the case.
  • Ignoring the 'antivirus blocked it' notification. A block means something got as far as downloading or executing; the right questions are how it got in and whether other attempts were not blocked — not filing the alert as a success.
  • Leaving machines unpatched because 'they are not critical'. Worms and ransomware spread precisely through the forgotten systems: the test server or the kiosk PC shares a network with production.
  • Not covering mobiles or personal devices that access corporate resources. Infostealers on BYOD devices steal the same M365 and VPN sessions as a corporate laptop, but outside the reach of the company's tooling.

Related services

This concept may be related to services such as:

Frequently asked questions

What is the difference between malware, a virus and ransomware?

Malware is the umbrella category: any malicious software. A virus is one specific type that replicates by infecting other files, and is a minority today. Ransomware is another family, specialised in encrypting data and extorting payment. In practice, most of what reaches a business consists of trojans, infostealers and loaders that prepare the ground for a bigger attack, not classic viruses.

Is an antivirus enough to protect a business from malware?

No. Signature antivirus remains useful as a first layer, but campaign malware is generated to evade it and fileless techniques never even touch the disk. A reasonable posture for a business combines EDR with behavioural analysis, email and web filtering, disciplined patching, and someone —in-house or a managed SOC— who reviews and responds to the alerts.

How do I know if one of my company's machines is infected?

The classic symptoms (slowness, pop-ups) rarely appear any more: current malware is built to stay unnoticed. Reliable signals are technical: outbound connections to anomalous domains, processes abusing PowerShell or WMI, reads of the browser's credential store, or spikes in file access. Spotting them requires endpoint telemetry and someone watching it; on suspicion, isolate the machine from the network without powering it off.

What should be done in the first hour after detecting malware on a machine?

Isolate it from the network —cable and Wi-Fi— without shutting it down, to preserve evidence in memory. From another device, change the passwords of the accounts used on that machine and revoke their active sessions. Do not run cleaners on your own initiative: if there are signs of data access or lateral movement, trigger the incident response procedure before altering anything.