
Malware & Threats

Understand malware types, ransomware attacks, detection methods, and prevention strategies.

Types of Malware

Virus

Malicious code that attaches to legitimate programs and spreads when the infected program runs.

Spreads: Email attachments, infected downloads, USB drives
Impact: File corruption, system crashes, data loss

Worm

Self-replicating malware that spreads across networks without human interaction.

Spreads: Network vulnerabilities, email worms, instant messaging
Impact: Network congestion, bandwidth depletion, system overload

Trojan

Disguised as legitimate software but performs malicious actions in the background.

Spreads: Fake downloads, phishing emails, software bundling
Impact: Backdoor access, data theft, spyware installation

Ransomware

Encrypts victim's files and demands payment (ransom) for the decryption key.

Spreads: Phishing emails, exploit kits, RDP brute force
Impact: Data loss, financial loss, operational downtime

Spyware

Secretly monitors user activity and collects personal information.

Spreads: Software bundling, malicious websites, fake apps
Impact: Privacy breach, identity theft, credential theft

Adware

Automatically delivers unwanted advertisements, often bundled with free software.

Spreads: Freeware bundling, malicious browser extensions
Impact: Annoying pop-ups, browser hijacking, performance loss

Rootkit

Gains root/admin access and hides its presence from operating system detection tools.

Spreads: Drive-by downloads, trojans, kernel exploits
Impact: Complete system compromise, stealth persistence, keylogging

Keylogger

Records every keystroke made on a compromised device to capture passwords and sensitive data.

Spreads: Phishing, trojans, physical access, browser extensions
Impact: Credential theft, financial fraud, privacy violation

Malware Lifecycle

Infection

Malware enters the system through phishing, drive-by download, exploit, or physical media.

Execution

The payload activates — a dropper installs additional components or the malware runs directly.

Persistence

Malware ensures it survives reboots via registry keys, services, cron jobs, or startup folders.

Communication

Establishes C2 (Command & Control) channels to receive instructions and exfiltrate data.

Payload

Performs its malicious objective: file encryption, data theft, keylogging, DDoS, etc.

Ransomware Deep Dive

Ransomware is one of the most damaging malware types. Here is how it typically operates:

Delivery

User receives a phishing email with a malicious attachment or link. Exploit kits scan for unpatched vulnerabilities.

Execution

The ransomware payload runs, often using PowerShell or Windows Script Host. It may disable security software.

Persistence

Adds registry entries or scheduled tasks to survive reboots. Some variants install as Windows services.

Communication

Connects to C2 (Command & Control) servers to receive encryption keys and exfiltrate sensitive data.

Encryption

Scans local drives and network shares. Encrypts files using AES/RSA, renames them, deletes shadow copies.

Ransom Note

Displays a ransom note demanding cryptocurrency payment in exchange for decryption keys.

Famous Ransomware Attacks

WannaCry (2017)

Impact: 230,000+ computers across 150 countries. Total damages estimated at $4 billion.

Method: Exploited EternalBlue (MS17-010 SMB vulnerability). Spread via worm-like capabilities.

NotPetya (2017)

Impact: $10 billion+ in damages. Hit Maersk, Merck, FedEx, and Ukraine infrastructure.

Method: Disguised as ransomware but was actually a wiper. Spread via accounting software update mechanism.

Detection Methods

Signature-based

Compares files against a database of known malware hashes and byte patterns. Fast but cannot detect zero-day threats.

Heuristic

Analyzes code behavior and structure to detect suspicious patterns. Can catch variants of known malware.
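The two entries above, signature-based and heuristic detection, are easiest to compare side by side in code. The following is an added example written for this page, not code from any antivirus product: it runs an exact-hash signature, a byte-pattern signature, and a Shannon-entropy heuristic (high entropy is a common indicator of a packed or encrypted executable) over constructed byte strings. The sample "files", the hash blocklist and the pattern name are all made up for the demonstration; the point it shows is that changing a single byte defeats the hash signature while the byte pattern and the heuristic still fire.

```python
import hashlib
import math

# Constructed sample "files" for this example; none of these is real malware.
KNOWN_BAD = b"MZ\x90\x00" + b"EVIL-PAYLOAD-MARKER" + b"\x00" * 32
_variant = bytearray(KNOWN_BAD)
_variant[-1] = 0x01                      # one trailing byte changed: same behavior, new hash
VARIANT = bytes(_variant)
BENIGN = b"MZ\x90\x00" + b"hello world program" + b"\x00" * 32
PACKED = bytes(range(256)) * 4           # every byte value equally often: maximal entropy

# Constructed signature database: a SHA-256 blocklist plus one named byte pattern.
HASH_BLOCKLIST = {hashlib.sha256(KNOWN_BAD).hexdigest()}
BYTE_PATTERNS = {"evil-marker": b"EVIL-PAYLOAD-MARKER"}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def hash_match(data: bytes) -> bool:
    """Exact-hash signature: matches only a byte-for-byte identical file."""
    return sha256_hex(data) in HASH_BLOCKLIST


def pattern_match(data: bytes) -> list:
    """Byte-pattern signature: survives edits that do not touch the pattern itself."""
    return [name for name, pat in BYTE_PATTERNS.items() if pat in data]


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, from 0.0 (constant data) to 8.0 (uniformly random bytes)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def heuristic_packed(data: bytes, threshold: float = 7.0) -> bool:
    """Heuristic: packed or encrypted executables look near-random, so entropy is high.
    The 7.0 threshold is a commonly used rule of thumb, not a value from this page."""
    return shannon_entropy(data) >= threshold


def classify(data: bytes) -> dict:
    """Run all three checks so the reader can see which ones fire on each sample."""
    return {
        "hash_match": hash_match(data),
        "pattern_hits": pattern_match(data),
        "high_entropy": heuristic_packed(data),
    }


if __name__ == "__main__":
    for name, sample in (("known_bad", KNOWN_BAD), ("variant", VARIANT),
                         ("benign", BENIGN), ("packed", PACKED)):
        print(name, classify(sample))
```

Running it shows the trade-off the page describes: the hash signature is exact and cheap but misses the one-byte variant, the pattern signature catches the variant but nothing it has no pattern for, and the entropy heuristic flags the packed sample even though no signature exists for it (at the cost of flagging legitimately compressed or encrypted files too).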

Behavioral

Monitors runtime behavior — file system changes, registry modifications, network connections. Detects unknown malware.

Sandboxing

Sandboxing is a security technique that executes suspicious files or code in an isolated, controlled environment to observe their behavior without risking the host system. Sandboxes virtualize the OS, file system, registry, and network stack. Analysts monitor API calls, file modifications, registry changes, network connections, and process creation to determine if the sample is malicious. Popular sandbox tools include Cuckoo Sandbox, Joe Sandbox, and FireEye.
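To make the behavioral detection entry and the sandbox description above concrete, here is an added example (written for this page, not the output or code of Cuckoo, Joe Sandbox or any other product) that scores a constructed sandbox trace. The trace format, the process IDs, the paths, the IP addresses and the rule weights are all invented for the demonstration. The rules map directly onto the ransomware steps the page lists: a Run-key write for persistence, a shadow-copy deletion command, an outbound connection to a non-internal address, and many files renamed to one new extension, which is the encryption stage as it appears in a file-system log. A second, benign trace shows that an editor renaming one file and talking to an internal server does not trip the same rules.

```python
import ipaddress
import re
from collections import Counter

# Constructed sandbox traces for this example, not output from any real sandbox.
# Line format: <seconds> <pid> <event> <detail>
RANSOMWARE_TRACE = """\
0.10 1840 process_create C:\\Users\\lab\\Downloads\\invoice.pdf.exe
0.42 1840 registry_set HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater = C:\\Users\\lab\\AppData\\Roaming\\upd.exe
0.80 1840 net_connect 203.0.113.45:4444
1.05 1840 process_create C:\\Windows\\System32\\vssadmin.exe delete shadows /all /quiet
1.20 1840 file_rename C:\\Users\\lab\\Documents\\report.docx -> C:\\Users\\lab\\Documents\\report.docx.locked
1.21 1840 file_rename C:\\Users\\lab\\Documents\\budget.xlsx -> C:\\Users\\lab\\Documents\\budget.xlsx.locked
1.22 1840 file_rename C:\\Users\\lab\\Pictures\\holiday.jpg -> C:\\Users\\lab\\Pictures\\holiday.jpg.locked
1.23 1840 file_rename C:\\Users\\lab\\Documents\\notes.txt -> C:\\Users\\lab\\Documents\\notes.txt.locked
1.24 1840 file_rename C:\\Users\\lab\\Documents\\thesis.pdf -> C:\\Users\\lab\\Documents\\thesis.pdf.locked
"""

BENIGN_TRACE = """\
0.10 2201 process_create C:\\Program Files\\TextEditor\\editor.exe
0.50 2201 file_write C:\\Users\\lab\\Documents\\draft.txt
0.70 2201 file_rename C:\\Users\\lab\\Documents\\draft.txt -> C:\\Users\\lab\\Documents\\draft_final.txt
0.90 2201 net_connect 10.0.0.5:443
"""

# Address ranges treated as "internal" to the lab network (RFC 1918 plus loopback).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run\b", re.IGNORECASE)
SHADOW_RE = re.compile(r"vssadmin\.exe.*delete shadows", re.IGNORECASE)
MASS_RENAME_THRESHOLD = 5   # constructed threshold for this small trace


def parse_trace(text: str) -> list:
    """Parse trace lines into dicts; malformed lines are skipped rather than fatal."""
    events = []
    for line in text.splitlines():
        parts = line.split(maxsplit=3)
        if len(parts) != 4:
            continue
        ts, pid, event, detail = parts
        try:
            events.append({"ts": float(ts), "pid": int(pid), "event": event, "detail": detail})
        except ValueError:
            continue
    return events


def is_external(hostport: str) -> bool:
    """True for any destination outside the internal ranges; hostnames count as external."""
    host = hostport.rsplit(":", 1)[0]
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return True
    return not any(addr in net for net in INTERNAL_NETS)


def rule_run_key_persistence(events) -> bool:
    return any(e["event"] == "registry_set" and RUN_KEY_RE.search(e["detail"]) for e in events)


def rule_shadow_copy_deletion(events) -> bool:
    return any(e["event"] == "process_create" and SHADOW_RE.search(e["detail"]) for e in events)


def rule_external_connection(events) -> bool:
    return any(e["event"] == "net_connect" and is_external(e["detail"]) for e in events)


def rule_mass_rename(events) -> bool:
    """Many files renamed to the same new extension is how bulk encryption shows up in a log."""
    ext_counts = Counter()
    for e in events:
        if e["event"] != "file_rename" or " -> " not in e["detail"]:
            continue
        new_path = e["detail"].split(" -> ", 1)[1]
        ext = new_path.rsplit(".", 1)[-1].lower() if "." in new_path else ""
        ext_counts[ext] += 1
    return bool(ext_counts) and max(ext_counts.values()) >= MASS_RENAME_THRESHOLD


# (rule name, weight, predicate); weights are illustrative, not from any product.
RULES = [
    ("run_key_persistence", 3, rule_run_key_persistence),
    ("shadow_copy_deletion", 5, rule_shadow_copy_deletion),
    ("external_connection", 2, rule_external_connection),
    ("mass_rename", 5, rule_mass_rename),
]


def analyze(trace_text: str) -> dict:
    """Score a trace and return the verdict plus the rules that fired."""
    events = parse_trace(trace_text)
    hits = [(name, weight) for name, weight, fn in RULES if fn(events)]
    score = sum(w for _, w in hits)
    verdict = "malicious" if score >= 8 else "suspicious" if score >= 3 else "benign"
    return {"score": score, "verdict": verdict, "hits": [n for n, _ in hits]}


if __name__ == "__main__":
    print("ransomware trace:", analyze(RANSOMWARE_TRACE))
    print("benign trace:   ", analyze(BENIGN_TRACE))
```

The design point is that none of these rules needs a signature for the specific sample: each one keys on an action the malware has to take to reach its objective, which is why the page lists behavioral monitoring as the method that detects unknown malware. The external-connection rule is deliberately low-weight, since on its own it is the weakest of the four indicators and would generate the most false positives on a real endpoint.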

Prevention & Mitigation Checklist

Keep OS and all software updated with the latest security patches
Use reputable antivirus/anti-malware software with real-time protection
Enable email filtering to block phishing and malicious attachments
Never click suspicious links or download attachments from unknown senders
Use application whitelisting to prevent unauthorized executables
Restrict administrative privileges — use least privilege principle
Enable ransomware-specific protection (controlled folder access)
Maintain regular offline/cloud backups with 3-2-1 strategy
Disable macros in Microsoft Office documents from unknown sources
Implement network segmentation to limit lateral movement
Use endpoint detection and response (EDR) solutions
Conduct regular security awareness training for employees

Interview Questions

Q1: What are the different types of malware?

A: Malware types include Viruses (attach to files), Worms (self-replicate across networks), Trojans (disguised as legitimate), Ransomware (encrypts files for payment), Spyware (monitors activity), Adware (unwanted ads), Rootkits (hide in OS), and Keyloggers (capture keystrokes).

Q2: How does ransomware work and how can you protect against it?

A: Ransomware encrypts files using AES/RSA and demands payment. Protection requires regular backups (3-2-1 rule), patching, email filtering, least privilege, controlled folder access, and user awareness training.

Q3: What is the difference between signature-based and behavioral detection?

A: Signature-based detection matches known malware patterns (fast, accurate for known threats, misses zero-days). Behavioral detection monitors runtime actions (catches unknown malware, fewer false positives, higher overhead).

Q4: What is sandboxing in malware analysis?

A: Sandboxing runs suspicious files in an isolated virtual environment to observe behavior without risking the host system. It monitors file changes, registry modifications, network calls, and process creation for malicious indicators.

Q5: Explain the malware lifecycle.

A: The malware lifecycle has 5 stages: 1) Infection — initial entry, 2) Execution — payload activation, 3) Persistence — survival across reboots, 4) Communication — C2 channel establishment, 5) Payload — malicious objective execution (data theft, encryption, etc.).