The most common types of malware are ransomware, trojans, and fileless attacks. Most hackers use one or more of these tactics to create vulnerabilities and exploit them.
Here are a few well-known examples of malicious software that helped them do just that.
Ransomware attack examples
WannaCry
In May 2017, the WannaCry cryptoworm—a dangerous combination of data-encrypting ransomware with a self-replicating computer worm—infected over 230,000 Windows devices using an exploit called EternalBlue that allowed hackers to gain access to all computers connected to a network. Since Microsoft had patched the exploit multiple times, they believed it to be obsolete. But anyone who hadn’t kept up with security updates was vulnerable.
Luckily, a British computer researcher named Marcus Hutchins found an online “kill switch” that stopped the spread. We tip our hats to you, Mr. Hutchins.
Ryuk
Ryuk was another particularly virulent strain of ransomware that plagued school systems, consulting firms, and even newspaper publishers like the Los Angeles Times. The malicious program encrypted data, with ransomers then demanding large amounts of Bitcoin to release infected files. It wasn’t shut down until someone found the manually controlled script that made it work.
Now that defenders better understand Ryuk’s tradecraft, managed security information and event management (SIEM) solutions like Huntress Managed SIEM can use log correlation and detections on suspicious infrastructure and behavior to surface early signs of an attack so you can shut it down fast.
Trojan and infostealer examples
Emotet
Emotet is a backdoor program that lets in ransomware and other malicious software. It first cropped up in 2014 as banking malware designed to steal sensitive information stored on computers. Like a bad penny, Emotet keeps coming back, a little different every time. Nowadays, it can even detect when it’s in a virtual sandbox and lay dormant to fool scans.
The one thing that hasn’t changed is how it’s delivered: It’s always sent in phishing emails that goad users into clicking a link or opening an attachment. It’s yet another reminder of the importance of Security Awareness Training (SAT), which educates employees on common vulnerabilities and hacking techniques and how they can do their part to avoid them.
TrickBot
TrickBot is a persistent pest that’s been opening doors for malware attacks since 2016. Its original purpose was gathering financial data, but it’s since evolved into a malware-as-a-service access point that serves victims’ systems up on a platter.
Thankfully, managed endpoint detection and response (EDR) and Managed SIEM can surface the malicious process behavior, credential theft attempts, and other suspicious activity TricBot relies on, so your team and the Huntress SOC can respond quickly.
Fileless and living-off-the-land examples
Volt Typhoon
Fileless and living-off-the-land attacks are a common type of malware that uses your own scripts and endpoints against you. Since 2021, Volt Typhoon attacks have plagued critical infrastructure in Guam and elsewhere in the U.S. ever since, especially organizations relying on poorly secured endpoints. Once hackers gain access, they move quietly, archiving files and staging them for later removal.
Since they use valid credentials, the access appears authentic, making these stealthy, slow-moving attacks tough to spot. To detect them, you have to switch from thinking about file protection to identity protection, ensuring hackers never get hold of credentials in the first place.
Managed identity threat detection and response (ITDR) and endpoint security posture management (ESPM) are the best ways to detect vulnerabilities and defend against the rogue apps that make these living-off-the-land attacks work.
Splunk
Sometimes, attackers use benign tools to run malicious attacks. Platforms like this are called “traitorware.” Splunk is one tool that’s capable of running living-off-the-land attacks despite not being designed for it.
Splunk’s main purpose is analyzing large amounts of data across environments. It lets users customize their configuration files, so they can define where the system sends data logs. Bad actors could set up a malicious server, create new configurations, and ship logs to their server undetected. The trick is in the layers: Security teams will likely notice someone editing existing files, but new ones get buried quickly.
There are several ways to prevent this from happening, including segmenting the network, using randomly generated admin passwords, and limiting outgoing traffic.