Constant internet connectivity facilitates the effortless distribution of malware. Malware can be divided into seven categories to develop an understanding of the risk complexity posed by malware to an organisation.
The seven categories of malware are divided as follows:
- Ransomware
- RATs (Remote Access Trojans)
- Banking Trojans
- Bots, otherwise known as Zombies
- RAM Scrapers
- Data Stealers
Ransomware:
Ransomware is the most renowned category of malware and over the last decade has gained popularity with cybercriminals. In a nutshell, ransomware scrambles the victim's data files while the adversary retains the only copy of the decryption key. The cybercriminals then sell the decryption key back to the victim by demanding a ransom for the recovery of their documents.
Cybercriminals usually assess the network to determine whether any backup files are present; their first step is to delete those backups to ensure the victim pays the ransom. This emphasises the importance of backing up data on another medium, away from the network, so that the organisation is never forced to pay a ransom.
A scenario where the network is heavily infected favours the cybercriminals, as the chances of an organisation paying a ransom are quadrupled. One explanation for the increased likelihood of the ransom being paid is the number of computer systems affected on the network.
Some organisations may have backups available for all the affected computer systems, but reimaging and restoring thousands of computers is a tedious and laborious process. After taking into account the manpower and resources required to restore the systems to their original state, coupled with time pressure, the organisation may wrongly conclude that paying the ransom is the most feasible option.
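The scrambling described above leaves a measurable trace: a document that was readable text suddenly has the statistics of random data, or disappears and is replaced by a high-entropy file with a new extension. The following Python is an added detection example, not code from the article; the entropy threshold, the before/after snapshots and the sample file contents are constructed assumptions.

```python
import math
import random
from collections import Counter

ENTROPY_THRESHOLD = 7.0  # assumed cut-off (bits/byte); English text sits near 4-5, ciphertext near 8


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def flag_scrambled_files(before: dict[str, bytes], after: dict[str, bytes]) -> list[str]:
    """Compare two snapshots {path: content} and return paths that look scrambled:
    either overwritten in place with high-entropy data, or gone and replaced by a
    high-entropy file whose name extends the original (e.g. a '.locked' suffix)."""
    flagged = []
    for path, old in before.items():
        if path in after:
            if shannon_entropy(old) < ENTROPY_THRESHOLD <= shannon_entropy(after[path]):
                flagged.append(path)
            continue
        renamed = [p for p in after if p.startswith(path) and p not in before]
        if renamed and all(shannon_entropy(after[p]) >= ENTROPY_THRESHOLD for p in renamed):
            flagged.append(path)
    return flagged


# Constructed sample data: a plain-text "document" and deterministic pseudo-random
# bytes standing in for ciphertext (Python 3.9+ for Random.randbytes).
SAMPLE_TEXT = b"Quarterly report: revenue rose four percent; headcount unchanged. " * 60
SAMPLE_CIPHERTEXT = random.Random(1).randbytes(4096)


def demo() -> list[str]:
    """Snapshot before/after a simulated scrambling; returns the flagged original paths."""
    before = {
        "docs/report.docx": SAMPLE_TEXT,
        "docs/notes.txt": SAMPLE_TEXT[:2000],
        "docs/readme.txt": b"unchanged file\n",
    }
    after = {
        "docs/report.docx": SAMPLE_CIPHERTEXT,              # overwritten in place
        "docs/notes.txt.locked": SAMPLE_CIPHERTEXT[:2000],  # renamed with a new extension
        "docs/readme.txt": b"unchanged file\n",
    }
    return flag_scrambled_files(before, after)


if __name__ == "__main__":
    print(demo())  # ['docs/report.docx', 'docs/notes.txt']
```

In practice the snapshots would come from a file-integrity monitor or a honeyfile directory, and a burst of such flags across many files is the signal worth alerting on.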
RATs (Remote Access Trojans):
The acronym RAT stands for Remote Access Trojan. A RAT is essentially a remote access tool which allows a cybercriminal to spy on an individual computer user.
The best way to handle the RAT threat is to invest in a webcam cover, or to use a tiny piece of electrical tape, to create a physical shield of personal privacy which no malware can bypass.
Banking Trojans:
The purpose of a banking trojan is to steal sensitive information about the victim's bank accounts. Most banking trojans include a keylogger and a data stealer. The keylogger records keystrokes to capture personal data such as passwords or PINs. The data stealer sifts through browser databases and any password vaults it can find, with the end goal of locating unencrypted account details.
Another technique used by banking trojans is known as web form injection. The malware adds extra data fields to the form displayed in the victim's browser. The purpose of the additional fields is to obtain personal information which the genuine web form does not normally ask for, for example a date of birth or a credit card number.
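One defensive counterpart to web form injection is page integrity monitoring: the bank keeps a baseline of the fields its form is supposed to contain and compares it with the form the browser actually rendered, so that any extra field stands out. The following Python is an added illustration, not code from the article; the baseline field names and the sample pages are constructed.

```python
from html.parser import HTMLParser

# Assumed baseline: the field names the genuine login form is known to carry.
EXPECTED_LOGIN_FIELDS = frozenset({"username", "password", "csrf_token"})


class _FieldCollector(HTMLParser):
    """Collects the name attribute of every form control encountered."""

    def __init__(self) -> None:
        super().__init__()
        self.fields: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag in ("input", "select", "textarea"):
            name = dict(attrs).get("name")
            if name:
                self.fields.append(name)


def form_fields(html: str) -> list[str]:
    """Return the names of all form controls in the rendered page, in document order."""
    collector = _FieldCollector()
    collector.feed(html)
    return collector.fields


def injected_fields(rendered_html: str, expected=EXPECTED_LOGIN_FIELDS) -> list[str]:
    """Field names present in the rendered form that the baseline does not contain."""
    return sorted(set(form_fields(rendered_html)) - set(expected))


# Constructed sample pages: the genuine form, and the same form after injection
# of the extra fields the text describes (date of birth, card number).
CLEAN_PAGE = """<form action="/login" method="post">
  <input type="hidden" name="csrf_token" value="x">
  <input type="text" name="username"><input type="password" name="password">
</form>"""

TAMPERED_PAGE = CLEAN_PAGE.replace(
    "</form>",
    '  <input type="text" name="date_of_birth">\n'
    '  <input type="text" name="card_number">\n</form>',
)

if __name__ == "__main__":
    print(injected_fields(CLEAN_PAGE))     # []
    print(injected_fields(TAMPERED_PAGE))  # ['card_number', 'date_of_birth']
```

A real deployment would collect the rendered field list from a script in the page and report unexpected names back to the bank, since the injection happens inside the victim's browser and is invisible to the server otherwise.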
Bots or Zombies:
Bot - Short for robot, a bot is a malicious program developed to open a backdoor into a system, allowing a cybercriminal to operate and control the machine via a series of commands.
Botnet - A collection of bots that form a network. The term botnet is short for robot network. A botnet allows a cybercriminal to simultaneously control multiple computer systems.
Bots are also known as Zombies because, for a cybercriminal, they act as sleeper agents which can be activated on demand as and when required.
Commands built into bots range from using the computer to attack websites, sniffing passwords and searching for files, to sending spam in large quantities. Bots also give cybercriminals full autonomy to change the commands when required, meaning an infected system can switch tasks from day to day.
RAM Scrapers:
Despite having administrator or root level access, the malware cannot always find the intended files or the required personal data. Under PCI-DSS and GDPR regulations, certain types of data may only be stored temporarily on the computer system.
For instance, the three-digit CVV code used to authorise a transaction: the regulations stipulate that in most cases the CVV code should not be written to disk, so it is held only in temporary storage (memory).
RAM scraping malware is used by cybercriminals to monitor that temporary storage, the system's RAM, to retrieve CVV codes and full credit card details. Furthermore, by reading temporary storage the malware also gains access to plaintext passwords, decryption keys and website authentication tokens.
Data Stealers:
Data stealing malware sifts through a computer's hard disk or the network to find files of monetary value to the cybercriminals. The data holding the most value is usually bank account details, account passwords, credit card details, passport information and any data about the identity of the victim.
Data stealing malware is capable of recognising files by their internal structure or file names. For example, the malware can detect files belonging to password vaults containing login details, or browser database files that may contain sensitive data such as browsing history or authentication tokens.