Colonial Pipeline Was Just the Beginning

In May 2021, a single compromised password shut down the largest fuel pipeline in the United States. Colonial Pipeline paid DarkSide operators $4.4 million in ransom. Fuel shortages rippled across the Southeast for days. That attack used just one of the many types of malware circulating right now — and it wasn't even the most sophisticated.

If you're trying to understand the threat landscape your organization faces today, you need more than a glossary. You need to know which types of malware are actively being deployed, how they get in, and what actually stops them. That's what this post delivers.

I've spent years watching organizations get hit by threats they thought were theoretical. They're not. Every category below has real-world body counts in 2021.

The Types of Malware Actively Targeting Organizations Right Now

The Verizon 2021 Data Breach Investigations Report found that 85% of breaches involved a human element, and malware played a role in roughly 30% of all confirmed breaches. That tracks with what I've seen in incident response work. Malware doesn't operate in a vacuum — it almost always rides in on a phishing email, a stolen credential, or a social engineering play.

Here's the breakdown of the major types of malware you need to understand — not as academic categories, but as active threats.

Ransomware: The $20 Billion Problem

Ransomware encrypts your files and demands payment for the decryption key. In 2021, it's the single most destructive malware category for organizations of any size. The FBI's Internet Crime Complaint Center (IC3) received 2,474 ransomware complaints in 2020, and the pace has only accelerated this year.

The Colonial Pipeline attack used DarkSide ransomware. The JBS Foods attack in June 2021 used REvil. The Kaseya supply chain attack in July 2021 also leveraged REvil and impacted up to 1,500 businesses simultaneously. These aren't isolated incidents — they represent a mature criminal ecosystem.

Modern ransomware operations run as Ransomware-as-a-Service (RaaS). Threat actors lease their malware to affiliates who carry out the attacks. This lowers the barrier to entry dramatically. You don't need to be a skilled programmer to deploy ransomware anymore — you just need an initial access broker to sell you a foothold.

Double extortion is now standard. Attackers exfiltrate your data before encrypting it, then threaten to publish it if you don't pay. That means backups alone no longer solve the problem.

Trojans: The Malware That Walks Through Your Front Door

A trojan disguises itself as legitimate software. The user installs it willingly, not realizing it contains a malicious payload. Trojans remain one of the most common initial infection vectors because they exploit trust.

Emotet — before its takedown by law enforcement in January 2021 — was the most prolific trojan of the past several years. It spread through phishing emails with malicious Word documents and served as a delivery mechanism for other malware families, including TrickBot and Ryuk ransomware.

Even with Emotet disrupted, trojans like TrickBot, QakBot, and IcedID have filled the gap. They're delivered through phishing campaigns and serve as loaders that pull down secondary payloads — often ransomware.

Spyware: Silent Data Theft

Spyware monitors your activity without your knowledge. It captures keystrokes, screenshots, browser history, and credentials. In a corporate environment, spyware can silently harvest credentials for weeks before anyone notices.

The Pegasus spyware story that broke in July 2021 showed how nation-state-grade spyware from NSO Group was used to target journalists, activists, and heads of state. While Pegasus targets mobile devices, the same principles apply to enterprise spyware: it's designed to be invisible.

Keyloggers are the most common form of spyware in credential theft operations. They sit quietly on an endpoint and capture everything typed, including passwords, and a captured password is a working credential wherever multi-factor authentication isn't in place.

Worms: Self-Propagating Threats

Worms spread across networks without user interaction. Unlike trojans, they don't need you to click anything after the initial infection. They exploit vulnerabilities in operating systems and network protocols to move laterally.

WannaCry — the 2017 worm that exploited the EternalBlue vulnerability — is still detected on networks in 2021. Organizations that haven't patched SMBv1 remain vulnerable years later. That's not a hypothetical. I've seen it in assessments this year.

The danger of worms is speed. Once inside your network, a worm can spread to every vulnerable machine in minutes. Your incident response team won't be fast enough if you haven't segmented your network properly.

Fileless Malware: Nothing to Scan

Fileless malware operates entirely in memory. It doesn't write files to disk, which means traditional antivirus solutions that scan files often miss it completely. It typically abuses legitimate system tools — PowerShell, WMI, .NET — to execute malicious code.

According to the Ponemon Institute, fileless attacks are roughly ten times more likely to succeed than file-based attacks. That statistic should change how you think about endpoint protection. If your security stack relies solely on signature-based detection, fileless malware walks right past it.

In my experience, fileless malware shows up most often in targeted attacks against mid-size and large organizations. It's frequently used in the post-exploitation phase after a threat actor gains initial access through a phishing email or compromised credential.

Adware: The Threat Everyone Ignores

Adware seems harmless — it displays unwanted ads or redirects your browser. Most security teams treat it as a nuisance. That's a mistake.

Adware often serves as an initial foothold. It can redirect users to malicious sites that deliver more dangerous payloads. It can also degrade system performance enough to mask other malicious activity. I've investigated incidents where adware was the first indicator of a much deeper compromise.

Rootkits: The Deep Hide

Rootkits embed themselves at the operating system level — sometimes in the kernel, sometimes in the firmware. They're designed to hide other malware from detection tools. If a rootkit is on your system, your security software may report everything as clean while an attacker has full control.

Rootkits are harder to deploy than most malware, so they tend to appear in advanced persistent threat (APT) operations. But they're not exclusive to nation-states. Criminal groups have used rootkit techniques to maintain persistence on compromised servers for months.

Botnets: Your Machines Working for Someone Else

Bot malware turns your device into a node in a network controlled by an attacker. Botnets are used for DDoS attacks, spam campaigns, credential stuffing, and cryptocurrency mining. The Mirai botnet demonstrated in 2016 how IoT devices could be weaponized at scale, and Mirai variants remain active in 2021.

If your network has compromised machines participating in a botnet, you may not notice until your ISP flags unusual traffic or your cloud provider alerts you to a spike in outbound connections.

What Are the Most Dangerous Types of Malware in 2021?

Ransomware is the most immediately destructive. It has the highest financial impact, the fastest-growing attack volume, and the most mature criminal infrastructure supporting it. But fileless malware is the most insidious because it evades the tools most organizations rely on.

The combination that causes the most damage: a phishing email delivers a trojan, which drops a fileless payload, which moves laterally using stolen credentials, which ultimately deploys ransomware. This kill chain is not theoretical — it's the pattern behind the majority of major breaches in 2021.

How Malware Actually Gets In

Understanding the types of malware matters, but understanding delivery mechanisms matters more. You can't defend against what you don't see coming.

Phishing Remains the #1 Delivery Vector

The Verizon 2021 DBIR confirmed that phishing was present in 36% of breaches — up from 25% the prior year. Phishing emails deliver trojans, ransomware, spyware, and credential theft pages. Your employees are the attack surface.

This is why phishing awareness training for organizations isn't optional. Simulated phishing campaigns teach employees to recognize social engineering tactics before a real threat actor exploits them.

Exploiting Unpatched Vulnerabilities

The Microsoft Exchange Server vulnerabilities disclosed in March 2021 (ProxyLogon) were exploited by multiple threat groups within days. CISA issued Emergency Directive 21-02 ordering federal agencies to patch immediately. Organizations that delayed patching got hit with web shells, ransomware, and data exfiltration.

Patching isn't glamorous. It's essential. Every unpatched system is an open door.

Credential Theft and Reuse

Stolen credentials — often harvested by spyware or purchased on dark web markets — give attackers legitimate access. No malware needed at the initial stage. Once inside, they deploy whatever payload serves their objective.

Multi-factor authentication blocks the vast majority of credential-based attacks. If you've implemented nothing else this year, implement MFA.

Practical Defenses That Actually Work

I'm not going to give you a generic checklist. Here's what I've seen make a measurable difference against the types of malware targeting organizations right now.

Layer Your Endpoint Protection

Traditional antivirus catches known signatures. Endpoint Detection and Response (EDR) catches behaviors. You need both. EDR solutions monitor for suspicious process chains — like PowerShell spawning from a Word document — that indicate fileless attacks or trojan activity.
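The process-chain check described above, written out as a small detection routine. This is an added example, not code from the original post or from any EDR vendor; the event fields (host, parent image, image, command line) are the ones process-creation telemetry such as Sysmon carries, the host names and paths in the sample events are constructed, and the parent/child lists are a starting point to tune against your own baseline.

```python
"""Flag suspicious parent->child process chains in process-creation telemetry.

Added example (not from the original post). Sample events are constructed,
not captured data; hosts, paths and command lines are hypothetical.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple
import ntpath

# Parents that should almost never launch a script host on a workstation.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# WMI provider host: a common parent for fileless execution via WMI.
WMI_PARENT = "wmiprvse.exe"
# Script hosts that fileless tradecraft abuses for in-memory execution.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "cmd.exe"}


@dataclass(frozen=True)
class ProcessEvent:
    host: str
    parent_image: str   # full path of the parent process image
    image: str          # full path of the newly created process image
    command_line: str


def _exe(path: str) -> str:
    """Case-insensitive basename of a Windows path."""
    return ntpath.basename(path).lower()


def classify(event: ProcessEvent) -> Optional[str]:
    """Return a rule name when the parent/child pair is suspicious, else None."""
    child = _exe(event.image)
    if child not in SCRIPT_HOSTS:
        return None
    parent = _exe(event.parent_image)
    if parent in OFFICE_PARENTS:
        return "office-app-spawned-script-host"
    if parent == WMI_PARENT:
        return "wmi-spawned-script-host"
    return None


def find_suspicious(events: List[ProcessEvent]) -> List[Tuple[str, str, str]]:
    """(host, child image basename, rule) for every event a rule matches."""
    hits = []
    for e in events:
        rule = classify(e)
        if rule:
            hits.append((e.host, _exe(e.image), rule))
    return hits


OFFICE16 = r"C:\Program Files\Microsoft Office\root\Office16"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Constructed sample telemetry: two chains that should fire, three that should not.
SAMPLE_EVENTS = [
    ProcessEvent("WS-017", r"C:\Windows\explorer.exe", OFFICE16 + r"\WINWORD.EXE",
                 "WINWORD.EXE /n invoice.docm"),                       # user opened a document
    ProcessEvent("WS-017", OFFICE16 + r"\WINWORD.EXE", PS,
                 'powershell.exe -NoProfile -Command "<constructed placeholder>"'),
    ProcessEvent("SRV-DB01", r"C:\Windows\System32\wbem\WmiPrvSE.exe", PS,
                 'powershell.exe -Command "<constructed placeholder>"'),
    ProcessEvent("WS-022", r"C:\Windows\System32\cmd.exe", PS,
                 "powershell.exe Get-Service"),                        # admin at a console
    ProcessEvent("WS-017", OFFICE16 + r"\WINWORD.EXE", r"C:\Windows\splwow64.exe",
                 "splwow64.exe 12288"),                                # print helper, not a script host
]

if __name__ == "__main__":
    for host, child, rule in find_suspicious(SAMPLE_EVENTS):
        print(f"{host}: {child} matched {rule}")
```

Two of the five constructed events match: Word launching PowerShell and the WMI provider host launching PowerShell. A console administrator running PowerShell from cmd.exe does not, and neither does Word launching its print helper. In practice the office and script-host lists need an allowlist for legitimate add-ins, and a match should be enriched with the command line and the network activity of the child process before anyone pages the on-call analyst.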

Segment Your Network

Network segmentation limits lateral movement. If ransomware or a worm compromises one segment, it shouldn't be able to reach your crown jewels. Zero trust architecture takes this further — every access request is verified regardless of network location.

Train Your People — Continuously

A one-time training session does nothing. Security awareness requires ongoing reinforcement. Regular phishing simulations, short monthly modules, and real-time feedback when someone clicks a simulated phish — that's what changes behavior.

Start with a comprehensive cybersecurity awareness training program that covers malware recognition, credential hygiene, and social engineering tactics. Make it part of onboarding and make it recurring.

Back Up With the 3-2-1 Rule

Three copies of your data, on two different media types, with one stored offline. Offline is the critical word. Ransomware operators specifically target backup systems. If your backups are on the same network, they'll be encrypted alongside everything else.

Implement MFA Everywhere

Multi-factor authentication is the single highest-impact control you can deploy against credential theft. It stops automated credential stuffing, it stops password-spray attacks, and it makes stolen credentials from spyware largely useless without the second factor.

Monitor Outbound Traffic

Most organizations focus on what comes in. Malware — especially spyware, botnets, and data exfiltration tools — reveals itself through outbound connections. Monitor DNS queries, flag connections to known-bad IPs, and investigate anomalous data transfers.
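The three outbound checks above (DNS queries, known-bad destinations, anomalous transfer volume) as a triage script over flow and DNS records. This is an added example, not code from the original post; the blocklist uses RFC 5737 documentation address ranges rather than real indicators, every record is constructed, and the field names (src, dst, bytes_out, qname) and thresholds are assumptions to be mapped onto whatever your flow collector and resolver logs actually emit.

```python
"""Triage outbound flow and DNS records for blocklisted destinations,
per-host volume outliers and DNS fan-out.

Added example (not from the original post). The blocklist holds documentation-
reserved addresses, all records are constructed, and thresholds are illustrative.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import median
from typing import Dict, List, Set, Tuple

# Constructed blocklist (RFC 5737 documentation ranges, not real indicators).
KNOWN_BAD_NETWORKS = [ip_network("203.0.113.0/24"), ip_network("198.51.100.7/32")]


def is_known_bad(dst: str) -> bool:
    """True when the destination address falls inside any blocklisted network."""
    addr = ip_address(dst)
    return any(addr in net for net in KNOWN_BAD_NETWORKS)


def flag_bad_destinations(flows: List[Dict]) -> List[Tuple[str, str]]:
    """(src, dst) pairs whose destination is on the blocklist."""
    return [(f["src"], f["dst"]) for f in flows if is_known_bad(f["dst"])]


def flag_volume_outliers(flows: List[Dict], factor: float = 5.0) -> List[Tuple[str, int]]:
    """Sources whose outbound byte total exceeds factor x the median of every other source.

    A peer-relative baseline catches one host pushing far more data out than its
    neighbours, which is how exfiltration tends to look in flow logs.
    """
    totals: Dict[str, int] = defaultdict(int)
    for f in flows:
        totals[f["src"]] += f["bytes_out"]
    outliers = []
    for src, total in totals.items():
        peers = [t for s, t in totals.items() if s != src]
        if peers and total > factor * median(peers):
            outliers.append((src, total))
    return outliers


def flag_dns_fanout(queries: List[Dict], max_unique: int = 50) -> List[Tuple[str, int]]:
    """Sources that resolved more distinct names than max_unique in the window."""
    seen: Dict[str, Set[str]] = defaultdict(set)
    for q in queries:
        seen[q["src"]].add(q["qname"].lower().rstrip("."))
    return [(src, len(names)) for src, names in seen.items() if len(names) > max_unique]


def triage(flows: List[Dict], queries: List[Dict]) -> Dict[str, list]:
    """Run all three checks and return their findings keyed by check name."""
    return {
        "known_bad": flag_bad_destinations(flows),
        "volume": flag_volume_outliers(flows),
        "dns_fanout": flag_dns_fanout(queries),
    }


# Constructed sample records: one blocklisted destination, one volume outlier,
# one host resolving an unusual number of distinct names.
SAMPLE_FLOWS = [
    {"src": "10.0.0.11", "dst": "192.0.2.10", "bytes_out": 40_000},
    {"src": "10.0.0.11", "dst": "192.0.2.11", "bytes_out": 12_000},
    {"src": "10.0.0.12", "dst": "203.0.113.45", "bytes_out": 48_000},    # blocklisted
    {"src": "10.0.0.13", "dst": "192.0.2.10", "bytes_out": 50_000},
    {"src": "10.0.0.14", "dst": "198.51.100.9", "bytes_out": 2_000_000},  # not blocklisted, but huge
]
SAMPLE_QUERIES = (
    [{"src": "10.0.0.11", "qname": "updates.example."},
     {"src": "10.0.0.12", "qname": "mail.example."}]
    + [{"src": "10.0.0.13", "qname": f"node{i}.cdn.example."} for i in range(60)]
)

if __name__ == "__main__":
    for check, findings in triage(SAMPLE_FLOWS, SAMPLE_QUERIES).items():
        print(check, findings)
```

The volume check deliberately compares each host with its peers rather than with a fixed byte count, so it still works when the whole fleet's baseline shifts; the DNS check is the coarse version of what resolver logs let you do, and a real deployment would also key on query type and name length. None of the three findings is a verdict on its own, but any of them is a reason to pull the endpoint's process telemetry for the same window.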

The Kill Chain Runs Through Your Employees

Every malware category I've described relies on some form of human error at the initial stage. A clicked link. An opened attachment. A reused password. A delayed patch.

CISA's guidance on stopping ransomware emphasizes the same point: technical controls matter, but the human element is where most attacks begin. The FBI IC3 data backs this up year after year.

You can deploy the best endpoint protection money can buy. If your employees can't recognize a phishing email, if they reuse passwords across personal and corporate accounts, if they plug in unknown USB drives — your technical controls will eventually be bypassed.

The organizations that survive 2021's threat landscape aren't the ones with the biggest budgets. They're the ones that take security awareness as seriously as they take firewall rules. They train continuously. They test regularly. They assume breach and plan accordingly.

That's not paranoia. That's the reality of operating in a world where ransomware gangs run customer support portals and a single compromised password can shut down a pipeline.