A Single Click Cost MGM Resorts $100 Million

In September 2023, the threat group tracked as Scattered Spider used social engineering to talk an MGM Resorts help desk employee into resetting an account's credentials. Within days, ransomware was deployed across MGM's network, crippling hotel check-ins, slot machines, and digital room keys across Las Vegas. MGM disclosed an estimated $100 million hit to its third-quarter results. The initial access needed no exploit and no zero-day: one phone call, one reset, one catastrophic deployment.

So what is malware, exactly? It's any software intentionally designed to damage, disrupt, or gain unauthorized access to computer systems. But that textbook answer barely scratches the surface of what I've seen malware do to real organizations — from encrypting every file a hospital needs to treat patients, to silently siphoning credit card numbers for months before anyone notices.

This post is the field guide I wish every employee and IT professional had on day one. I'll break down the major malware types, how they actually get into your network, what real-world damage looks like, and the specific steps you can take right now to defend against them.

What Is Malware? The Answer That Actually Matters

Malware is short for "malicious software." It covers a huge family of threats: viruses, worms, ransomware, trojans, spyware, adware, rootkits, keyloggers, and wipers. Each one operates differently, but they share the same goal — to compromise confidentiality, integrity, or availability of your data and systems.

Here's what makes 2025 different from five years ago: malware is no longer just a technical problem. It's a business continuity problem, a legal liability, and a human problem. The 2024 Verizon Data Breach Investigations Report (DBIR) found that 68% of breaches involved a non-malicious human element, such as a person falling for social engineering or making an error: someone clicked, downloaded, or handed over credentials before any malware ran.

That's why understanding what malware is matters far beyond the IT department. Every person in your organization is a potential entry point.

The 7 Malware Types You'll Actually Encounter

1. Ransomware: The Billion-Dollar Extortion Machine

Ransomware encrypts your files and demands payment for the decryption key; most crews now also steal data before encrypting and threaten to publish it if you refuse (double extortion), so a good backup alone no longer ends the negotiation. The FBI's Internet Crime Complaint Center (IC3) recorded an 18% rise in ransomware complaints in its 2023 Annual Report compared with 2022, with critical infrastructure sectors disproportionately targeted.

The Colonial Pipeline attack in 2021 shut down fuel distribution across the eastern United States. The attackers got in through a legacy VPN account protected by a single password and no MFA, and the company paid a $4.4 million ransom. Change Healthcare was hit in February 2024 through a remote access portal that also lacked MFA, disrupting pharmacy and insurance claims processing across the country for weeks. These aren't abstract threats; they're supply chain crises triggered by malware, and both began with a missing second factor.

2. Trojans: The Wolf in Software's Clothing

Trojans disguise themselves as legitimate software. You think you're installing a PDF reader or a browser extension. Instead, you're giving a threat actor a backdoor into your system. Emotet, one of the most prolific trojans in history, was primarily delivered through phishing emails with malicious attachments. Once running, it acted as a loader and downloaded further payloads, classically the TrickBot banking trojan followed by Ryuk ransomware, turning a single infection into a full network compromise.

3. Spyware and Keyloggers: Silent Credential Theft

Spyware monitors your activity. Keyloggers record every keystroke. Together, they're the tools behind credential theft, capturing usernames, passwords, banking details, and confidential communications. The current mass-market form is the infostealer, which dumps browser-saved passwords and session cookies in seconds; a stolen session cookie lets an attacker skip the login page, and the MFA prompt with it. In my experience, spyware infections often go undetected for months because they don't disrupt normal operations. They just watch and exfiltrate.

4. Worms: Self-Spreading Network Destroyers

Unlike viruses, worms don't need you to open a file. They exploit network-reachable vulnerabilities and replicate on their own. WannaCry in May 2017 spread to roughly 150 countries within a day by exploiting a Windows SMBv1 flaw (MS17-010, the EternalBlue exploit) that Microsoft had patched two months earlier. It hit the UK's National Health Service so hard that hospitals turned away patients. The lesson is patch latency: every unpatched host with SMB reachable was one more hop for the worm.

5. Rootkits: The Malware That Hides Other Malware

Rootkits burrow deep into operating systems, sometimes into firmware, and mask the presence of other malicious software. They're extremely difficult to detect and even harder to remove. I've seen rootkit infections that survived full OS reinstalls because they'd embedded in the device's boot process. A bootkit living in UEFI firmware or the boot partition is untouched by a reinstall, so remediation means reflashing firmware from a known-good image or replacing the device, and Secure Boot with firmware integrity verification is the control that keeps it out in the first place.

6. Adware and PUPs (Potentially Unwanted Programs)

Adware seems harmless — annoying pop-ups, browser redirects. But it often serves as a gateway. What starts as a bundled toolbar can open the door to more aggressive malware. Don't dismiss it.

7. Wipers: Destruction Without Negotiation

Wipers don't encrypt your data for ransom. They destroy it outright. The WhisperGate and HermeticWiper malware families deployed against Ukrainian targets in 2022 were designed purely for destruction. WhisperGate even displayed a ransom note, but it was a decoy: there was no decryption key and the overwritten data was already gone. Against a wiper, offline backups are the only recovery path.

How Malware Actually Gets Into Your Network

Knowing what malware is means nothing if you don't understand the delivery mechanisms. Here's what I see over and over again in incident response:

Phishing Emails Are Still the #1 Vector

It's not glamorous, but it works. A convincing email with a malicious attachment or link remains the most common way malware reaches endpoints. The Verizon DBIR consistently shows phishing as a top action variety in breaches. Your employees are the front line, and without regular phishing awareness training for your organization, they're making split-second decisions with no framework for evaluating what's real.
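To make those split-second decisions mechanical, here is an added example (not part of the original post) of the checks a mail-filter rule or a help-desk triage script applies to a raw message: a display name that borrows the organization's brand while the address is an outside domain, a Reply-To that diverts replies elsewhere, link text that disagrees with the link target, and an executable or double-extension attachment. The two messages and the .example domains are constructed samples; `contoso.example` stands in for your own domain.

```python
"""Heuristic phishing triage for a raw RFC 5322 message.

Added example, not code from the original post. The two messages below are
constructed samples using reserved .example domains; the checks are generic
indicators, not a complete mail-security product.
"""
import email
import re
from email import policy
from email.utils import parseaddr
from pathlib import PurePosixPath
from urllib.parse import urlparse

# Attachment types that commonly carry loaders: .iso/.img smuggle files past
# Mark-of-the-Web, .lnk/.hta/.js/.vbs launch script hosts, .exe/.scr run directly.
RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".hta", ".lnk", ".iso", ".img", ".bat", ".cmd"}
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
LOOKS_LIKE_HOST_RE = re.compile(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", re.I)

# Constructed sample: every indicator below fires on this one.
SUSPICIOUS_MSG = b"""From: "Contoso IT Support" <helpdesk@contoso-support.example>
Reply-To: reset@mailer.example
To: employee@contoso.example
Subject: Password expiring today
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html

<p>Reset now: <a href="http://login.contoso.example.evil.example/r">https://login.contoso.example</a></p>
--b1
Content-Type: application/octet-stream; name="invoice.pdf.exe"
Content-Disposition: attachment; filename="invoice.pdf.exe"

ignored
--b1--
"""

# Constructed sample: an ordinary internal message that should pass clean.
BENIGN_MSG = b"""From: "Payroll" <payroll@contoso.example>
To: employee@contoso.example
Subject: March pay statements
Content-Type: text/plain

Statements are in the HR portal.
"""


def _host(url: str) -> str:
    """Hostname of a URL or bare domain, lower-cased ('' if unparsable)."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def _domain(header_value) -> str:
    """Domain part of the first address in a header ('' if absent)."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def triage(raw: bytes, own_domain: str) -> list[str]:
    """Return human-readable indicators found in the message (empty = nothing flagged)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []

    display_name, _ = parseaddr(str(msg["From"] or ""))
    from_domain = _domain(msg["From"])
    internal = from_domain == own_domain or from_domain.endswith("." + own_domain)
    org_label = own_domain.split(".")[0]
    # 1. An outside sender whose display name borrows our organization's name.
    if not internal and org_label in display_name.lower():
        findings.append(f"external sender {from_domain} impersonates {org_label}")

    # 2. Replies silently rerouted to a different domain than the visible sender.
    reply_domain = _domain(msg["Reply-To"])
    if reply_domain and reply_domain != from_domain:
        findings.append(f"reply-to domain {reply_domain} differs from sender {from_domain}")

    # 3. Link text shows one host while the href goes somewhere else.
    body = msg.get_body(preferencelist=("html", "plain"))
    if body is not None:
        for href, inner in ANCHOR_RE.findall(body.get_content()):
            shown = re.sub(r"<[^>]+>", "", inner).strip()
            if LOOKS_LIKE_HOST_RE.fullmatch(shown) and _host(shown) != _host(href):
                findings.append(f"link text {_host(shown)} actually points to {_host(href)}")

    # 4. Executable attachments, with the classic double extension called out.
    for part in msg.walk():
        if part.get_content_disposition() != "attachment":
            continue
        name = (part.get_filename() or "").lower()
        suffixes = PurePosixPath(name).suffixes
        if suffixes and suffixes[-1] in RISKY_EXTENSIONS:
            note = " (double extension)" if len(suffixes) > 1 else ""
            findings.append(f"risky attachment {name}{note}")
    return findings


if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS_MSG), ("benign", BENIGN_MSG)):
        print(label, triage(raw, "contoso.example"))
```

None of these checks is conclusive on its own (legitimate newsletters set a foreign Reply-To all the time), which is why the function returns a list of reasons for a human or a scoring rule to weigh rather than a verdict.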

Compromised Websites and Drive-By Downloads

Visiting a legitimate website that's been compromised can trigger a malware download without a click, provided the visitor's browser or a plugin has an unpatched vulnerability the injected code can exploit. Threat actors plant that code on vulnerable sites, especially ones running outdated CMS platforms or unpatched plugins, so the defense sits on both sides: patch your own web properties so you aren't the host, and keep browsers current so you aren't the victim.

Malicious Software Updates and Supply Chain Attacks

The SolarWinds attack in 2020 showed the world what a supply chain compromise looks like. Threat actors inserted a backdoor (SUNBURST) into a routine update of the Orion platform, and because the build was signed with SolarWinds' own legitimate code-signing certificate, signature checks passed everywhere. Around 18,000 organizations downloaded the compromised update. Your vendor's security is your security, and a valid signature proves only who signed the build, not that the build is clean.

Removable Media and Physical Access

USB drives left in parking lots still work. It sounds like a movie plot, but the U.S. Department of Homeland Security reportedly tested it, and employees picked up and plugged in the drives at alarming rates; a 2016 University of Illinois study that dropped nearly 300 drives around campus found that almost half were plugged in and had a file opened. Physical security is part of malware defense, and so is disabling autorun and restricting removable media by policy.

Exploiting Unpatched Vulnerabilities

CISA continually adds entries to its Known Exploited Vulnerabilities (KEV) Catalog, each with a due date by which federal agencies must remediate under Binding Operational Directive 22-01. Each entry represents a door that threat actors are actively walking through. If you're not patching, you're inviting malware in.

The Real Cost of a Malware Infection

IBM's 2024 Cost of a Data Breach Report put the global average cost of a data breach at $4.88 million. But the damage goes beyond dollars.

  • Operational downtime: Ransomware attacks average 22 days of disruption, according to Coveware research from recent years.
  • Regulatory penalties: if malware leads to a data breach, regulators come knocking under HIPAA, GDPR, and state breach notification laws, and the card brands enforce PCI DSS contractually. The FTC has repeatedly taken action against companies with inadequate security practices.
  • Reputation damage: Customers leave. Partners reconsider. I've watched organizations spend years rebuilding trust after a single malware incident.
  • Legal liability: Class-action lawsuits following breaches have become standard. Change Healthcare's parent company UnitedHealth Group faced multiple lawsuits after their 2024 incident.

How to Defend Against Malware: Specific Steps That Work

Build a Human Firewall First

Technology alone won't stop malware. Your people need to recognize social engineering, suspicious attachments, and unusual requests. Investing in comprehensive cybersecurity awareness training gives every employee a practical framework for spotting threats before they click.

Phishing simulations are especially effective. They give your team hands-on experience identifying malicious emails in a safe environment. Organizations that run regular phishing simulations see measurable reductions in click rates over time.

Implement Multi-Factor Authentication Everywhere

Multi-factor authentication (MFA) stops credential theft from becoming a full breach: even if a keylogger captures a password, the attacker still lacks the second factor. Prioritize MFA for email, VPN, cloud services, and any administrative access. Two caveats. Prefer phishing-resistant methods (FIDO2/WebAuthn security keys or passkeys) over SMS codes and push prompts, which attacker-in-the-middle phishing kits and push-fatigue attacks can defeat. And harden the help-desk reset process, because the MGM attack that opened this post never stole a credential at all; it talked a human into resetting one.

Adopt Zero Trust Architecture

Zero trust assumes every user, device, and network segment could be compromised. It requires continuous verification and limits lateral movement — which is exactly what malware needs to spread. NIST's Zero Trust Architecture publication (SP 800-207) is the definitive guide for implementing this approach.

Patch Relentlessly

I know: patching is tedious. It disrupts workflows. It breaks things occasionally. But unpatched systems are the single biggest gift you can give a threat actor. Establish a patch management cycle that prioritizes CISA's Known Exploited Vulnerabilities Catalog and tracks each entry's due date, and extend it beyond servers and workstations to firmware, hypervisors, and edge devices such as VPN gateways, which attackers target heavily. No exceptions for "that one legacy server": if it truly cannot be patched, isolate it.
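The KEV-driven prioritization described here, and under "Exploiting Unpatched Vulnerabilities" above, can be scripted. The added example below (not from the post and not CISA's code) matches a small asset inventory against entries in the catalog's JSON schema, ranks entries with known ransomware use first and then by CISA due date, and flags items already past due. `SAMPLE_KEV` uses the catalog's real field names and three real CVE IDs, but every date, description and the inventory are hypothetical placeholders; for real use, download the live feed at `KEV_FEED_URL` and pass it to `load_kev`.

```python
"""Match an asset inventory against the CISA Known Exploited Vulnerabilities catalog.

Added example, not from the original post. SAMPLE_KEV copies the catalog's
field names and uses real CVE identifiers, but dates, descriptions and the
inventory are hypothetical placeholders constructed for this example.
"""
import json
from datetime import date

KEV_FEED_URL = "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json"

SAMPLE_KEV = {
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "vulnerabilities": [
        {"cveID": "CVE-2017-0144", "vendorProject": "Microsoft", "product": "Windows",
         "vulnerabilityName": "SMBv1 remote code execution (placeholder text)",
         "dateAdded": "2022-02-10", "dueDate": "2022-08-10", "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-2021-44228", "vendorProject": "Apache", "product": "Log4j2",
         "vulnerabilityName": "Log4j remote code execution (placeholder text)",
         "dateAdded": "2021-12-10", "dueDate": "2021-12-24", "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-2023-4966", "vendorProject": "Citrix", "product": "NetScaler ADC and NetScaler Gateway",
         "vulnerabilityName": "NetScaler buffer overflow (placeholder text)",
         "dateAdded": "2023-10-18", "dueDate": "2023-11-08", "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-2018-13379", "vendorProject": "Fortinet", "product": "FortiOS",
         "vulnerabilityName": "FortiOS path traversal (placeholder text)",
         "dateAdded": "2021-11-03", "dueDate": "2022-05-03", "knownRansomwareCampaignUse": "Known"},
    ],
}

# Hypothetical inventory: what a CMDB export or agent report would give you.
SAMPLE_INVENTORY = [
    {"host": "legacy-fileserver-01", "vendor": "Microsoft", "product": "Windows"},
    {"host": "app-01", "vendor": "Apache", "product": "Log4j2"},
    {"host": "vpn-gw-01", "vendor": "Citrix", "product": "NetScaler ADC"},
    {"host": "db-01", "vendor": "PostgreSQL", "product": "PostgreSQL"},
]


def load_kev(path: str) -> dict:
    """Load a downloaded copy of the KEV JSON feed."""
    with open(path, encoding="utf-8") as f:
        return json.load(f)


def _norm(s: str) -> str:
    return "".join(s.lower().split())


def _matches(entry: dict, asset: dict) -> bool:
    """Vendor must match exactly; product matches on containment in either direction,
    because KEV product strings are often broader ('NetScaler ADC and NetScaler Gateway')."""
    if _norm(entry["vendorProject"]) != _norm(asset["vendor"]):
        return False
    a, b = _norm(entry["product"]), _norm(asset["product"])
    return a in b or b in a


def prioritize(kev: dict, inventory: list[dict], today: date) -> list[dict]:
    """One work item per (asset, KEV entry) match, most urgent first:
    known ransomware use before everything else, then earliest CISA due date."""
    items = []
    for entry in kev["vulnerabilities"]:
        for asset in inventory:
            if not _matches(entry, asset):
                continue
            due = date.fromisoformat(entry["dueDate"])
            items.append({
                "host": asset["host"],
                "cve": entry["cveID"],
                "product": f'{entry["vendorProject"]} {entry["product"]}',
                "ransomware": entry.get("knownRansomwareCampaignUse") == "Known",
                "due": due,
                "overdue": due < today,
            })
    items.sort(key=lambda i: (not i["ransomware"], i["due"], i["host"]))
    return items


if __name__ == "__main__":
    for item in prioritize(SAMPLE_KEV, SAMPLE_INVENTORY, date(2023, 11, 1)):
        flag = "OVERDUE" if item["overdue"] else "due " + item["due"].isoformat()
        print(f'{item["host"]:22} {item["cve"]:16} {flag:16} ransomware={item["ransomware"]}')
```

The output is a work queue, not a vulnerability scan: it tells you which assets CISA already knows attackers are exploiting and in what order to fix them, which is the prioritization the section above calls for.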

Deploy Endpoint Detection and Response (EDR)

Traditional antivirus relies on signatures of known malware, so a freshly compiled or repacked sample sails past it. EDR tools watch endpoint behavior in real time: a Word document spawning PowerShell, a process deleting volume shadow copies, hundreds of files renamed in under a minute. Those patterns give away malware whose hash has never been seen. In 2025, if you're still running basic antivirus without behavioral analysis, you're fighting with a wooden shield.
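What "behavioral analysis" means in practice, as an added example (not the post's code and not any vendor's detection content): a few rules run over a constructed stream of process-creation and file-rename events in a JSON-lines shape loosely modelled on Sysmon/EDR telemetry. None of the rules knows a file hash; each keys on what a process does, which is why they still fire on a sample nobody has seen before. Thresholds, hostnames and command lines are illustrative.

```python
"""Behaviour-based detection over process-creation and file-rename telemetry.

Added example, not from the original post and not any vendor's detection
logic. The event format is constructed (loosely modelled on Sysmon/EDR
telemetry); thresholds and sample events are illustrative.
"""
import json
import re
from collections import defaultdict

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe"}
# Encoded command lines and the classic PowerShell download cradles.
CRADLE_RE = re.compile(r"-enc(odedcommand)?\s|\biex\b|invoke-expression|downloadstring|frombase64string", re.I)
# Shadow-copy and recovery tampering that typically precedes encryption.
TAMPER_RE = re.compile(
    r"vssadmin(\.exe)?\s+delete\s+shadows|wbadmin(\.exe)?\s+delete\s+catalog|bcdedit.*recoveryenabled\s+no", re.I)
RENAME_THRESHOLD = 20   # file renames by one process ...
RENAME_WINDOW = 60      # ... within this many seconds

# Constructed telemetry (JSON lines). Backslashes are JSON-escaped inside a raw string.
SAMPLE_JSONL = r"""
{"type": "process_create", "ts": 50, "host": "ws-02", "pid": 900, "parent_image": "C:\\Windows\\explorer.exe", "image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe", "cmdline": "firefox.exe"}
{"type": "process_create", "ts": 100, "host": "ws-17", "pid": 4120, "parent_image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "cmdline": "powershell.exe -nop -w hidden -enc QQBCAEMA"}
{"type": "process_create", "ts": 101, "host": "ws-17", "pid": 4130, "parent_image": "C:\\Windows\\System32\\cmd.exe", "image": "C:\\Windows\\System32\\vssadmin.exe", "cmdline": "vssadmin.exe delete shadows /all /quiet"}
"""


def parse_jsonl(text: str) -> list[dict]:
    return [json.loads(line) for line in text.splitlines() if line.strip()]


# 25 renames to a ransomware-style extension by the same process, one per second.
SAMPLE_EVENTS = parse_jsonl(SAMPLE_JSONL) + [
    {"type": "file_rename", "ts": 102 + i, "host": "ws-17", "pid": 4120,
     "path": f"C:\\Users\\alice\\Documents\\q{i}.xlsx.locked"}
    for i in range(25)
]


def _image_name(path: str) -> str:
    """Executable name from a Windows or POSIX path, lower-cased."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def detect(events: list[dict]) -> list[tuple[str, str, int]]:
    """Return (rule, host, pid) alerts. Events must be in time order."""
    alerts = []
    rename_times = defaultdict(list)   # (host, pid) -> recent rename timestamps
    fired = set()                      # rate rules fire once per process
    for ev in events:
        key = (ev["host"], ev["pid"])
        if ev["type"] == "process_create":
            parent, child = _image_name(ev["parent_image"]), _image_name(ev["image"])
            if parent in OFFICE_APPS and child in SCRIPT_HOSTS:
                alerts.append(("office_app_spawns_script_host", *key))
            if child == "powershell.exe" and CRADLE_RE.search(ev["cmdline"]):
                alerts.append(("powershell_encoded_or_download_cradle", *key))
            if TAMPER_RE.search(ev["cmdline"]):
                alerts.append(("backup_recovery_tampering", *key))
        elif ev["type"] == "file_rename":
            times = rename_times[key]
            times.append(ev["ts"])
            # Keep only renames inside the sliding window.
            rename_times[key] = times = [t for t in times if ev["ts"] - t <= RENAME_WINDOW]
            tag = ("mass_file_rename", *key)
            if len(times) >= RENAME_THRESHOLD and tag not in fired:
                fired.add(tag)
                alerts.append(tag)
    return alerts


if __name__ == "__main__":
    for rule, host, pid in detect(SAMPLE_EVENTS):
        print(f"{host} pid={pid}: {rule}")
```

The mass-rename rule is the one that matters most for ransomware and the one signature tools cannot express: no single rename is malicious, only the rate is. Tune `RENAME_THRESHOLD` against your own backup and indexing software before enabling it in blocking mode.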

Segment Your Network

If malware gets into one system, network segmentation keeps it from reaching everything else. Flat networks, where every device can talk to every other device, are a ransomware operator's dream, because lateral movement over SMB and RDP is how a single infected workstation becomes a domain-wide encryption event. Segment by function, sensitivity, and access need, and block workstation-to-workstation SMB and RDP outright; very few legitimate workflows need it.

Back Up and Test Your Backups

Backups are your last line of defense against ransomware. Follow the 3-2-1 rule: three copies, two different media types, one offsite. Keep at least one copy offline or immutable, because ransomware operators routinely locate and delete every backup reachable from a domain admin account before they encrypt anything. But here's what most organizations miss: test your restores regularly. I've seen companies discover their backup tapes were corrupt only after they desperately needed them.
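Testing a restore is scriptable, so there is no excuse for skipping it. This added example (not from the post) backs up a constructed directory tree into a tar archive with a SHA-256 manifest, restores it into a scratch directory and compares every file's hash against the manifest, then flips bytes in the middle of the archive to show the same check catching silent media rot. The files and paths are constructed, and the temporary directories are created and removed by the script itself.

```python
"""Create a backup with a SHA-256 manifest and verify it by performing a real restore.

Added example, not from the original post. The source tree, file contents and
the simulated media corruption are all constructed inside temporary directories.
"""
import hashlib
import json
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def create_backup(source: Path, archive: Path) -> dict:
    """Tar the source tree and write a manifest {relative_path: sha256} beside it."""
    manifest = {}
    with tarfile.open(str(archive), "w:gz") as tar:
        for p in sorted(source.rglob("*")):
            if p.is_file():
                rel = p.relative_to(source).as_posix()
                manifest[rel] = sha256_file(p)
                tar.add(str(p), arcname=rel)
    (archive.parent / (archive.name + ".manifest.json")).write_text(
        json.dumps(manifest, indent=2, sort_keys=True))
    return manifest


def verify_restore(archive: Path, manifest: dict) -> list[str]:
    """Restore into a scratch directory and return a list of problems (empty = OK)."""
    problems = []
    with tempfile.TemporaryDirectory() as scratch:
        try:
            with tarfile.open(str(archive), "r:gz") as tar:
                try:
                    tar.extractall(scratch, filter="data")  # rejects traversal entries
                except TypeError:                           # Python without the filter arg
                    tar.extractall(scratch)
        except Exception as exc:  # truncated or bit-rotted media surfaces here
            return [f"archive unreadable: {type(exc).__name__}: {exc}"]
        restored = Path(scratch)
        for rel, expected in manifest.items():
            p = restored / rel
            if not p.is_file():
                problems.append(f"missing after restore: {rel}")
            elif sha256_file(p) != expected:
                problems.append(f"hash mismatch after restore: {rel}")
    return problems


def demo() -> tuple[list[str], list[str]]:
    """Back up a constructed tree, verify it, then simulate corruption on the medium."""
    with tempfile.TemporaryDirectory() as tmp:
        source = Path(tmp) / "finance"
        (source / "2024").mkdir(parents=True)
        (source / "2024" / "ledger.csv").write_text("date,amount\n2024-01-02,100\n")
        (source / "policy.txt").write_text("3-2-1: three copies, two media, one offsite\n")
        archive = Path(tmp) / "finance.tar.gz"
        manifest = create_backup(source, archive)
        clean = verify_restore(archive, manifest)
        # Simulated bit rot: invert 64 bytes in the middle of the compressed stream.
        data = bytearray(archive.read_bytes())
        mid = len(data) // 2
        for i in range(mid, min(mid + 64, len(data))):
            data[i] ^= 0xFF
        archive.write_bytes(bytes(data))
        corrupt = verify_restore(archive, manifest)
    return clean, corrupt


if __name__ == "__main__":
    clean, corrupt = demo()
    print("fresh backup:", "OK" if not clean else clean)
    print("corrupted backup:", corrupt)
```

The important design choice is that verification performs an actual extraction rather than just reading the archive's own checksums: a backup that lists correctly but will not restore is exactly the failure the tape story above describes. Store the manifest somewhere the backup job cannot overwrite it, otherwise a compromised backup server can rewrite both.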

What Should You Do If You're Infected With Malware?

This is the question I get most often, so here's a direct answer designed to help when it matters most:

  • Isolate the affected systems immediately. Disconnect from the network, wired and wireless. Don't power off if you can avoid it; you may lose forensic evidence in volatile memory. If a device cannot be isolated and encryption is visibly in progress, powering it down to stop the spread is the lesser evil.
  • Notify your incident response team. If you don't have one, this is the moment you realize you needed one. Engage legal counsel early — attorney-client privilege matters in breach investigations.
  • Identify the malware type. Ransomware, trojan, wiper — each requires a different response. Your EDR console or security vendor can help with initial identification.
  • Do not pay a ransom without consulting law enforcement and legal counsel. The FBI advises against payment because it funds criminal operations and doesn't guarantee data recovery.
  • Preserve evidence. Forensic images of affected systems, network logs, email headers — all of it. You'll need this for law enforcement, insurance claims, and regulatory reporting.
  • Report the incident. File a report with the FBI's IC3 at ic3.gov. If you're in a regulated industry, check your notification obligations under HIPAA, PCI DSS, state breach notification laws, or GDPR.
  • Conduct a post-incident review. How did the malware get in? What detection failed? What process broke down? Use this to improve — not to blame.

The $4.88M Lesson Most Organizations Learn Too Late

Every malware incident I've investigated shares a common thread: it was preventable. Not with a single product. Not with a bigger budget. With layers — patching, training, MFA, segmentation, detection, and response planning working together.

Security awareness is the foundation. When your employees can recognize a phishing email, question an unexpected attachment, or report a suspicious login prompt, they're doing more to stop malware than any single technology investment. That's why I recommend starting with practical, role-relevant training that builds real skills — not checkbox compliance.

Start your team with cybersecurity awareness training at computersecurity.us, and layer on targeted phishing simulation training to test and reinforce those skills in realistic scenarios.

Malware isn't going away in 2025. The threat actors are more organized, the tools are more sophisticated, and the attack surface keeps expanding. But the organizations that invest in their people, their processes, and their defenses don't just survive — they make attackers move on to easier targets.

Be the harder target.