Virus, Ransomware and Malware: The Differences Explained

When it comes to cybersecurity, some terms are often used interchangeably, which can be confusing. The first malware attacks were often referred to as viruses. Similarly, the first cybersecurity products were often presented as antivirus solutions, reinforcing the idea that viruses are the major cyberthreat. However, over the last few decades, the strategies used by cybercriminals have evolved greatly, resulting in new types of malicious software with different delivery methods, goals and effects on your systems.

Understanding the differences between viruses, malware and ransomware can help you identify the risk early, put in place the right prevention measures for different scenarios and avoid data loss.

Say no to ransoms with NAKIVO

Use backups for fast data recovery after ransomware attacks. Multiple recovery options, immutable local and cloud storage, recovery automation features and more.

What Is Malware?

Malware, short for “malicious software”, is the umbrella term for any software deliberately designed to damage, disrupt or gain unauthorized access to a device or its data. When talking about cybersecurity in general, malware is the broadest term and fits most contexts. Ransomware and viruses are two types of malware. Other types of malware include:

  • Spyware silently records activity on a device and collects data such as usernames, passwords, card numbers and browsing history, which the attacker later uses for fraud or to break into other systems.
  • Bots are malware that connects compromised machines to a command-and-control server. The resulting network of machines is a botnet. Botnets can remain undetected even when they include millions of devices. Using the resources of the infected machines, botnet operators send phishing messages and spam, steal personal information and run distributed denial-of-service (DDoS) attacks.
  • Rootkits give an attacker privileged, persistent access to a device while hiding their presence from the user and from security tools. Once installed, a rootkit can change the system configuration and download other malicious files.
  • Worms are programs that spread between computers on a network by themselves, without a host file and without user interaction, usually by exploiting a vulnerability in a network service. Worms can delete or modify information, steal data or install additional malware. Worm-style propagation is still very much in use: WannaCry and NotPetya, described later in this article, spread this way.
  • Trojan Horses, unlike worms, do not spread by themselves. They are malware disguised as a legitimate file or program and rely on the user running them. Trojans mainly spread through phishing, but that is not the only way: a common variant is a fake antivirus pop-up on a website offering to “protect” the device. Once installed, a trojan typically gives the attacker remote access, enabling spying and data modification.
  • Adware is malware in the form of the well-known pop-ups. It usually comes bundled with free games or pirated software. Sometimes, the only harm it does is slowing down the machine; in other cases, it also installs spyware.
  • Fileless malware runs directly in memory and abuses trusted, already-installed tools such as PowerShell, WMI or the Windows script hosts rather than dropping its own executable. Because it leaves little or nothing on disk, it is harder for file-based scanners to detect.

Viruses and ransomware, however, are two of the most widely known types, which is why they are so often confused with each other and with malware in general.

What Is a Virus?

A virus is malicious code that attaches itself to a legitimate program or file and replicates by inserting copies of itself into other programs or files when the infected host is run. Because it needs a host, a virus usually starts running without the user’s knowledge the moment the user opens an infected file or program. Viruses can corrupt data, damage a device and interfere with its performance, up to formatting the hard drive. Some viruses can replicate and spread across a local network. Even a simple virus can noticeably slow down a system by consuming memory and CPU and cause frequent crashes.

How do viruses spread?

Even careful system administrators and users who take precautions against malware have probably been exposed to a virus at some point. Viruses spread in various ways. A virus can get into an environment’s network through everyday activities like:

  • Exchanging data between devices
  • Visiting infected websites (a drive-by download can infect a device without the user deliberately downloading anything, typically by exploiting an unpatched browser or plugin)
  • Downloading pirated software, torrents or other “free” programs from untrusted sources
  • Using external storage devices (like USB drives) that were previously connected to an infected computer
  • Opening infected email attachments

Viruses: myths and facts

Myth 1: You’ll definitely know when your computer gets infected.

Fact: Malware often spreads undetected. That’s why you won’t always be able to tell whether a device is infected.

Myth 2: Credible websites don’t contain viruses and other malware.

Fact: Attackers can place malicious ads on reputable websites (malvertising). If the browser or a plugin has an unpatched vulnerability, merely loading such an ad, without clicking it, can install malware. Even the most well-known websites have been compromised to serve malware.

Myth 3: Apple devices are safe from viruses.

Fact: This is a deeply rooted misconception because any device can get infected, whether running macOS or another OS. Hackers refine their programs to penetrate any system and environment.

Myth 4: Emails from credible sources can’t be infected. It’s always safe to open email attachments from trusted sources.

Fact: Even when an email comes from a trusted source (colleague, friend, etc.), there is no guarantee that it is safe. Malware running on a compromised machine or account can mail itself to everyone in the contact list, so the message really does come from the trusted address. If an attachment is unexpected or looks suspicious, confirm with the sender through another channel before opening it.

Myth 5: When there isn’t any critical data on a computer, malicious software is not a threat.

Fact: Even if a device stores no critical data, malware still poses a threat. Not all malware is after your data: it may harvest the contact list to send spam, use the machine’s memory and CPU (for example, as part of a botnet), or use the device as a stepping stone into the rest of the network.

Myth 6: Firewalls offer complete virus protection.

Fact: Firewalls filter network traffic and restrict unauthorized access, but malware can still reach a device through channels the firewall allows (email, web browsing, removable media) and spread through the network from there.

What Is a Ransomware Virus?

Strictly speaking, there is no such term as “ransomware virus”. Unlike a virus, ransomware does not generally self-replicate by infecting other files, although some families add a worm component to spread between machines (WannaCry and NotPetya, described below, did), and criminals can use viruses or other malware as part of a more complex ransomware attack. Ransomware relies on encryption, one of the most effective security technologies, originally created to protect data. Encryption transforms data into an unreadable form that can only be restored with the matching decryption key, and the attacker keeps that key.

Attackers demand that victims pay a ransom, usually in Bitcoin, to obtain the decryption key and regain access to their files. However, not all ransomware attacks aim for financial gain. With ransomware wipers such as NotPetya, the goal is disruption or data destruction: the ransom demand is a pretense, the wallet addresses or contact channels may be fake or dead, the sum may be unrealistic, and no working decryption key exists.

Naturally, companies are afraid of lost trust and reputational damage. So, paying the ransom seems like a quick solution to resolve the situation. However, paying the ransom never guarantees regaining access to your systems.
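To make the key handling concrete, here is an added example; it is not code from the original article or from any real ransomware family. It models how crypto ransomware arranges things so that the decryption key never exists on the victim’s machine: the attacker’s public Diffie-Hellman value is embedded in the malware (an assumption of this model; real families use RSA or elliptic-curve keys, and AES or ChaCha20 instead of the toy SHA-256 keystream used here). Each file gets a fresh ephemeral key, the ephemeral private value is discarded, and only its public half is stored beside the ciphertext. The demo() function walks through the three outcomes the article describes: guessing a key fails, the attacker can decrypt, and a backup copy recovers the file without any key at all.

```python
import hashlib
import secrets

# Fixed Diffie-Hellman group: the 1024-bit MODP prime from RFC 2409 (group 2)
# with generator 2, as transcribed here. Assumption of this model: the attacker's
# public value is embedded in the malware. Real families use RSA or elliptic-curve
# keys and AES/ChaCha20 for the files; the key-handling structure is the same.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF",
    16,
)
G = 2


def stream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR the data with a SHA-256 counter keystream.
    Acceptable here only because every file gets its own fresh key."""
    out = bytearray()
    for off in range(0, len(data), 32):
        block = hashlib.sha256(key + (off // 32).to_bytes(8, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[off:off + 32], block))
    return bytes(out)


def generate_attacker_keypair() -> tuple:
    """Long-term key pair. Only the public value ever leaves the attacker's side."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def shared_to_file_key(shared: int) -> bytes:
    """Derive a 256-bit file key from the DH shared secret."""
    return hashlib.sha256(shared.to_bytes(128, "big")).digest()


def encrypt_file(attacker_pub: int, plaintext: bytes) -> tuple:
    """Victim-side step the malware performs for every file.

    A fresh ephemeral DH key is generated, the file key is derived from the
    shared secret, and the ephemeral private value is thrown away. What stays
    on disk is (eph_pub, ciphertext): nothing there yields the file key
    without the attacker's private value.
    """
    eph_priv = secrets.randbelow(P - 2) + 1
    eph_pub = pow(G, eph_priv, P)
    file_key = shared_to_file_key(pow(attacker_pub, eph_priv, P))
    return eph_pub, stream_xor(file_key, plaintext)


def attacker_decrypt(attacker_priv: int, eph_pub: int, ciphertext: bytes) -> bytes:
    """Attacker-side step: recompute the shared secret from the stored eph_pub."""
    file_key = shared_to_file_key(pow(eph_pub, attacker_priv, P))
    return stream_xor(file_key, ciphertext)


def demo() -> dict:
    """One file: encrypt it, try to recover without the key, recover from backup."""
    attacker_priv, attacker_pub = generate_attacker_keypair()
    original = b"Q3 payroll export, do not share\n" * 40   # constructed sample file
    backup_copy = bytes(original)                           # offline copy taken earlier

    eph_pub, encrypted = encrypt_file(attacker_pub, original)

    wrong_priv, _ = generate_attacker_keypair()             # a guessed key is useless
    guess = attacker_decrypt(wrong_priv, eph_pub, encrypted)
    paid = attacker_decrypt(attacker_priv, eph_pub, encrypted)  # only if the attacker cooperates

    return {
        "ciphertext_differs": encrypted != original,
        "guess_recovers": guess == original,
        "backup_recovers": backup_copy == original,
        "attacker_can_decrypt": paid == original,
    }


if __name__ == "__main__":
    print(demo())
```

Run the script directly to print the four outcomes. The point of the structure is that a victim-side forensic search finds only eph_pub and ciphertext; the cases where free decryptors have appeared are the ones where a family got this wrong, for example by leaving the file key in memory or on disk, or by deriving it from a predictable source.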

Instead of financing attackers and wondering whether you will regain access to your data, a much better approach is to back up your workloads. The best approach to ransomware protection is a 3-2-1 backup plan that includes immutable and air-gapped backups: keep at least three (3) copies of your data, on two (2) different types of media, with one (1) copy offsite. Immutable copies cannot be modified or deleted by ransomware that reaches the backup storage, and an air-gapped copy is not reachable over the network at all. With such a plan, recovery after a ransomware attack is fast and does not depend on the attacker.

How does ransomware spread?

Some of the most common ways that ransomware spreads are:

  • Phishing emails are spam emails that include a malicious attachment or link. Once the attachment or link is opened, ransomware is downloaded on the machine. Sometimes the sender of the email can be someone in your contacts.
  • Links in messages on social media can contain a malicious link that can activate ransomware on a device.
  • Malicious websites can lead to ransomware deployment after you visit them. This is common on streaming video platforms and other free-content websites.
  • Additional malware is pushed to devices that already belong to a botnet (a network of compromised machines under an attacker’s control). Access to infected machines is sold or rented, and the device is then infected with further malicious software; the TrickBot-to-Ryuk chain described later in this article is an example.

Ransomware: myths and facts

Myth 1: Ransomware attacks businesses and not individuals.

Fact: Ransomware doesn’t differentiate. Both individuals and businesses can be targets of ransomware attacks.

Myth 2: You always get data back after paying the ransom.

Fact: There is no guarantee of recovery. Some victims who pay receive no key at all; others receive a buggy decryptor that restores only part of their data. Paying the ransom seems like an easy and fast way to make the problem go away, but it finances cybercrime and gives attackers an incentive to carry out more attacks, with no assurance that you will get working decryption keys.

Myth 3: Ransomware can’t encrypt backups.

Fact: While regular backups are the best way to protect your data, there’s a risk that these backups could include infected workloads, or could be encrypted or deleted by the attacker, who typically hunts for backup servers and repositories before triggering encryption. To mitigate these risks, run regular malware scans, follow the 3-2-1 backup rule, and apply security measures such as encryption, immutability and role-based access control to backup data. Comprehensive solutions like NAKIVO Backup & Replication enable you to address these risks with backup, disaster recovery and ransomware protection capabilities, all from a single pane of glass.

Ransomware vs. malware vs. virus

Classification
  • Malware: a general term for any malicious software.
  • Ransomware: a type of malware.
  • Virus: a type of malware.

Attacker’s goal
  • Malware: causes a wide range of damage to a computer, depending on the type.
  • Ransomware: blocks access to data (or the whole system) until a ransom is paid, or, in the case of wipers, simply destroys the data.
  • Virus: malicious code attached to a host program or file; its payload ranges from harmless to formatting a hard drive.

Impact on the system
  • Malware: steals data, takes control of the machine, consumes its resources, destroys the system, etc.
  • Ransomware: encrypts files (crypto ransomware), locks the screen or system (locker) or threatens to publish stolen data (doxware).
  • Virus: damages the device, corrupts data, degrades performance, etc.

Variety
  • Malware: worms, spyware, rootkits, trojans, ransomware, etc.
  • Ransomware: three most common types: crypto, locker and doxware.
  • Virus: file infector, macro virus, polymorphic virus, etc.

Delivery method
  • Malware: depending on the type, spreads through email, software installation, web browsing, exploitation of vulnerabilities, etc. Some types need a user action to run, others infect a system with no user input at all.
  • Ransomware: mainly malicious attachments and links in phishing emails or social media messages, and, as the WannaCry and NotPetya cases below show, unpatched network services.
  • Virus: spreads when infected files are downloaded or exchanged or infected websites are visited; it runs when the user opens the infected host.

Prevention and removal
  • Malware: following basic security hygiene and backing up data is the best defence; removal depends on the type.
  • Ransomware: one of the hardest types to undo after the fact. The best “cure” is prevention plus backups kept out of the attacker’s reach.
  • Virus: antivirus software is one of the most common and effective ways to detect and remove viruses.

How to avoid ransomware, viruses and other threats?

After learning the differences between the types of malware, the first question that comes to mind is: Can a malware attack be prevented? There are multiple ways a user can secure a device from getting infected. The best solution is to follow basic cybersecurity rules:

  • Install antivirus/antimalware and firewall protection, and keep it up to date.
  • Update your operating system and applications promptly; WannaCry and NotPetya (described below) hit systems that were missing a patch available for months.
  • Harden your browser security settings and block pop-ups.
  • Avoid opening messages and emails from unknown senders.
  • Don’t open suspicious attachments, links or websites.
  • Evaluate free programs, files and software before downloading, and download only from the vendor’s site or an official store.
  • Use a strong, unique password for each account (a password manager helps) and enable multi-factor authentication wherever it is offered. Replace a password as soon as a breach is suspected; rotating it on a fixed schedule adds little on its own.

Sticking to these rules minimizes the risk of having malicious software infect a device. However, nothing can guarantee 100% security. That’s why it is crucial to back up your data in multiple locations, preferably sticking to the 3-2-1 backup plan that includes immutable, encrypted and air-gapped backups. This way, even in case of a ransomware attack, you will be able to restore your data with a few clicks.

How to detect malware?

Another frequent question is how to determine whether a computer or a network has been infected. A computer might be infected if you experience some of the following issues:

  • Slow computer performance and frequent crashes
  • Unstable computer behavior (a computer sends messages or spam emails without the user’s involvement, or opens/closes programs, etc.)
  • Unexplained data loss
  • Pop-ups and other messages displayed on your screen
  • Blue screen of death (BSOD)

The best approach, however, is to use comprehensive malware detection software that combines multiple detection methods with machine learning. Such solutions can scan your system for known virus signatures or identify similar code patterns, monitor systems for unusual activities and run sandbox tests with suspicious files.
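As an added example (not code from the original article or from any product), the following Python script shows the “unusual activity” detection the paragraph mentions in its simplest form: it scores each file write by Shannon entropy and by a ransom-style file extension, then raises an alert when many such writes land in a short time window. The events, thresholds and extension list are constructed for the demo; in a real deployment the events would come from a file-system audit source (Sysmon, auditd or an EDR agent) and the thresholds would be tuned per host, because compressed archives and legitimately encrypted files are also high-entropy.

```python
import hashlib
import math
import os
from collections import Counter

HIGH_ENTROPY_BITS = 7.0      # random or encrypted data approaches 8 bits per byte
RANSOM_EXTENSIONS = {".locked", ".encrypted", ".crypt", ".wncry"}  # illustrative list
WINDOW_SECONDS = 10.0
BURST_THRESHOLD = 5          # suspicious writes within one window needed for an alert


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: roughly 4-5 for English text, close to 8.0 for ciphertext."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def is_suspicious_write(path: str, content: bytes) -> bool:
    """A single write looks like ransomware output if the data is near-random
    or the file carries a known ransom extension."""
    ext = os.path.splitext(path)[1].lower()
    return ext in RANSOM_EXTENSIONS or shannon_entropy(content) >= HIGH_ENTROPY_BITS


def max_burst(events, window: float = WINDOW_SECONDS) -> int:
    """Largest number of suspicious writes inside any sliding time window.
    events: iterable of (timestamp_seconds, path, content) tuples."""
    times = sorted(ts for ts, path, content in events if is_suspicious_write(path, content))
    best, left = 0, 0
    for right, ts in enumerate(times):
        while ts - times[left] > window:
            left += 1
        best = max(best, right - left + 1)
    return best


def ransomware_alert(events) -> bool:
    """True when a burst of suspicious writes exceeds the threshold."""
    return max_burst(events) >= BURST_THRESHOLD


def pseudo_random_bytes(seed: bytes, size: int) -> bytes:
    """Deterministic stand-in for ciphertext (chained SHA-256) so the sample is reproducible."""
    out, block = bytearray(), seed
    while len(out) < size:
        block = hashlib.sha256(block).digest()
        out.extend(block)
    return bytes(out[:size])


def sample_benign_events() -> list:
    """Constructed: an application appending low-entropy log lines over a minute."""
    line = b"2024-05-13 10:00:00 INFO request served in 12 ms\n"
    return [(float(t), "/var/log/app.log", line * 50) for t in range(0, 60, 6)]


def sample_attack_events() -> list:
    """Constructed: the same host, then eight documents rewritten as random bytes
    with a ransom extension within about three seconds."""
    attack = [
        (100.0 + i * 0.4, "/home/user/docs/report%d.docx.locked" % i,
         pseudo_random_bytes(b"file%d" % i, 4096))
        for i in range(8)
    ]
    return sample_benign_events() + attack


if __name__ == "__main__":
    for name, events in (("benign", sample_benign_events()), ("attack", sample_attack_events())):
        print(name, "max burst:", max_burst(events), "alert:", ransomware_alert(events))
```

Entropy alone produces false positives on archives, media and encrypted containers, and extension matching misses families that keep the original names; the rate-of-change window is what ties them together, since ordinary users do not rewrite hundreds of documents as random bytes in a few seconds. Real products combine this with canary files and with checks on the process doing the writing.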

How to remove malware?

Detecting and removing malware can be a complicated task. Unless you are a professional, it is easy to miss some elements and get it wrong. Additionally, it is hard to say if malware modified the system to an extent where reversing the damage has become impossible. A typical procedure for removing malware is:

  • Run antimalware software to scan for threats.
  • Once malware is detected, quarantine or delete the infected files.
  • If this can’t be done automatically, contact your security vendor’s support for assistance.
  • If the system cannot be cleaned reliably, wipe the drive and reinstall the operating system, then recover data from backups (some backup solutions, including NAKIVO Backup & Replication, can scan backups for malware before recovery) and reinstall programs as needed.
  • Analyze how a computer got infected to prevent malware attacks in the future.
  • Take time to inform all users of cybersecurity rules.

If some of your files are encrypted as a result of a ransomware attack, do the following:

  • If the infected computer is connected to a network, unplug it or switch off Wi-Fi immediately so the ransomware cannot reach shares and other machines.
  • Take a picture of the ransom note or lock screen displayed on the monitor. It helps identify the ransomware family, and for some families free decryptors exist.
  • Never pay the ransom.
  • Boot from read-only media with antimalware software, scan all disks of the computer and remove the malware.
  • Keep a copy of the encrypted files and the ransom note before wiping the machine: if a decryptor for that family is released later, you can still recover them.
  • If anything goes wrong, contact a specialized technician.

The Most Damaging Malware

MyDoom

Cyberattacks don’t result only in data corruption and computer damage but also in significant financial losses. One of the most expensive cyber attacks was caused by the malware MyDoom, which resulted in an estimated $38 billion of damage. Technically, MyDoom, also known as Novarg, is a worm that spreads through phishing emails.

The severity of the attack was the result of the sheer volume of email sent. At one point in 2004, MyDoom was responsible for sending out a quarter of all emails. After infecting computers, MyDoom took all of the email lists and sent copies of itself around. The infected computers then formed a botnet to perform DDoS attacks.

MyDoom is still circulating. Even 16 years after its creation, MyDoom still sends more than a billion emails with a copy of itself. The creator of this worm was never found, even though a reward of $250,000 was offered for finding the attacker(s).

ILOVEYOU

The creation of this malware was a turning point, or better said, a point of no return. ILOVEYOU (2000) was one of the first large-scale attacks conducted through email. The worm infected an estimated 50 million computers in 10 days, with damage estimated at around $15 billion. It arrived as an email that looked like a love letter with an attachment named LOVE-LETTER-FOR-YOU.TXT.vbs; when the victim opened it, the worm mailed a copy of itself to every address in the victim’s Outlook address book and overwrote files on the disk with copies of itself.

The worm was written by Onel de Guzman, a college student in the Philippines. He has said he could not afford internet access and originally wrote the code to steal other users’ dial-up passwords; he did not expect it to spread the way it did. At the time, the Philippines had no law against cybercrime, so de Guzman was never prosecuted. Now 44, he lives in Manila and has said he regrets creating ILOVEYOU.

WannaCry

WannaCry first appeared in 2017. This ransomware infected more than 200,000 computers in around 150 countries, causing more than $4 billion in damage. WannaCry caused massive losses not only for businesses and individuals but also for governmental institutions and hospitals. The hackers demanded a ransom of $300 in bitcoins. Later the ransom was increased to $600.

The malware took advantage of a vulnerability in Microsoft’s implementation of the Server Message Block (SMBv1) protocol, using the EternalBlue exploit. Microsoft had released a security patch (MS17-010) two months before the attack; systems that had not been updated, or that still ran unsupported Windows versions, were exposed. Disabling SMBv1 and blocking port 445 at the network perimeter remain standard checks.

NotPetya (ExPetr)

The 2017 cyberattack known as NotPetya, attributed to Russia, stands out as one of the most devastating ransomware attacks to date. It took only 45 seconds to bring down the network of a large Ukrainian bank, and it affected over 2,000 organizations worldwide, including industry giants like Maersk, Merck, the FedEx subsidiary TNT Express and Mondelez. The estimated cost of the damage surpassed $10 billion, and the actual losses were likely higher. Maersk, for example, needed 10 days and 600 staff to rebuild its network, with full recovery taking months.

Reportedly aimed at Ukraine, NotPetya was a ransomware wiper designed for disruption and destruction rather than financial gain. It spread using the EternalBlue SMB exploit (developed by the NSA and leaked by the Shadow Brokers group), which WannaCry had used earlier that year, together with a credential-stealing component based on Mimikatz, an open-source tool that extracts passwords from Windows memory; the stolen administrator credentials let it move laterally even to machines that had been patched. Unlike earlier Petya versions, which required user interaction to infect a system, NotPetya reached its initial victims through a compromised update of the Ukrainian accounting software M.E.Doc and then spread across networks automatically within seconds.

Ryuk

One of the first high-profile Ryuk attacks, on Tribune Publishing in 2018, disrupted printing at several major newspapers, including the New York Times and the Wall Street Journal, delaying deliveries for several days. Later, the group known as Wizard Spider used Ryuk against large government, healthcare, education and manufacturing organizations around the globe. Ryuk has been associated with some of the largest ransoms demanded, up to $12.5 million, and total attacker proceeds were estimated at $150 million by 2021.

Ryuk typically enters via phishing emails that deliver a TrickBot infection (often via Emotet), which the attackers use to map the network and steal credentials before deploying Ryuk by hand on the most valuable systems. Ryuk has also been offered as ransomware as a service (RaaS) on the darknet: the developers lease it to other criminals and take a percentage of each ransom paid.

ShrinkLocker

Overview of ShrinkLocker

ShrinkLocker is a new ransomware strain discovered by Kaspersky in May 2024. This ransomware exploits the Windows encryption feature BitLocker to lock users out of their devices without any recovery options.

How ShrinkLocker exploits Windows BitLocker

ShrinkLocker is written in VBScript, a scripting language for Windows that Microsoft has deprecated. After entering the system, it first identifies the Windows version and either exits on old releases it does not target (2000, 2003, XP, Vista) or runs the part of its code written for that specific version.

ShrinkLocker abuses BitLocker to encrypt the drives and then removes the default protectors (TPM, PIN, startup key, recovery password, etc.), leaving victims with no built-in way to unlock the encrypted volumes. The script generates the new BitLocker password itself and sends it to an attacker-controlled host reached through TryCloudflare, Cloudflare’s legitimate tunnelling tool for developers, so the key exists only on the attacker’s side. The name comes from the script using diskpart to shrink the existing partitions and create new boot partitions. After a successful attack, ShrinkLocker deletes its own files and clears the PowerShell event logs to evade detection.

This is not the first time ransomware has used BitLocker to encrypt data, but the new strain went further to maximize damage and hinder detection. Microsoft has announced that device encryption with BitLocker will be enabled by default on Windows 11 24H2, which increases the potential pool of victims. Practical counter-measures are to restrict who can run manage-bde, diskpart and script interpreters (BitLocker changes require administrator rights), to alert on script execution and on BitLocker protectors being removed, and to forward PowerShell and system logs to a central collector that malware on the endpoint cannot clear.

Examples of ShrinkLocker attacks

So far, this ransomware has hit steel and vaccine manufacturers in Mexico, Jordan and Indonesia. The attackers leave no ransom note file and make their contact email address deliberately hard to find, which suggests that they aim at disruption rather than at the ransom itself.

Conclusion

Cybersecurity is one of the most critical challenges today. Viruses and ransomware, together with other types of malware, pose a severe threat to data integrity and security. The best solution for avoiding attacks is following the general rules of cybersecurity. To avoid a long process of recovery and rebuilding a system from scratch, back up your data.

The NAKIVO solution’s advanced functionality helps you establish a comprehensive approach to data backup, recovery and security. Find the best solution to meet your needs with NAKIVO Backup & Replication.

Try NAKIVO Backup & Replication

Get a free trial to explore all the solution’s data protection capabilities. 15 days for free. Zero feature or capacity limitations. No credit card required.
