How malware gets onto your devices, how it behaves, and how to get rid of it.
What Is Malware
Malware is any software written to harm you, your data, or your device. The word is an umbrella over a long list of categories that overlap in messy ways.
| Malware Type | What It Does | Impact |
|---|---|---|
| Virus | Attaches to files, spreads when executed | Corrupts files, spreads to others |
| Worm | Self-replicates across networks | Consumes resources, spreads rapidly |
| Trojan | Disguises as legitimate software | Provides attacker access |
| Ransomware | Encrypts files, demands payment | Loss of data, financial extortion |
| Spyware | Monitors your activity | Privacy invasion, credential theft |
| Adware | Displays unwanted advertisements | Annoyance, performance impact |
| Keylogger | Records keystrokes | Captures passwords, messages |
| Rootkit | Hides deep in system | Persistent, hard to detect |
| Cryptominer | Uses your computer to mine cryptocurrency | Slows system, increases power bill |
How Malware Spreads
| Vector | Example | Prevention |
|---|---|---|
| Email attachments | "Invoice.pdf.exe" | Don't open unexpected attachments |
| Malicious downloads | Fake software updates | Download from official sources only |
| Drive-by downloads | Compromised websites | Keep browser updated |
| USB drives | Found/borrowed drives | Don't plug in unknown drives |
| Pirated software | "Free" premium software | Use legitimate sources |
| Malicious ads | Malvertising | Use ad blocker |
| Fake apps | Impersonation in app stores | Check reviews, developer info |
| Software vulnerabilities | Unpatched systems | Keep everything updated |
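The "Invoice.pdf.exe" row above is the double-extension trick: Windows hides known extensions by default, so the file looks like a PDF. Here is an added example (not from this guide) of the kind of rule a mail filter applies to attachment names; the extension lists are assumptions for illustration, not a complete catalogue.

```python
# Added example: flag attachment names that hide an executable behind a
# document-looking extension (e.g. Invoice.pdf.exe). Lists are assumed/illustrative.

# Extensions that execute code when opened (assumed, not exhaustive).
EXECUTABLE_EXTENSIONS = {"exe", "scr", "com", "bat", "cmd", "js", "vbs",
                         "msi", "ps1", "jar", "hta"}
# Extensions a user expects to be harmless documents or images.
DOCUMENT_EXTENSIONS = {"pdf", "doc", "docx", "xls", "xlsx", "jpg", "png",
                       "txt", "zip"}


def classify_attachment(name: str) -> str:
    """Return 'block', 'warn' or 'ok' for an attachment file name.

    'block': the real (last) extension is executable, e.g. Invoice.pdf.exe
    'warn' : not executable, but a document extension is used as a disguise,
             or there is no extension at all to judge by
    'ok'   : plain, non-executable extension (report.tar.gz is fine)
    """
    parts = name.strip().lower().split(".")
    if len(parts) < 2:
        return "warn"                      # no extension: let a human decide
    final = parts[-1]                      # what the OS actually opens it as
    hidden = parts[-2] if len(parts) >= 3 else None
    if final in EXECUTABLE_EXTENSIONS:
        return "block"
    if hidden in DOCUMENT_EXTENSIONS and final not in DOCUMENT_EXTENSIONS:
        return "warn"                      # e.g. statement.pdf.html
    return "ok"


def triage(names):
    """Constructed batch run: map each attachment name to its verdict."""
    return {n: classify_attachment(n) for n in names}
```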
Ransomware
Ransomware deserves its own section because it has caused more individual heartbreak than any other malware category. Photos, tax records, school assignments, all gone in an afternoon.
How Ransomware Works
| Stage | What Happens |
|---|---|
| Infection | Malware installed via phishing, exploit, or download |
| Reconnaissance | Scans for valuable files |
| Encryption | Locks your files with attacker's key |
| Ransom demand | Pay in cryptocurrency or lose files |
| Timer | Pressure to pay quickly |
| Data theft | Modern ransomware also steals data first |
Ransomware Prevention
| Action | Why It Helps |
|---|---|
| Regular backups (3-2-1 rule) | Restore without paying |
| Offline backups | Ransomware can't encrypt disconnected drives |
| Update all software | Patches vulnerabilities used for infection |
| Email caution | Most ransomware arrives via phishing |
| Antivirus/antimalware | Detects known ransomware |
| Limit admin access | Reduces damage scope |
If You Get Ransomware
| Do | Don't |
|---|---|
| Disconnect from network immediately | Pay the ransom (usually) |
| Document everything | Try to negotiate |
| Report to authorities | Delete the ransomware note |
| Check for free decryptors | Assume data is lost |
| Restore from backup | Restore to infected system |
Free decryptor resources:
- NoMoreRansom.org (joint project of Europol and several vendors)
- ID Ransomware (id-ransomware.malwarehunterteam.com)
Should You Pay the Ransom
| Considerations | Reality |
|---|---|
| No guarantee of decryption | Some attackers take money and disappear |
| Funds criminal enterprise | Encourages more attacks |
| May be targeted again | Known to pay = attractive target |
| Some data may be lost anyway | Decryption isn't always complete |
| Legal issues in some cases | Paying certain groups may violate sanctions |
If you have a working backup, do not pay. If you don't, get a professional involved before any payment decision.
Spyware and Stalkerware
Spyware Types
| Type | Purpose | Concern Level |
|---|---|---|
| Commercial tracking | Advertising data | Moderate (privacy) |
| Keyloggers | Capture passwords | High |
| Screen recorders | See all activity | High |
| Stalkerware | Intimate partner surveillance | Critical |
| Government spyware | Surveillance | Varies by country |
Signs of Spyware
| Symptom | Possible Cause |
|---|---|
| Battery draining faster | Background monitoring |
| Increased data usage | Sending data to attacker |
| Phone gets hot when idle | Hidden processes running |
| Unfamiliar apps | Monitoring software installed |
| Settings changed | Someone else has access |
| Device slower than normal | Malware consuming resources |
Stalkerware Concerns
If you suspect an abusive partner installed monitoring software:
| Do | Don't |
|---|---|
| Seek help from domestic violence resources | Immediately remove it (may alert abuser) |
| Use a safe device to research | Assume you're not being monitored |
| Document evidence | Confront abuser without safety plan |
| Contact law enforcement if safe | Use shared accounts for sensitive communication |
Resources:
- National Domestic Violence Hotline: 1-800-799-7233
- Coalition Against Stalkerware: stopstalkerware.org
Antivirus and Antimalware
What Protection to Use
| Platform | Built-in Option | Third-Party Options |
|---|---|---|
| Windows 10/11 | Microsoft Defender (good) | Bitdefender, Norton, ESET |
| macOS | XProtect (basic) | Malwarebytes, Bitdefender |
| Android | Play Protect (basic) | Bitdefender, Norton |
| iOS | Locked-down system | Generally not needed |
| Linux | ClamAV (basic) | ESET, Sophos |
Choosing Security Software
| Feature | Why It Matters |
|---|---|
| Real-time protection | Blocks threats before execution |
| Regular updates | Detects new threats |
| Low system impact | Doesn't slow down your computer |
| Ransomware protection | Extra defense against file encryption |
| Web protection | Blocks malicious websites |
| Reputation | Proven track record |
What Security Software Won't Do
| Misconception | Reality |
|---|---|
| Block all malware | New threats can slip through |
| Protect against phishing clicks | Can warn but can't stop you |
| Fix all vulnerabilities | Updates still required |
| Remove advanced rootkits | May need full reinstall |
| Prevent social engineering | Human judgment still needed |
Safe Downloading Practices
Software Sources
| Source | Safety | Notes |
|---|---|---|
| Official developer website | Best | Verify URL carefully |
| Official app store | Very good | Still check reviews |
| Package manager (Linux) | Very good | Maintained repositories |
| Reputable download sites | Moderate | May include bundled software |
| Torrent/pirate sites | Dangerous | High malware risk |
| Random websites | Dangerous | Often malware distribution |
Verifying Downloads
| Verification Method | What It Does |
|---|---|
| Check URL carefully | Ensure official site |
| Verify file hash | Confirm file wasn't modified |
| Check digital signature | Confirm legitimate publisher |
| Scan with VirusTotal | Multiple antivirus check |
| Read recent reviews | Others may report issues |
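The "Verify file hash" row in practice: compare the SHA-256 of what you downloaded against the list the developer publishes. This added example (not from this guide) parses a `sha256sum`-style list and checks a file against it; the file names and bytes in `demo()` are constructed for the demo.

```python
# Added example: verify a download against a published SHA256SUMS list.
# Sample file names and contents below are constructed, not real releases.
import hashlib
import hmac
import os
import tempfile


def sha256_of_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Stream the file through SHA-256 so a large installer doesn't fill memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def parse_checksum_list(text: str) -> dict:
    """Parse 'HASH  filename' lines (sha256sum output format) into {filename: hash}."""
    expected = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) != 2 or parts[0].startswith("#"):
            continue                                   # blank or comment line
        digest, filename = parts
        expected[filename.lstrip("*")] = digest.lower()  # '*' marks binary mode
    return expected


def verify_download(path: str, checksum_text: str) -> bool:
    """True only if the file is listed and its SHA-256 matches exactly."""
    expected = parse_checksum_list(checksum_text)
    name = os.path.basename(path)
    if name not in expected:
        return False          # an unlisted file is unverified, never "probably fine"
    return hmac.compare_digest(sha256_of_file(path), expected[name])


def demo() -> dict:
    """Constructed scenario: an intact download and a tampered copy of it."""
    with tempfile.TemporaryDirectory() as d:
        good = os.path.join(d, "installer.bin")
        bad = os.path.join(d, "tampered.bin")
        with open(good, "wb") as f:
            f.write(b"example installer bytes\n")
        with open(bad, "wb") as f:
            f.write(b"example installer bytes\n" + b"extra")  # any change breaks the hash
        # The published list claims both files should hash like the intact one.
        sums = f"{sha256_of_file(good)}  installer.bin\n{sha256_of_file(good)}  tampered.bin\n"
        return {"good": verify_download(good, sums), "tampered": verify_download(bad, sums)}
```

A matching hash only proves the file is the one the site published; if the site itself was compromised, the list and the file change together, which is why the digital-signature check in the same table is the stronger test.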
Browser Extension Safety
| Safe Practices | Risky Behaviors |
|---|---|
| Install from official store | Install from random websites |
| Check permissions requested | Grant all permissions blindly |
| Read reviews and ratings | Install first thing you find |
| Limit number of extensions | Install many extensions |
| Remove unused extensions | Leave old extensions installed |
Keeping Systems Updated
Why Updates Matter
| Update Type | What It Fixes |
|---|---|
| Security patches | Known vulnerabilities |
| Bug fixes | Potential exploit entry points |
| Feature updates | Sometimes include security improvements |
| Definition updates | New malware signatures |
What to Keep Updated
| Component | Update Frequency |
|---|---|
| Operating system | Enable automatic updates |
| Web browser | Enable automatic updates |
| Antivirus definitions | Automatic, multiple times daily |
| Other applications | Check weekly |
| Router firmware | Check monthly |
| IoT devices | Check when available |
Update Best Practices
| Do | Don't |
|---|---|
| Enable automatic updates | Delay updates indefinitely |
| Restart when prompted | Ignore restart requests |
| Update all devices | Forget about tablets, phones |
| Check for router updates | Assume router updates itself |
| Verify update authenticity | Click popup "update" warnings |
Recovering from Malware
If You Suspect Infection
| Step | Action |
|---|---|
| 1. Disconnect | Remove from network (unplug Ethernet, disable WiFi) |
| 2. Don't panic | Assess calmly, document what happened |
| 3. Boot safely | Safe mode or from clean media |
| 4. Scan thoroughly | Use multiple antimalware tools |
| 5. Change passwords | From a clean device |
| 6. Monitor accounts | Watch for unauthorized activity |
| Tool | Use Case |
|---|---|
| Malwarebytes | General malware removal |
| HitmanPro | Second opinion scanner |
| ESET Online Scanner | Browser-based scan |
| Kaspersky Virus Removal | Standalone removal tool |
| Windows Defender Offline | Boot-time scan for Windows |
When to Reinstall
| Scenario | Recommendation |
|---|---|
| Ransomware infection | Wipe and restore from backup |
| Rootkit detected | Full reinstall recommended |
| Persistent reinfection | Wipe, reinstall, check for root cause |
| Unknown infection severity | Consider reinstall to be safe |
| Sensitive data at risk | Reinstall for certainty |
Malware Prevention Checklist
Daily Habits
| Practice | Benefit |
|---|---|
| Think before clicking | Avoid phishing and malicious downloads |
| Keep antivirus running | Real-time protection |
| Don't run unknown software | Avoid trojan infections |
Weekly Tasks
| Task | Purpose |
|---|---|
| Run full antivirus scan | Catch anything missed |
| Check for software updates | Patch vulnerabilities |
| Review installed programs | Remove unfamiliar software |
Monthly Tasks
| Task | Purpose |
|---|---|
| Update router firmware | Patch network vulnerabilities |
| Verify backups work | Ensure ransomware recovery |
| Review browser extensions | Remove unused, check permissions |
Special Malware Concerns
Cryptominers
| Signs | Impact |
|---|---|
| High CPU usage when idle | Shortened hardware lifespan |
| Computer runs hot | Higher electricity bills |
| Fans running constantly | Slower performance |
| Battery drains quickly | Mobile device unusable |
Browser-Based Threats
| Threat | Prevention |
|---|---|
| Malicious websites | Use browser protection, update browser |
| Cryptojacking scripts | Use script blocker, uBlock Origin |
| Fake download buttons | Look carefully, use ad blocker |
| Browser hijacking | Review and remove bad extensions |
Fake Antivirus (Scareware)
| Signs | What to Do |
|---|---|
| Popup saying you're infected | Don't call the number |
| Demanding payment to "clean" | Close browser, run real scan |
| Can't close popup easily | Force quit browser |
| Fake scan results | Ignore, use legitimate antivirus |
Key Takeaways
- Backups are the only ransomware defense that works. Use the 3-2-1 rule: 3 copies, 2 media types, 1 offsite.
- Keep everything updated. Most malware exploits vulnerabilities that already have a patch you haven't applied.
- Download from official sources. Pirated software is the most reliable malware delivery service.
- Built-in protection is usually enough. Microsoft Defender is fine for most home users.
- Don't run things you don't trust. Especially if a popup says "click here to fix".
- Browser hygiene matters. uBlock Origin and an updated browser stop a lot of attacks.
- Disconnect when infected. Stops spread and stops data exfiltration.
- Two scanners catch what one misses. Use a second-opinion scanner like Malwarebytes.
- When in doubt, reinstall. It's the only way to be sure.
- Stalkerware is abuse. If you suspect it, get help from a safe device first.
Next Steps
Continue to 06-network-security.md to lock down the front door: your home router, WiFi, and the IoT zoo behind it.