Malware vs. ransomware: What's the difference?
Ransomware is a type of malware, or malicious software. While all ransomware is malware, not all malware is ransomware.
Cyber attacks are escalating globally, and no one is safe. The number of ransomware attacks, in particular, has exploded in recent years.
While a layperson might use the terms malware and ransomware interchangeably, it's important to know that doing so is not always accurate. Rather, ransomware is a subset of malware. All ransomware is malware, but not all malware is ransomware. Also note that some ransomware variants qualify as other types of malware, such as Trojans and worms.
What is malware?
Malware is an umbrella term for any malicious software that enables an attacker to perform some degree of unauthorized activity on a device or in a system. Threat actors often deliver malware via phishing or other social engineering attacks, or by exploiting unpatched software vulnerabilities.
A wide variety of malware exists, including the following types:
- Adware. Some adware is legitimate, showing advertisements to consenting users while they interact with a given application. Malicious adware aims to trick users into downloading other types of malware, such as spyware, to their devices.
- Ransomware. This type of malware takes private digital resources hostage. Attackers demand ransom payments in exchange for returning victims' access to their computer systems and data.
- Rootkits. A rootkit is software that can give a cybercriminal remote administrative control over a device, without alerting the user. A threat actor might use a rootkit to steal data or to co-opt a computer into a botnet. Rootkits also deliver other types of malware, such as keyloggers and spyware.
- Scareware. Scareware is a type of malware that tries to frighten victims into falsely believing threat actors have already compromised their devices. Scareware tactics often include pop-up windows or phishing emails that urge users to download -- and often pay for -- corrective security software, which is actually dummy software or malware in disguise. The goal of a scareware attack could be to steal financial credentials, infect devices with additional malware or both.
- Spammers. If attackers seize control of an account or device, they can deploy malicious code that pumps out thousands and thousands of spam emails. This type of malware hijacks a victim's system to use as an email blast platform, or spambot.
- Spyware. Spyware records the activities of unwitting users, such as websites they visit and information about their computer systems. Spyware that records keystrokes is called a keylogger. It is designed to steal credit card numbers, passwords, bank account numbers and other sensitive data.
- Trojans. Trojan horse malware looks like an innocuous file or program, but secretly delivers a malicious payload. Ransomware that attackers deliver via phishing emails is also a kind of Trojan, in that the malicious payloads hide within seemingly harmless attachments or links.
- Viruses. Virus is a generic term for malware that can damage devices; copy, encrypt, steal and delete data; hijack devices for use in botnets; and more. Viruses spread when users inadvertently download them, often by clicking malicious links or opening suspicious email attachments.
- Worms. A worm is malicious software that can self-replicate once inside a system and spread laterally, infecting multiple devices across a network. Unlike a virus, a worm can propagate automatically, without requiring additional victims to click links or download files.
What is ransomware?
Ransomware is malware that locks down or encrypts digital resources, ranging from entire computer systems to select data. Ransomware operators hold these systems and files hostage, demanding ransom payments in exchange for restoring access.
Cybercriminals typically conceal ransomware in an infected attachment or malicious link and deliver it via a phishing attack. Alternatively, they can exploit software vulnerabilities or unsecured Remote Desktop Protocol (RDP) environments.
Once ransomware has successfully infected a system, threat actors scour the system for files containing sensitive data, such as personally identifiable information, financial information and health records. They then might encrypt the data, exfiltrate it or both.
In increasingly common double extortion ransomware cases, attackers both block users' access to their own resources and threaten to publish their sensitive data online. In triple extortion ransomware attacks, malicious actors add a third threat, such as launching a DDoS attack or extorting the victim's employees, partners or customers.
To decrypt its files and regain system access, an organization needs the attackers' decryption key, which it can theoretically obtain by paying the ransom. But not all victims that pay ransoms see their data fully restored. In some cases, the attackers install secret backdoors in systems so that they can repeatedly attack the same targets. Or attackers simply might not follow through with their side of the deal.
Cybercriminals usually demand ransoms in bitcoin or other cryptocurrencies because they are easier than traditional currency to send and receive anonymously, without interference from law enforcement or banks.
Learn how Colonial Pipeline operations came to a halt when a ransomware attack infected its systems.
What are the differences between malware and ransomware?
This is somewhat of a trick question, as ransomware is a type of malware.
Some ransomware even qualifies as multiple types of malware. WannaCry, for example, is both ransomware and a worm -- also known as a cryptoworm. Many ransomware programs are also Trojans, with attackers disguising them in apparently innocuous email attachments.
Here is a side-by-side glance at malware and ransomware:
| Malware | Ransomware | |
| Goal | Any malicious code designed to perform a variety of unauthorized actions, including damaging digital resources, stealing data and disrupting IT services. | Malicious code specifically designed to lock victims out of their own systems until they make ransom payments. Can also involve extortion, in which attackers exfiltrate data and threaten to publish it online. |
| Delivery | Delivered in many ways, including via email, USB drives, network worms, Trojans and malicious websites. | Primarily delivered via targeted phishing attacks, RDP attacks or exploited software vulnerabilities. |
| Removal | Some types of malware can be stopped or removed by antivirus software. | Hard to remove once an infection has occurred and the system has been locked or encrypted. |
| Motive | Motives for malware vary, ranging from idle criminal mischief to financial gain to nation-state espionage. | The motive in a ransomware attack is financial gain. As such, ransomware qualifies as serious criminal activity. |
| Technical effects | Range from mild performance degradation on a single device to total destruction of an enterprise network. | Often brings all digital activity to a halt until users pay the ransom, restore the system from backup or rebuild the system from scratch. |
How can organizations protect against ransomware and other malware?
Because ransomware often spreads via phishing attacks, many experts agree that an organization's most important defense is an educated, cautious user base. Security awareness training is key in preventing ransomware attacks.
Ransomware-specific security awareness training should educate users to never open email attachments or click links from unknown senders, and to regard even messages from known senders with healthy skepticism. If an email from an existing contact seems at all unusual, the user should confirm via another communication channel that the other person's account has not been compromised.
Another way businesses can protect themselves from ransomware attacks is to create offline data backups. Reliable backups should ideally enable them to restore their data without paying ransoms. Note that this will not protect against extortion-based ransomware attacks in which bad actors threaten to leak or publicly share stolen data.
Enterprises should also employ defense-in-depth security strategies that include some combination of the following:
- Allowlists/blocklists.
- Antimalware.
- Antivirus.
- Email security gateways.
- Endpoint detection and response.
- Endpoint protection.
- Extended detection and response.
- Firewalls.
- Intrusion detection and prevention.
- Least-privilege access control.
- Managed detection and response.
- Multifactor authentication.
- Network traffic analysis.
- Zero-trust network access.
