Indications of Malware Attacks
9 Common Indicators of Malware Attacks
- Account Lockouts
  - Malware, especially malware designed for credential theft or brute-force attacks, can trigger multiple failed login attempts that result in a user's account being locked out
- Concurrent Session Utilization
  - If you notice that a single user account has multiple simultaneous (concurrent) sessions open, especially from various geographic locations
  - This may be a good indication that some kind of malware has hijacked the user's account and is now using it for malicious activity
- Blocked Content
  - If there is a sudden increase in the number of blocked-content alerts you are seeing from your security tools
  - This is a strong indication that a malware infection may have successfully penetrated your system
- Impossible Travel
  - Refers to a scenario where a user's account is accessed from two or more geographically separated locations in an impossibly short period of time
  - Impossible travel is an indication that an account has been compromised, often due to some kind of malicious activity or as the aftermath of a successful malware attack that harvested the user's credentials (username and password)
- Resource Consumption
  - If you are observing unusual spikes in CPU, memory, or network bandwidth utilization that cannot be linked back to a legitimate task
  - This could be an indication of a malware attack
  - High resource consumption can lead to system slowdowns that indicate a malware infection
- Resource Inaccessibility
  - Ransomware
    - A form of malware that encrypts user files to make them inaccessible to the user
  - If a large number of files or critical systems suddenly become inaccessible, or if users receive messages demanding payment to decrypt their data
  - This is a clear sign of a ransomware-based malware attack
- Out-of-Cycle Logging
  - If you are noticing that your logs are being generated at odd hours or during times when no legitimate activity should be taking place (such as in the middle of the night when no employees are actively working), this is an indicator of possible compromise
  - Review logs regularly to detect out-of-cycle logging
- Missing Logs
  - If you are conducting a log review as a cybersecurity analyst and you see that there are gaps in your logs, or that logs have been cleared without any authorized reason
  - A large gap in logs is an indication of malicious activity or a malware attack, since attackers clear logs to cover their tracks
- Published or Documented Attacks
  - If a cybersecurity researcher or reporter publishes a report showing that your organization's network has been infected as part of a botnet or other malware-based attack
  - This serves as your notice that you have been attacked!
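As an added example (not part of the original notes), a small Python detector for two of the indicators above, Impossible Travel and Out-of-Cycle Logging, run over constructed login records. The 900 km/h speed ceiling (roughly airliner cruise speed) and the 07:00-20:00 UTC business window are assumptions you would tune for your own environment.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from math import radians, sin, cos, asin, sqrt

# Constructed sample records (not real data): user, UTC login time, source geolocation.
@dataclass
class Login:
    user: str
    when: datetime
    lat: float
    lon: float

SAMPLE_LOGINS = [
    Login("alice", datetime(2024, 5, 1, 9, 5, tzinfo=timezone.utc), 51.51, -0.13),     # London
    Login("alice", datetime(2024, 5, 1, 9, 35, tzinfo=timezone.utc), 40.71, -74.01),   # New York, 30 min later
    Login("bob",   datetime(2024, 5, 1, 8, 0, tzinfo=timezone.utc), 48.86, 2.35),      # Paris
    Login("bob",   datetime(2024, 5, 1, 19, 0, tzinfo=timezone.utc), 52.52, 13.40),    # Berlin, 11 h later
    Login("carol", datetime(2024, 5, 1, 2, 30, tzinfo=timezone.utc), 37.77, -122.42),  # San Francisco, 02:30 UTC
]

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

def impossible_travel(logins, max_kmh=900.0):
    """Flag consecutive logins per user whose implied travel speed exceeds max_kmh (assumed ceiling).
    Returns (user, earlier_time, later_time, distance_km) tuples."""
    by_user = {}
    for login in sorted(logins, key=lambda l: l.when):
        by_user.setdefault(login.user, []).append(login)
    flagged = []
    for user, events in by_user.items():
        for prev, cur in zip(events, events[1:]):
            hours = (cur.when - prev.when).total_seconds() / 3600
            km = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
            # A location change with zero elapsed time is impossible by definition.
            if (hours == 0 and km > 0) or (hours > 0 and km / hours > max_kmh):
                flagged.append((user, prev.when, cur.when, round(km)))
    return flagged

def out_of_cycle(logins, start_hour=7, end_hour=20):
    """Flag logins outside the assumed business window (UTC; start inclusive, end exclusive)."""
    return [(l.user, l.when) for l in logins if not (start_hour <= l.when.hour < end_hour)]
```

Alice's London-to-New York hop (about 5,570 km in 30 minutes) is the only impossible-travel hit; Carol's 02:30 login is the only out-of-cycle one.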