Malware-as-a-Service and the rise of DIY cybercrime

malware as a service

Cybercriminals are always looking for the next sophisticated method to target businesses. And as a small business owner, it can sometimes feel impossible to keep up with the latest developments. However, knowledge is power, which is why we bring you regular updates. Let’s explore the latest trends in DIY cybercrime and Malware-as-a-Service, and how to mitigate them. 

What is Malware-as-a-Service?

Malware-as-a-Service (MaaS) is a business model used by cybercriminals known as MaaS operators. MaaS operators lease their software, hardware, and related infrastructure to others for a fee. This enables malicious criminals to distribute pre-made malware, even with minimal coding skills. 

You might’ve heard of similar terms like a Software-as-a-Service model, where an end-user purchases a pre-made software solution for their business or personal use. MaaS is the same concept but with malicious software. MaaS operators distribute the software on the dark web and sometimes even provide customer support to nefarious clientele.

Did you know that 47% of SME leaders feel more at risk of a cyberattack since the beginning of the cost of living crisis? Find out why in our latest report.

What is DIY cybercrime?

DIY cybercrime, or do-it-yourself cybercrime, is where a cybercriminal uses a pre-made solution to execute malicious activity. For example, they purchase ready-to-use Malware-as-a-Service, quickly get it up and running, and then use it to distribute malware to their target.

The worrying thing about DIY cybercrime is that anyone can purchase and use an off-the-shelf tool. It has never been easier for criminals to distribute malware, engage in phishing, and more. 

At this point, you might be shaking your head and thinking, ‘D-I-WHY?!’ But don’t worry, all is not lost. You can dramatically reduce the threat to your business by putting the correct cybersecurity solutions in place.

Malware-as-a-Service examples


ZeuS, or ZBOT, is a MaaS package that runs on Microsoft Windows. It was designed to steal sensitive information like banking credentials. First detected in 2007, it has successfully targeted large organizations like Amazon, Bank of America, and NASA.


SpyEye is a computer program that infects victims’ devices and steals sensitive data. In a rare case of justice, the creator of SpyEye was caught and sentenced to nine and half years in US federal prison. However, this hasn’t stopped the presence of SpyEye across the internet.

Blackhole Exploit Kit

Released on an underground Russian hacking platform, Blackhole Exploit Kit made up 29% of all web threats in 2012, making it a significant threat. Since then, the exploit kit model has continued to transform and is still widely used by cybercriminals.  

How to prevent Malware-as-a-Service attacks 

Like all criminal activity, MaaS isn’t a threat that’ll soon disappear. But there are several simple steps to protect your business. Here’s what we think you should prioritise.

Educate employees

Most people don’t have in-depth knowledge of malware and DIY cybercrime. Due to the ever-changing nature of cybercrime, your employees must play a part in protecting your business. Make sure people know how to spot a malware attack in your business and provide them with training and resources so they stay informed.

Complete a cybersecurity certification

A cybersecurity certification, like Cyber Essentials, is an excellent way to quickly implement robust security measures in your business. This is because the steps to qualify help you attain certification status and proactively mitigate against malware. 

Additionally, many companies find that the steps help them identify overlooked vulnerabilities in their business that they might otherwise be unaware of. It covers a broad range of factors like:

  • Implementing data encryption
  • Using firewalls
  • Managing user access
  • Updating software and operating systems

For more information on accreditations, we recommend reading our guide to cybersecurity certifications in the UK.

Monitor your security round-the-clock

Certification is a great starting point for putting in place the right defences and building your cyber confidence. However, cybercriminals won’t only attack on certification day, so you need a way of monitoring your defences year-round. You could approach this manually, but beware it’ll be time-consuming and require familiarity with cybersecurity best practices.

An alternative is to use a cybersecurity monitoring service, like CyberSmart Active Protect, which checks for vulnerabilities around the clock and ensures everyone in your business is working safely. Likewise, a vulnerability management tool can help you get ahead of the latest developments in cybercrime.

Want to know more about the threats facing small businesses like yours? Then have a read of our SME cost of living crisis report. It’s packed full of insight into how small businesses are defending themselves during an economic downturn.

SME cost of living crisis

What is spear phishing?

What is spear phishing?

For many people, hearing the phrase ‘spear phishing’ conjures up images of intrepid divers hunting for their dinner in azure seas. However, much like ‘trojan horse’ the term has come to meet something quite different.

According to research, 50% of businesses were victims of spear phishing in 2022, with the typical organisation receiving 5 attacks daily. So the threat is real. But how does a spear phishing attack work? How does it differ from a phishing attack? Most critically, what can your business do to protect itself?

How a spear phishing attack works

Spear phishing is a form of phishing attack. However, unlike the ‘spray and pray’ approach of a conventional attack, spear phishing targets specific individuals, usually within a single organisation. The ‘spear’ in its name reflects this specific targeting.

A spear-phishing attack typically aims to gain privileged access. This is used to steal sensitive data or infect the target (and often their wider network) with malware.

Unlike your common-or-garden phishing attack, spear phishers assiduously research their targets. They do this so that the eventual attack appears to come from a trusted source, such as a boss or client. Spear phishing also uses social engineering techniques to dupe the victim into clicking on a link or granting access. 

Let’s delve a little deeper into how it works.

Trying to protect your business on a budget? Start by reading our guide.

Anatomy of a spear phishing attack

We’ve established what a spear phishing attack is, but how do they work? Typically, a spear phishing attack has five stages. These are:

1. Goal setting 

The first stage is a simple one. After deciding to turn to crime, the bad guys start by plotting out what they want to achieve with the attack. It could be stealing ransomable data, causing disruption or myriad other goals.

2. Picking the target(s)

This stage usually involves a round of preliminary research. Which organisation should they target? Who works at the business they want to target? Are they likely to have access to the data or systems they want to access? Who are the senior leaders within the target organisation? How can they be reached?

These are the questions a cybercriminal will seek to answer as they lay the groundwork. Once they have, it’s time to go a level deeper.

3. Building a profile of the victim(s)

By now, the cybercriminals should have a solid idea of which organisation they want to attack and who within it makes the best targets. Next, it’s a case of getting to know their victims. 

Spear phishers scour social media profiles and platforms like LinkedIn to discover contact details, the victim’s network of family and friends, business contacts, where they shop or bank, and even places they frequent. This information allows cybercriminals to build a rich profile of who the target is, allowing them to tailor the scam specifically to the victim.

4. Initiate contact and use social engineering techniques

Now the scheme has been devised, the cybercriminals launch their attack. Spear phishing emails usually use social engineering techniques such as creating a sense of urgency, trust or authority. The key to a good spear phishing scam is that it appears legitimate because the ‘sender’ is an individual or company the victim regularly engages with and contains at least some, authentic information.

The most expensive spear phishing attacks of all time

1. Google and Facebook 

This is perhaps the most famous phishing scam of all time. Between 2013 and 2015, Google and Facebook fell prey to a £77m Spear phishing campaign. Essentially, a Lithuanian cybercriminal named Evaldas Rimasauskas posed as an Asian supplier of both companies, sending fake invoices to key leadership figures within the tech firms. 

Rimasauskas was eventually caught but not before he’d managed to defraud two of the largest companies in the world out of an eye-watering sum. 

2. Ubiquiti Networks 

In 2015, networking giant Ubiquiti was hit with a £36.7m spear phishing campaign. According to the company’s statement on the breach, it resulted from “employee impersonation and fraudulent requests from an outside entity targeting the Company’s finance department.” In other words, the company fell victim to a classic spear phishing attack. 

3. Colonial Pipeline 

Of all the incidents on this list, the Colonial Pipeline attack in 2021 is the most sinister. It remains the largest publicly disclosed attack on US infrastructure to date. The breach was so serious that the US government considered it a national security threat. 

The attack had several stages. First, the hacker group DarkSide discovered a vulnerability exposed in a previous breach. A Colonial Pipeline employee had likely used the same VPN password in another location, exposing the company’s network.

Next, the hackers used this password to access the Colonial Pipeline, stealing over 100 gigabytes of data in just two hours. Following this, DarkSide injected the network with ransomware that infected several systems, including billing and accounting.

We don’t have a definitive figure for how much the breach cost Colonial Pipeline. We know the company paid DarkSide £3.47m for the decryption key for the ransomed data. However, the real losses could have been astronomical. Colonial Pipeline supplies oil to the entire US East Coast and the attack shut down its operations for a week. This meant the non-delivery of approximately 20 billion gallons of oil, worth around £2.7 billion at the time.

Spear phishing affects small businesses too 

Although all of the examples above feature globe-bestriding businesses, this doesn’t mean there’s no threat to small businesses. Unfortunately, nothing could be further from the truth.
According to research, on average the employee of a small business will experience 350% more phishing and social engineering attacks than a staff member at a larger enterprise. 

Why? Well, while cybercriminals are undoubtedly motivated by the prestige and financial rewards that come with the scalp of a global enterprise, small businesses represent an easy target.

SMEs typically have weaker defences and less developed cybersecurity practices than their corporate counterparts, for one. However, that’s not the only reason. SMEs’ employees can often be turned more easily to a cybercriminal’s malicious ends, whether through actively colluding with criminals or negligence.

Indeed, CyberSmart’s research revealed that 22% of SME leaders believe employees are more likely to make mistakes – such as clicking on a phishing link – since the cost of living crisis began. Meanwhile, 20% believe employees will steal sensitive or proprietary data from the company to sell for profit or a competitive advantage.

How to protect your business 

There’s no denying that small businesses are vulnerable to spear phishing attacks. Nevertheless, becoming a victim of this kind of breach isn’t inevitable. There are plenty of things you can do to ensure your business is protected.

1. Use a VPN 

A virtual private network (VPN) is essential for remote working. If your business employs anyone who accesses company systems through a network that isn’t your own, even if only occasionally, you need one. Unsecured networks pose a huge threat to your business which a VPN can easily counter. 

Rather than using the public network, a VPN routes your traffic through specialised servers and encrypts your data. This makes it virtually impossible for cybercriminals to break in through a public network (unless they have the password or encryption key as we saw in the Colonial Pipeline case).

2. Staff training 

As mentioned earlier, Spear Phishing relies on social engineering techniques, using our human nature against us. This is tricky to counter, but not impossible. Cybersecurity awareness training can help your people recognise when they’re being targeted and give them the skills they need to avoid it.

3. Patch all software

Patching is very important to cybersecurity and the good news is that it’s simple. All you need to do is update all software with the patches providers release. This will stop cybercriminals from exploiting any vulnerabilities in providers’ software to access your business.

4. Deploy MFA

Like VPNs multi-factor authentication (MFA) adds an extra layer of security for your business, making it much harder for hackers to gain access. You likely already use MFA in some aspect of your online life, it’s now a requirement for most banking accounts. But if you haven’t already, switch it on for any system or application your business uses.

5. Protect your network 

Your network is the gateway to your business. It’s what spear phishers are ultimately trying to gain access to when they attack you. Through it, a hacker can access just about anything your organisation does. So protect it, and protect it well. The four most simple things you can do to strengthen your network immediately are:

  • Install a network firewall to filter network traffic
  • Use a VPN to encrypt network traffic
  • Segment your network to eliminate single points of failure
  • Regularly update your router’s firmware

6. Always use back-ups 

If the worst does happen and a spear phishing attack succeeds in stealing information, data backups can mitigate the worst effects. Not only will it enable you to minimise disruption by getting systems back up and running quickly, but it’ll also weaken cybercriminals’ bargaining power if there’s a ransom to be paid.

7. Limit user access

Be careful to limit who has access to what within your business. Users should only have admin rights within a system or application if it’s critical for their role. The reason for this is simple; if a cybercriminal compromises a user account through a spear phishing campaign, the fewer permissions that account has the less damage a hacker can do.

8. Tie it all together 

If the list above appears extensive, don’t fear, there are methods which allow you to tie it all together. The first is to complete a cybersecurity accreditation like Cyber Essentials or ISO27001 certification. These certifications can help you put in place good cybersecurity practices (including all of the above) and build your cyber confidence.

However, you also need something that keeps your cybersecurity baseline consistently high, year-round. This is where everyday cyber protection tools like CyberSmart Active Protect can help.

Finally, none of this has to cost the earth. For more on how to protect your business on a budget, check out our guide.

Cost of living CTA 2

How nation-state cyber warfare affects you

Nation-state cyber warfare

We live in a time of increased international tensions. You can scarcely open a newspaper or browse a news site without being greeted by conflict, both in the real world and online. We’re only two months into 2024 and the National Cyber Security Centre (NCSC) and its international partners have already issued a public warning about state-sponsored attackers.

However, for the average small business or individual, this can seem very distant. Reports on the machinations of states and their security services can all feel ‘a bit James Bond’. Nevertheless, cyber warfare affects everyone. In this blog, we look at cyber warfare and why you should care.

What is nation-state cyber warfare?

Nation-state cyber warfare is best defined as:

Cyberattacks launched by one nation-state against another, targeting critical infrastructure, government agencies, businesses, and individuals.’

Nation-state cyber-attacks are often distinctive. The techniques employed are advanced, with highly skilled hackers tasked with executing bespoke malware. These operations are often phenomenally well-resourced, with money no object, and executed over long periods, often years.

Did you know that 47% of UK SMEs feel more threatened by cybercrime since the cost of living crisis began? Find out more in our latest report.

Why are nation-state attacks launched?

There are several reasons why countries engage in cyber warfare, from its use as an extended theatre of war to attempting to exert influence on rivals’ internal affairs.

Military operations

Cyber warfare can act as a further weapon in support of traditional methods, as we’ve seen in the current Russia-Ukraine conflict.


Another motivation is simple disruption, whether to send a message or destabilise an enemy. We’ve seen plenty of attacks on critical infrastructure such as power grids, financial systems, and transportation networks. Perhaps one of the most famous examples of this (although never directly attributed to any one state) is the Stuxnet worm that disabled the Iranian nuclear programme.


Espionage is probably the most common goal of nation-state cyber warfare. State-sponsored actors might attempt to steal military intelligence, intellectual property, personal data or other sensitive information from government bodies or their supply chains. Another common use is to spy on journalists, politicians and others in positions of influence.

For a very current example of this, check out the recent exposure of China’s ‘hackers for hire’ programme.

To influence operations 

Spreading misinformation, propaganda, or sowing discord can be used to destabilise a target nation. The most infamous examples of this are perhaps the 2016 US election and the UK’s Brexit referendum, with both being targeted by outside influences. And this is likely to become a live issue again as both the UK and US go to the polls in 2024.

Stealing funds

Nation-state attacks aren’t always for political gain. The past few years have seen the rise of nation-state actors simply stealing funds. For example, groups associated with North Korea, have stolen an estimated $2 billion (£1.6 billion) from at least 38 countries in the past five years.

Why does this matter to you?

Nation-state cyberattacks are a big deal, even if they don’t target you personally. For those of you who have seen ‘Leave The World Behind’ this film brings home the chilling reality of what a significant cyber attack upon a nation could look like.

What’s more, this isn’t all the work of Hollywood screenwriters. Statistics show that in 2021, 21% of nation-state attacks targeted consumers – ordinary people like you or me. 

The impact of these attacks can be significant too. Imagine no water or electricity because hackers targeted power grids. Or worse still, a hacked nuclear system and the apocalyptic consequences that could entail. 

Interestingly, between 2021 and 2023 we have seen a significant increase in nation-state cyber attacks against schools. Between July ‘22 and June ‘23, schools were the most targeted sector, with 16% of all such attacks being directed at them

The same report highlighted that 11% of attacks were directed at think tanks and non-government organisations – groups that will have some part in shaping elections.

So while you might not be the direct target, the impact can be felt by everyone.

Nation-state attacks in the real world

We mentioned some of these in passing earlier, but let’s dig into some of the most famous examples of nation-state cyber warfare. 

Stuxnet (2010)

We almost always assume that the attacker is going to be from one of a few countries, but this nation-state attack was launched by the US and Israel. The target was an Iranian nuclear plant due to the simmering tensions between the Iranian and US governments over the former’s atomic weapons programme. 

We recommend reading about this in more detail (it’s well-documented and very interesting) but, in summary, malicious software in the form of a worm was used to specifically target Siemens-made equipment used in the nuclear power plant. This caused an estimated 1,000 centrifuges within the plant to fail, temporarily neutralising the Iranian’s nuclear programme. 

2016 American election (2016)

In 2016 we saw Russian interference in US elections. The Russian government utilised thousands of fake social media profiles that purported to be Americans, spreading disinformation. This attack also targeted American politicians directly, hacking and stealing data from senior members of Hilary Clinton’s campaign committee and leaking this information online.

And one fresh off the press…

In February 2024, globally renowned cloud services provider Cloudflare reported unauthorised access to its internal systems by an unknown attacker.

Although we don’t know anything for certain yet, Cloudflare suspects a nation-state actor was behind the incident. The attack involved stolen credentials being used to gain access to an Atlassian server containing documentation and a limited amount of source code.

Unfortunately, these examples illustrate that the attacks will keep coming, which poses the question, what can you do to protect yourself or your business?

What should I do to protect myself?

Though few of us will be directly subjected to a nation-state attack, it’s feasible that our organisation or someone that we work with could be. 

What can we do as individuals? 

Start by practising good cyber hygiene, like using strong passwords, setting up multi-factor authentication, and being cautious of suspicious emails and links. Alongside this, it’s important to stay informed about emerging threats and best practices for preventing them.

What should businesses do?

Organisations need to implement good cybersecurity practices such as vulnerability management, incident response plans, and employee training. If you’re unsure where to begin, accreditations like Cyber Essentials can give your business a solid grounding in the fundamentals of cybersecurity. 

What should we expect from governments?

Apart from ensuring they have the best possible cyber defences in place, governments must also develop international norms and frameworks to promote responsible state behaviour in cyberspace.

The EU has taken a significant step towards this in agreeing to the European Cybersecurity Scheme on Common Criteria (EUCC). This is the first scheme of three and targets IT products such as hardware, software and components.

We can’t stop nation-state activity and, individually, we can’t significantly influence it. But, we can ensure that we are informed about these threats and influence those closest to us, be that family, friends, the leaders within organisations that we work for or the businesses we buy from.

With AI quickly imposing upon our lives and a general election later this year, security is everyone’s responsibility and we must take this seriously.

Want to know more about the threats facing small businesses? Check out our guide to how SMEs are handling cybersecurity during a cost of living crisis

SME cost of living crisis

Demystifying malware: The 5 stages of a malware attack

stages of malware attack

Malware is almost as old as the first personal computers. And like anything that’s existed for a long time, it’s easy to become complacent about it. 

However, if your business has ever fallen victim to a malware attack, you’ll know how damaging it can be. The repair costs alone can set you back thousands; then, there’s the indirect financial impact of prolonged business disruption, data loss, and reputational damage.

Yet, it’s not all doom and gloom. Armed with a little understanding, you can prepare your prepare your business and stay safe online. To help you do this, we’ve put together this short guide to help you get your head around the stages of a malware attack and how they work.

But first…

What is malware?

Malware is the umbrella term for malicious software that damages, disrupts, or gives cybercriminals access to a computer system.

Cybercriminals typically disguise malware as legitimate files, links, or attachments on a web page or email. The goal is to trick the victim into downloading the malicious program onto their device, where it can:

  • Steal corporate information or sensitive customer data
  • Delete or encrypt data
  • Disrupt business operations

In some cases, malware can exploit vulnerabilities in your cybersecurity to spread to other connected systems in your network.

The most common strains of malware are:

Considering Cyber Essentials but unsure where to start? Our guide is here to help.

There’s no getting away from malware

Malware is a pervasive threat. The AV-TEST Institute registers 450,000 new types of malware every day, contributing to the estimated 1.5 billion malicious software programs and potentially unwanted applications (PUA) in the world today. 

Cybercriminals and threat groups are responsible for billions of malware attacks every year – there were 5.5 billion in 2022 alone. Cybercrime, including malware, costs UK businesses an estimated £21 billion every year

UK businesses are on the frontlines of the malware threat. 84% of UK Chief Information Security Officers (CISOs) say UK organisations are at the highest risk of material cyberattacks, with ransomware among the most common. For example, 66% of businesses fell victim to one or more ransomware attacks in 2023, marking a 44% increase from 2020.

Meanwhile, public administration experiences more malware attacks than any other sector. Public sector bodies reported 488 separate incidents between November 2021 and October 2022.

malware by numbers

The 5 stages of a malware attack

Infected websites, email attachments, and removable media are the most common means of malware attack. But whatever the approach, they all follow a similar five-stage pattern.

Stage 1: Entry

The victim inadvertently visits a compromised website by:

  1. Visiting a trusted website that a cybercriminal has hijacked
  2. Clicking on a link (often embedded in an email) that redirects the victim to the compromised website

Cybercriminals can compromise a trusted website by exploiting vulnerabilities in its servers or content management system (CMS) or using stolen credentials to inject malicious code. When the victim visits the compromised web page, the malware automatically downloads the code onto their systems.

Stage 2: Distribution

After bypassing the victim’s cyber defences, the malware redirects to an exploit kit hosting site. Cybercriminals typically use hacked traffic distribution systems (TDS) to create multiple redirections, which help to conceal their activities and the identity of their exploit kit hosting site.

Traffic distribution systems use a combination of traffic filtering and fast-flux networks to hide the host site from search engines and security scans, making them harder to track down and blocklist.

Stage 3: Exploitation

The hosting site installs an exploit kit onto the victim’s system, which loads it with malicious files, including:

  • HTML
  • Java
  • Flash
  • PDF

These files probe the victim’s system, looking for vulnerabilities they can exploit to gain access to or control of the target computer. And the worst part? The technical barriers to entry for launching malware attacks get lower each year. Cybercriminals can create homemade exploit kits or,  if they don’t have the coding skills, they can purchase them cheaply on the dark web.

Stage 4: Infection

Having successfully infiltrated the victim’s system, the malware delivers its harmful payload. This could be anything from ransomware to trojan horses or worms that operate silently in the background.

Stage 5: Execution

Now, the malware gets to its dirty work. Depending on the cybercriminal’s goals, this could be stealing or encrypting sensitive data to ransom back to the victim, disrupting business operations, or infiltrating other connected systems.

How do malware attacks work?

Malware attack examples

Malware affects everyone. Even global brands and government organisations with robust cybersecurity tools, practices, and policies have fallen prey to malware over the years.

These examples of recent high-profile attacks illustrate the extent of the threat.

LockBit (ransomware)

One of the most active ransomware strains, LockBit has affected over 1,500 businesses at a total cost of over £72 million since emerging in 2019. The Royal Mail is among its most high-profile victims. At the start of 2023, LockBit caused severe disruption to Royal Mail’s overseas delivery service after it affected one of its back-office systems. The attack lasted two months and cost over £10 million to rectify.

Conficker (worm)

One of the largest and most notorious worms in history, Conficker has infected tens of millions of computers in over 190 countries since its discovery in 2008. Its long list of victims includes government agencies (including the UK parliament), businesses, and home computers, and remains an ongoing threat. To date, it’s caused £7 billion in damages.

Emotet (trojan horse)

First discovered in 2014, the Emotet trojan has wreaked havoc on businesses and government organisations, especially in the United States. According to the Department of Justice, the trojan has infiltrated over 1.6 million computers and caused £2.5 billion in damages.

Notorious malware attacks

Prevention is the first step to protection

It’s not always easy to spot a malware attack. Cybercriminals use sophisticated tools and techniques to conceal their activity from victims, so it could be days, weeks, or even months before you realise something’s wrong.

Preparation is the key to protecting your business, suppliers, and customers from malware. At the very least, we recommend regularly updating your systems and software, installing a network firewall, and teaching staff cybersecurity best practices.

If you want to go one step further, consider getting a cybersecurity certification. Schemes like the government-backed Cyber Essentials are quick, easy, affordable, and effective.

Want to know more about how cybersecurity certifications could help protect your business? Check out our guide to cybersecurity certifications in the UK.

Cybersecurity certifications

What is fileless malware and how can you safeguard your systems?

fileless malware

The most elusive of all malware; fileless malware is a threat you can’t afford to let slip off your radar. It accounts for 40% of global malware, according to research from Arctic Wolf Labs. And attacks increased by an eye-watering 1,400% between 2022 and 2023. 

The next time you’re assessing cybersecurity priorities, keep protecting your business from these furtive attacks front of mind. 

What is fileless malware?

Fileless malware is malicious code that’s written to your RAM or legitimate system tools rather than your disk (SSD or hard drive). Essentially, it uses your system’s software, applications, or protocols to launch an attack. Technically, it’s not actually fileless, but the name comes from where the code is stored and the fact it uses what already exists in the system. 

The hacker will use the malicious code to gain access to your systems, execute the code by piggybacking on legitimate script, and steal credentials, encrypt files etc. – whatever they’ve set out to do as part of the attack. 
Because code is stored in memory, it generally disappears when you reboot your system (unless the hacker uses more advanced tactics to make the malware stick around on restart). This makes the virus incredibly difficult to spot, meaning security teams and antivirus software may not notice or find out what caused the problem.

Want to know more about the threats facing small businesses like yours? Check out our latest report on SMEs and the cost of living crisis.

Some fileless malware techniques

Living off the land binaries (aka LoLBins)

LoLBins primarily refer to pre-installed Windows binary tools used for default system operations. PowerShell, a Windows scripting language, is an example of this. However, hackers can take advantage of them to launch attacks and avoid detection. 

Memory code injection

A memory code injection inserts malicious code into a computer’s memory. 

Fileless malware examples

Operation Cobalt Kitty

OceanLotus Group, who also go by APT32, targeted an international company based in Asia. The long-term attack compromised more than 40 computers and multiple servers. 

They used the Windows PowerShell configuration management tool as an entry point for malicious code. It manipulated network management services so it would stay on systems rather than getting deleted on start-up.  The group managed to penetrate the organisation via spear-phishing emails to senior employees that encouraged them to click on malicious links or download weaponized documents.

Fritz Frog

Fritz Frog is a fileless and serverless peer-to-peer botnet and worm that uses brute force to access secure shell (SSH) servers.  

In January 2020, the cybercriminals behind it launched an attack that lasted for eight months, affecting 24,000 SSH servers from government, education, healthcare, and private enterprises.

Once the malware had successfully compromised a server, it would replicate and spawn threads to achieve different goals, e.g. one would use brute force to access more targets while another deployed the payload. It did this so it could run a cryptocurrency miner to process and steal cryptocurrency transactions from Monero.

Code Red 

Identified as the first-ever fileless attack, Code Red spread worldwide in 2001 and affected more than 300,000 servers.

The worm exploited a Windows vulnerability and affected users of Windows NT, Windows 2000, and Microsoft IIS web server software. It caused websites using the webserver to display incorrectly.

According to a Sophos threat researcher, Microsoft released a patch to protect against the vulnerability just a month before the attack, showcasing the importance of updating software as soon as patches are available. 

How to protect your business

Fileless malware is particularly tricky to detect because it’s written into memory or trusted, legitimate code. That means standard antivirus software doesn’t always detect a problem. And, in cases where the code is written to memory and wiped on restart, there’s no trace of the malicious code to work from. 

However, there are some steps you can take to look after your cyber hygiene and give your business the best defence against malware in general, including fileless malware. 

Patch your systems

Just like Code Red, unpatched vulnerabilities in operating systems, browsers, and software are a breeding ground for cyber threats. To counter this, install patches and security updates as soon as they’re available to give your business the best protection. 

Continuous logging and monitoring 

It’s important to stay on top of any security incidents so you have a full understanding of your IT infrastructure. It’s also important to monitor your systems for any unusual activity so you can respond to potential threats quickly and limit the damage. This can be difficult to do in-house unless you’re a very big business with lots of cybersecurity experience, but there are many options for third parties to monitor your security for 24/7 protection.


To avoid threats, your people need to understand them. And the same is true for fileless malware. So, make cybersecurity training regular, bitesize, and as fun as possible. It’s not about fearmongering, it’s about arming your teams with knowledge. 

Endpoint protection

An endpoint is a device that connects to and exchanges information with a computer network. Endpoint protection includes measures such as device encryption, perimeter security on cloud storage, network access control, anti-malware, and more. 

Get Cyber Essentials certified

Cyber Essentials is a government-backed scheme with a simple framework based on five technical controls. Many of these controls include actions that overlap with our other tips in this section, so you can tick more off your to-do list in one go. 

  1. Secure configuration
  2. Malware protection
  3. Network firewalls
  4. User access controls
  5. Security update management

It’s a great starting point for businesses looking to improve their cybersecurity credentials before moving on to more complex and costly certifications like ISO 27001. And, if you’re unsure which option is best for you, start by reading our free guide to certifications in the UK.

The fight against fileless malware

Hopefully, these tips help you to feel more confident about protecting your business against fileless malware. 

However, as with all threats, fileless malware is ever-evolving. One way to ensure you stay cyber confident is to keep updated with information on new threats. Our report on SMEs and the cost of living crisis tells you everything you need to know about how small businesses are tackling cybersecurity during an economic downturn. Read it here.

SME cost of living crisis

Cyber insurance vs. cyber warranties: What’s the difference?

Cyber insurance vs. cyber warranties

Cyber insurance is one of the fastest-growing industries on the planet. Even relatively conservative estimates predict the industry will be worth close to $85 billion by 2030. However, the cyber insurance industry has had its challenges, most notably rising premiums and a growing threat landscape, leading to other products popping up alongside it.

One such product is cyber warranties. But what is a cyber warranty? And how does it differ from cyber insurance? 

What is a cyber warranty? 

We’ll keep this brief, as you can read a more detailed explanation of what a cyber warranty is here. But, in simple terms, a cyber warranty is a guarantee from a vendor that they will cover customers’ costs in the event of a breach, provided a set of criteria is met.

Typically, cyber warranties come in two forms:

1) A vendor guarantees that their product or service will remain secure against cyber threats. If a breach occurs due to a vulnerability in the vendor’s product, they must cover costs related to investigation, notification and recovery.

For customers, this provides a guarantee that the provider takes security seriously and regularly reviews and patches their software. Meanwhile, for the vendor, it acts as a way to differentiate themselves from competitors and gain customers’ trust.

2) A vendor guarantees against a set of cybersecurity controls or practices. To illustrate, let’s say a vendor decided to do this using the Cyber Essentials controls. Provided the purchaser of the warranty can prove that all five controls were in place at the time of the breach, the vendor would be required to cover the costs associated with recovering from the attack. 

This approach has the advantage of encouraging customers to be proactive in adopting security best practices, as well as offering them protection from threats.

Considering cyber insurance but unsure where to start? Download our guide to cyber insurance for everything you need to know.

How does cyber insurance differ vs. cyber warranties?

After reading this far, you may well be wondering what the difference between warranties and insurance is. After all, both shield organisations from the costs associated with a successful cyber attack. So why does the cybersecurity sector have space for both?

Despite the similarities, once you delve a little deeper, it becomes clear that cyber insurance and cyber warranties have a few key differences:

  • Cyber insurance typically offers more comprehensive protection while warranties cover a limited set of risks
  • Insurance offers the option of both first and third-party coverage (the claims of someone other than the policyholder). Warranties are limited to first-party incidents only
  • Insurance is a financially regulated product whereas warranties fall under consumer protection laws

  • Insurance policies can, in some cases, be customised with optional covers whereas warranties tend to be more standardised

  • Obtaining insurance is often subject to a detailed application process in order for the underwriter to fully assess the risk, warranties often have a far simpler process which requires agreeing to the product or service terms and conditions 

Is the best approach to use both?

Given the differences between them, is the most comprehensive approach to risk management to take out both a cyber warranty and cyber insurance?

In short, yes. But let’s dig a little further into why. 

Cyber warranties have several perfect use cases, for example: 

  • You’ve just purchased a cybersecurity tool or software and the vendor offers a warranty alongside it
  • You want to cover a limited set of cyber risks that are either tied to a specific product or set of controls
  • You’re considering cyber insurance but want some protection in the meantime. In this case, the second type of warranty mentioned above is perfectly suited

However, cyber warranties’ use cases aren’t endless. And, this is where cyber insurance steps in. For comprehensive cover, customisation and a wider range of recovery services attached, cyber insurance is the best bet. 

But that’s not to say the two don’t work well in concert. Here are just a few examples of scenarios where it’s beneficial to use both: 

  • You want to cover against a specific set of cyber risks (for example those associated with a product) but still want general protection
  • You’re using warrantied software or products but need a higher coverage limit than the warranty allows for
  • You want to use a warranty to cover you against some basic risks and insurance for the more complex ones

These are just a few examples of how warranties and insurance can work well together, we could list plenty more. In fact, it’s plausible some combination of the two could become the norm for most businesses in the next few years.

Forward-thinking insurance providers are beginning to offer bundled cyber insurance and warranty solutions tailored to SMBs. With the number of threats to small businesses only growing, it’s increasingly likely this will become the standard in cyber risk transfer as the decade progresses.

Confused about cyber insurance? Check out our guide for everything you need to know.

Cyber insurance trends 2023

How to encourage continuous security improvement in your supply chain

continuous security improvement supply chain

Managing and monitoring cybersecurity across an entire supply chain is a challenging task. This is especially true if you’re an SME. However, knowledge and prevention strategies can greatly reduce the risk of a successful supply-chain attack. And, this can be extended to the suppliers and third parties in your supply chain.

Ultimately, the best way to improve your cybersecurity is to create a cohesive, collaborative environment that helps drive continuous security improvement internally and across your supply chain. We’ll explore how to do exactly that in this blog.

Why worry about supply chain attacks?

Supply chain attacks are nothing new but, now more than ever, businesses are accelerating their efforts to prevent them. The National Cyber Security Centre (NCSC) issued new guidance following the recent rise in supply chain attacks, revealing that only one in ten businesses review the risks posed by their immediate suppliers. Similarly, 44% of organisations say they will substantially increase their year-over-year spending on supply chain cybersecurity in the coming year. 

So there’s never been a better time to work with your suppliers to identify risks and ensure appropriate security measures are in place. To help you out, here are five simple steps.

5 steps to encourage continuous security improvement for supply chains

1. Understand the basics of cybersecurity

Begin by looking at your organisation. In today’s digital world, the bare minimum of cybersecurity isn’t enough. SMEs are often limited by knowledge and budget, but luckily, there are many accessible solutions to help improve your cybersecurity credentials. Government-backed schemes like Cyber Essentials require you to meet specific cybersecurity standards. By achieving accreditation, you’ll ensure you’re covering the basics. And, with this knowledge, you’re better prepared to assess your supply chain. 

Want to know more about the risks posed by supply chains? Read our guide. 

2. Conduct a risk assessment 

Your supply chain might be extensive with many moving parts and people. Equally, it could be very small. No matter the size, take the time to conduct a thorough cybersecurity risk assessment of your supply chain. This might be asking suppliers whether they have cybersecurity accreditations, such as a Cyber Essentials certification, that help them stay secure and compliant. 

Look for specific risk factors in your supply chain. For example, payment processing software might be more susceptible to skimming attacks. Does your provider have cybersecurity measures to mitigate against this?  It’s happened to even established and seemingly secure businesses, so it could happen to your providers. 

3. Define contractual agreements

If you want to ensure everyone you work with takes cybersecurity seriously, the simplest step is to write cybersecurity requirements into your contracts with third parties and suppliers. This will allow you to define your expectations for
cybersecurity and procedures for communicating and reporting incidents – making everybody safer in the process. 

4. Encourage cybersecurity training

Certifications and contractual agreements can’t totally override human error. You already know your employees should receive cybersecurity training, but do your supply chain contacts also offer it to their employees? Consider making your partners aware of platforms to enhance employees’ cybersecurity training. While this is ultimately your suppliers’ responsibility, open communication about what’s available is beneficial and shows you prioritise cybersecurity.

5. Collaborate and share intelligence

Staying up to date with the latest cybersecurity news is a great method of staying aware of potential risks. Not all SMEs will have dedicated cybersecurity professionals to hand, so following news sources or trusted cybersecurity blogs can help you keep your knowledge up to date. 

It’s wise to share your findings with partners in your supply chain. This might be through a monthly email chain, communication channel like Microsoft Teams, or within your regular meetings. Open communication is key to improving collaboration with your supply chain and demonstrates a desire for a unified effort towards increased cybersecurity. 


The importance of supply chain cybersecurity can’t be understated in today’s landscape. Ian McCormack, Deputy Director for Government Cyber Resilience at the National Cyber Security Centre emphasises this in a recent statement;

“Supply chain attacks are a major cyber threat facing organisations and incidents can have a profound, long-lasting impact on businesses and customers. With incidents on the rise, it is vital organisations work with their suppliers to identify supply chain risks and ensure appropriate security measures are in place.”

Luckily, the road to improved and continuous supply chain security isn’t complex. By taking simple measures, such as a cybersecurity certification and collaborating closely with suppliers, your business will become more secure.

Supply chain CTA 2

What SMEs must know about supply-chain attacks

supply chain attack sme

If a thief wants to enter a house, it’s unlikely they’ll choose to ring the doorbell. They’re going to climb through a half-opened window around the back. And if they’re careful enough, the homeowner is none the wiser.

The same principle applies in the cybersecurity landscape. Supply chain attacks have existed for some time, and are an infamous method of finding cybersecurity vulnerabilities to target seemingly secure businesses. Gartner predicts that by 2025, 45% of organisations globally will experience an attack on their software supply chain. Here’s how they work and what you need to know about them.

What is a supply chain attack?

A supply chain attack is when a cyber criminal exploits a vulnerability in a supply chain. Many businesses today are cybersecurity-savvy. The best prepared will have well-intentioned cybersecurity policies and regulations in place to manage their cybersecurity and keep problems at bay. 

But most businesses don’t operate within silos. Your organisation probably relies on other businesses as part of your supply chain, or you form a part of another supply chain. This creates complexity when managing security credentials. Can you be assured that every business within your supply chain, from a payment processing provider to a manufacturer, is completely secure? 

Most organisations will manage compliance across their people, software, and processes, but this is difficult to extend to other points in the supply chain. This is the exact vulnerability criminals can exploit. 

Want to know more about the risks posed by supply chains? Check out our guide.

Examples of supply chain attacks

1. SolarWinds

No supply chain attack discussion can ignore the SolarWinds supply chain attack. SolarWinds is a major software company that specialises in network and infrastructure monitoring tools. In 2019, threat actors gained unauthorised access to SolarWind’s networks, and in the following months injected malicious code into their software, Orion. Later in 2020, SolarWinds unknowingly sent out hacked code via software updates – installing malicious code onto customer devices that could be used to spy. This infected many significant organisations, from small businesses to government bodies. 

2. Target 

Known as one of the earlier supply chain attacks, Target, a U.S. superstore retailer, was impacted in 2013. Cybercriminals exploited vulnerabilities in the retailer’s point of sale (POS) systems to retrieve 40 million customer credit and debit card information. The cost of this data breach has since cost the business nearly $300 million

3. British Airways

In 2018, British Airways was unknowingly impacted by a code that harvested customer payment data using their website payment page. The code routed credit card information to an external domain. This is known as skimming, when payment data is unknowingly collected during the online purchase checkout process. Magecart is suspected to be responsible for this skimming attack, and approximately 380,000 customers had their personal and financial data stolen. 

SMEs and supply chain attacks

Cybercriminals target large organisations due to the sheer volume of data they can exploit. But small and medium businesses are equally susceptible targets.

More than half (54%) of all U.K.-based SMEs experienced some form of cyber attack in 2022. Cybercriminals know that SMEs are more vulnerable as they might not have rigorous security credentials. Additionally, SMEs are often part of a larger supply chain, making them a great target. 

How to protect your SME from supply chain attacks

Manage your cybersecurity first

Consider your cybersecurity status first. A basic cybersecurity certification, such as Cyber Essentials, will cover everything your business should do to protect itself from cyberattacks. Being certified can reduce cyber risk by up to 98.5%, and can help you with important steps like staff training and long-term cybersecurity support. 

Check your suppliers

Request that your suppliers show evidence of cybersecurity management. A certification can be all they need to remain secure. More high-risk suppliers should have equally risk-resilient cybersecurity measures in place. If they don’t, this should raise your alarm bells.

You should collaborate with every business in your supply chain, and the supply chains you are within, to emphasise the importance of cybersecurity credentials. You can even make cybersecurity part of your contractual agreements, so there’s less chance of a vulnerability in your supply chain.

Implement an early warning system

A supply chain early warning system (EWS) can identify security threats in a supply chain using data. It analyses data and notifies the system administrator to suggest methods of mitigating the threat. An EWS reduces your reliance on human knowledge alone, and instead can autonomously detect threats. As types of attacks become increasingly more complex, this is a great method of covering all bases if it’s an attack you might not have encountered before. 

A supply chain attack could happen to you

But it doesn’t have to be that way. By ensuring your organisation is as secure as possible, and obligating your suppliers to do the same, you’re more likely to deter and mitigate the risk of a supply chain attack against your SME. This way, your business’s figurative back windows are firmly locked, so no burglars can get in – through the front door or the back.

Supply chain CTA 2

5 steps to better supply chain security

Supply chain

It’s not an exaggeration to say that supply chains pose one of the greatest cybersecurity risks to any business. In recent years, there’s been a huge increase in attacks stemming from supply-chain vulnerabilities. According to IBM’s 2023 X-Force Threat Intelligence Index, more than half of security breaches are attributed to supply chain and third-party suppliers, at a high average cost of over $4 million. 

It’s a serious problem. And, like most small businesses, you’re probably asking what you can do about it. After all, looking after your own cybersecurity is tricky enough; how on earth do you start addressing gaps in your suppliers’ defences? 

To help you get started, we’ve put together 5 supply chain security best practices to strengthen your digital defences.

Supply chain

1. Protect your own business first 

This almost goes without saying, but before you delve into your supply chain, it’s worth considering your own cybersecurity status first. Is your business Cyber Essentials certified? Do you have security controls in place? Do you provide regular training for staff on cyber threats and best practices?

If you’ve answered no to any of the above, then these are great first steps in securing your business. And there’s a bonus to taking these measures first. By reviewing your own security, you’ll get a good idea of your business’s crown jewels – those critical aspects of your organisation that need the strongest protection.

2. Talk to your suppliers 

Progress begins with dialogue. So talk to your suppliers and partners about their cybersecurity. You may find that your business faces many of the same difficulties and threats. 

This can help you work together to ensure everyone in your supply chain works to the same security standards. And keeping dialogue open makes it much more likely that suppliers and partners will let you know faster if something goes wrong – protecting your business in the long run.

3. Make cybersecurity part of your contractual agreements 

Behavioural change often requires incentives. Once you’ve established what good cybersecurity looks like for your business, apply those principles to your partner and supplier contracts. 

How these agreements look will depend on your organisation. Requiring your partners to have a complete Cyber Essentials certification will be enough for some businesses. Others may need something more comprehensive, like ISO 27001 certification

The important thing is that you make good cyber hygiene an expectation (rather than a nice to have) for anyone working with your business. By doing so, you not only incentivise good cybersecurity behaviours across your supply chain but also protect your business. 

4. Keep improving

Building a strong cybersecurity culture across your network takes time. It requires trust between businesses, and you can’t build that overnight. So persevere if your supply chain doesn’t immediately transform from leaky to locked down.

 Cybersecurity is all about learning. As cyber threats evolve, so too do the methods for thwarting them. Stay updated with new threats and tweak and adapt your practices accordingly. You can then use this knowledge to update partners and suppliers and strengthen your supply chain.

5. Follow the NCSC’s new guidance 

Finally, if you’re looking for a framework to tie everything together, you could do a lot worse than the National Cyber Security Centre’s (NCSC) supply chain cybersecurity guidance.

The NCSC’s guidance breaks tackling supply chain security down into five basic steps ( in case you were wondering where we got the idea from):

  1. Understand why your organisation should care about supply chain cybersecurity
  2. Develop an approach to assess supply chain cybersecurity
  3. Apply the approach to new supplier relationships
  4. Integrate the approach into existing supplier contracts
  5. Continuously improve

It’s a great place to start if you’re serious about tackling cybersecurity across your supply chain.

It’s a journey, not a destination

And remember, securing your supply chain is an ongoing process, but starting now is one of the biggest single investments you can make in protecting your business. Want to know more? Check out our new guide to protecting your business.

Supply chain CTA 2

What is a supply chain early warning system and how does it improve your cybersecurity?

supply chain early warning

89% of businesses have experienced a supply chain risk event in the past five years. Discover how a supply chain early warning system can help you reduce risk and stay one step ahead.

What is a supply chain early warning system?

A supply chain early warning system (EWS) identifies potential security threats in your supply chain, based on a combination of internal and external data. After analysing the data, the system notifies decision-makers and suggests measures to mitigate the threat or minimise the impact. Together with your cybersecurity tools, processes, and policies, it helps to protect your business against third-party threats.

In the past, supply chain early warning systems focussed on far-reaching external factors that could disrupt business operations. For example, natural disasters, critical component shortages, or industrial action. But, due to the growing threat of supply chain attacks, today’s systems play a crucial role in protecting businesses against cybercriminals.

Supply chain attacks increased by 633% in 2022.

– Sonatype, Stats of the Software Supply Chain

5 supply chain cybersecurity risks an early warning system detects

Supply chain attacks surpassed traditional malware-based exploits by more than 40% in 2022, according to the Identity Theft Resource Center’s annual Data Breach Report. In the past twelve months, supply chain attacks impacted over 10 million people representing 1,734 entities.

What makes them so difficult to detect, let alone stop, is the diverse array of delivery methods. Of the numerous supply chain risks to be aware of, these are among the most common.

Worried about the threat posed by supply chain attacks? Read our guide to protecting your business.

1. Watering hole attacks

The hacker inserts malicious software into a website that receives a lot of traffic from the target business or businesses. When someone visits the compromised site, the malware infiltrates the visitor’s defences to gain access to their systems or data. Watering hole attacks are difficult to detect and boast a higher-than-average success rate.

2. Compromised software development tools

The hacker compromises a supplier’s software development tools, infrastructure, or processes. This leaves any resulting applications built from them vulnerable to zero-day security exploits, putting end-users at risk.

3. Compromised website builders

The hacker compromises a supplier’s website via its website builder. Typically, the hacker installs malicious software or a redirect script into the target site, which sends users to a malicious clone of the website when they visit the URL.

4. Stolen product certificates

The hacker steals an official product certificate, which enables them to distribute malicious software and applications under the guise of legitimate products. 

5. Third-party data store breaches

The hacker infiltrates a third-party data centre, for example, via a botnet. Once inside, they can steal sensitive business or customer information which they can then:

  • Sell for profit on the dark web
  • Ransom back to the victim
  • Release to the public
  • Delete or corrupt

How do early warning systems protect you against supply chain threats?

Detect and respond to network vulnerabilities

Most businesses only realise a hacker has compromised their network when they spot suspicious activity. For example, when a network client scans the internet. But at this point, the damage may already be done. An early warning system proactively monitors your network for vulnerabilities and malware, giving you time to repair any breaches before hackers can exploit them.  

Identify and assess cyber risks

An effective supply chain early warning system raises your awareness of external cybersecurity threats that may impact your business. When your system identifies a potentially harmful event or attacker, it notifies relevant stakeholders. This helps you:

  • Quickly spot and assess risks
  • Proactively monitor emerging threats or incidents
  • Prepare your defences to minimise or mitigate the impact on your business

Raise stakeholder awareness

By keeping stakeholders informed of current and emerging threats, early warning systems help to raise awareness of your supply chain risks. Over time, you’ll understand what to look out for and where to invest your cybersecurity budget to protect against online threats. 

Forewarned is forearmed

A supply chain early warning system adds another layer of defence to your cybersecurity. It gives you a clear view of your risk landscape, so you can detect and respond to online threats more effectively.

However, you don’t necessarily need a specialist tool to dramatically improve your supply chain security. Cyber Essentials certification can help you get the basics in place. Meanwhile, a generalist security tool like CyberSmart Active Protect can give you early warning of vulnerabilities within your own organisation, mitigating many of the risks your business faces. Likewise, following the NCSC’s guidance on mapping your supply chain can also help better protect your organisation.

You can’t always control the security of your suppliers or partners, but by getting the fundamentals down, you can minimise your risk.

Supply chain CTA 3