
January 11, 2023

Malware vs. ransomware vs. APTs: what's the difference?

By Ben Filipkowski

With contributions from Katie Yahnke and Eric McDonald.

Between malware, ransomware, and advanced persistent threats (APTs), the cyber threat landscape can be intimidating. All three pose a significant risk for businesses everywhere. Defending against these threats is vital, but to do so effectively, you need to know what you’re dealing with.

Ransomware alone is incredibly common—a report from Verizon shows that ransomware was installed in nearly 70% of breaches in 2022. Yet confusion remains on who these attacks target, the full extent of ransomware’s impacts, and how it relates to malware and APTs. With all these threats making waves with greater frequency, understanding the ins and outs of each one is critical when it comes to effectively defending against them.

In this blog, you’ll learn about the key differences between malware, ransomware, and APTs, how they target businesses, and steps you can take to stay aware and ahead of these cyber threats.

What is malware and how it works

The term malware is short for malicious software, and like the name suggests, refers to any software designed to damage, disrupt, or provide unauthorized access to IT networks. Malware encompasses a wide variety of software types—including ransomware—and the exact one an attacker uses will depend on their goals.

In fact, much of the software used in an APT is malware, too. Because ransomware and APTs are urgent threats in their own right, they’re often defined independent of malware; you can read more about them further along in this post.

Other common types of malware include:

Trojan horses

Trojan horse malware disguises itself as legitimate software, relying on this disguise and other common social engineering tactics to get users to deploy it. Trojan horses are a common first attack layer for threat actors, as they can help them take further action to advance through a network or establish a connection to a server for future attacks. These malware strains are often used as delivery methods for other hostile programs, such as spyware or ransomware.


Rootkits

Rootkits are designed to give attackers unauthorized access to and control over victim computer systems while masking the activity that this access creates. As the name suggests, rootkits are often a collection or kit of software tools that work together to compromise a system, in some cases employing keyloggers to covertly record passwords or other information.

Viruses and worms

Computer viruses and worms are widely known malware delivery methods, infecting other systems connected via a network. These malware types typically perform harmful actions, such as destroying files. Worms pose additional challenges, as they are often designed to self-replicate throughout connected systems, making them particularly difficult to isolate and delete. Each moment a virus or worm is left unaddressed increases the amount of damage it can do.


Adware

Adware is designed to flood user interfaces with obtrusive advertisements, generating revenue for an attacker based either on the number of ads displayed or the number of clicks received. Some adware will create browser windows that run macros to click on ads whenever an infected machine is in use, while others will deploy tools to mine cryptocurrency. Regardless of the exact type, adware puts serious strains on infected systems. In addition, these ads may be malicious themselves, leading to further cyber attacks. Note that adware is distinct from legitimate advertising-supported software that relies on specific ad placements to generate additional revenue for the developers.


Spyware

Spyware is a form of malware that quietly observes and gathers information about victims. These malware strains are often installed via a Trojan horse or passively downloaded onto a victim’s machine after they click a malicious link or visit a malicious site. Once deployed, spyware uses the information it collects to help attackers commit fraud, intercept communications, steal confidential financial data, or blackmail users and organizations.

How malware impacts businesses

The impact of malware on businesses, their employees, and customers can be severe. Broadly speaking, malware is usually used to steal data, though some varieties attempt to give attackers user- or admin-level access to a system. Other malware, meanwhile, works to frustrate and disrupt normal activities.

The damage caused by a malware infection takes time to remediate. Repairing or replacing affected IT systems is costly, quickly adding to the overall impact of an infection. Add to this the issues of lost profit and productivity, and it’s clear that malware is a threat businesses cannot ignore. Malware may compromise sensitive and confidential data, exposing impacted organizations to a wide range of risks and consequences.

Compromised data—particularly personally identifiable information (PII) and financial records—gives attackers tremendously valuable information that can be used to stage further attacks, allowing them to victimize more targets. This information could be used to develop highly targeted social engineering campaigns or to instigate business email compromise, identity theft, financial redirection, and fraud.

Each of these attacks introduces tremendous risk of a further supply chain attack. The wealth of information available to a successful attacker gives them what they need to cause severe harm by targeting suppliers and customers alike. In turn, this exposes the original target to significant legal risks, like class-action lawsuits. Rebuilding a reputation damaged by a malware incident—let alone any sort of cyber incident—is an uphill struggle for any business.

Yet these more “traditional” forms of malware have been eclipsed by a new variant almost entirely focused on financial extortion: ransomware.

What is ransomware and how it works

Ransomware takes what’s challenging about general malware—damaged IT systems, stolen data, and downtime—and refocuses it in service of a single, devastating goal: financial extortion. Ransomware is a form of malware, and like the name suggests, it is designed to lock up data on a victim’s computer, offering to restore user access in exchange for a substantial payment. Ransomware attacks often feature some time-sensitive element to add further pressure to the extortion attempt, such as a threat to publicly expose information or delete intellectual property.

Ransomware’s focus is largely financial, and because ransomware toolkits can be found and used by anyone, regardless of technical ability, the barrier to entry is low for cyber attackers—a major factor contributing to ransomware’s status as one of the most common cyber threats out there today. There are even digital marketplaces that offer Ransomware-as-a-Service (RaaS). Put simply, anyone with an internet connection looking to make a dollar can stage a ransomware attack with incredible ease.

A typical ransomware attack may look something like this:

  • A cyber attacker acquires a ransomware toolkit, which may include automation that allows them to target hundreds of potential victims at once.
  • The attacker creates a phishing message, usually an email, containing a malicious link or file that deploys a strain of ransomware when clicked.
  • As the ransomware strain infects the system, locking or restricting access to critical files, the user receives a message telling them that they no longer have access to their computer or network unless they pay the ransom.

For attackers using RaaS, though, it’s much simpler: they just select the attack they want, click “buy now,” and pay the provider.

Unfortunately, paying a ransom is no guarantee that you’ll regain control of your systems. Attackers might just take the money and run, making recovery even harder. Your business is left managing a serious data breach and the resulting fallout.

What’s more, it’s become increasingly common for ransomware threat actors to leave ticking time bombs behind in victim systems, creating backdoors that give them a way to re-target and re-encrypt even years after the fact. The effects of an attack can be devastating, which is why it’s so important to take preventative measures.

What are advanced persistent threats (APTs)?

An advanced persistent threat (APT) itself isn’t a specific type of software, but instead is defined as a highly sophisticated threat actor with the resources and knowledge needed to stage a long-term attack campaign and remain undetected for extended periods of time. APTs may use a wide variety of techniques to attack their targets, including malware and ransomware strains.

Because of this, APT protection is frequently discussed alongside anti-malware and anti-ransomware strategies. Yet while APTs are just as serious as malware and ransomware, they’re not quite in the same category.

These attackers get their name because they fit three criteria:

  • They have advanced intelligence-gathering capabilities and techniques and can develop their own tools and methods to further their attacks.
  • They pursue specific objectives and take time to carefully target victims, in contrast to the opportunistic approach taken by most other attackers.
  • They are highly skilled, well-funded, and extremely coordinated.

The funding and resources required for these advanced attacks mean that most APTs are state-sponsored or are nation-state threat actors themselves, supported directly or indirectly by world governments. This also means that APTs typically have political or economic goals—but that doesn’t mean that they exclusively target the public sector.

The most common APT targets

Far from a singular focus on the public sector, APTs will attack any business that helps them advance their goals.

The most common targets for advanced persistent threats include:

  • Financial institutions
  • Energy providers and infrastructure
  • Health care services and providers
  • Telecommunications providers and infrastructure
  • Agriculture
  • Manufacturing
  • Higher education

Defending against APTs takes deep security expertise and knowledge, correlating activity in one part of a network to activity on an endpoint or in a cloud service.
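
To make that correlation concrete, here is a small added example (not part of the original post and not Covalence code) that flags a user only when signals from at least two telemetry sources land close together in time. The event fields, signal labels, and sample data are constructed for illustration, and the sketch assumes events have already been normalized to a shared user identifier.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry); field names are assumptions.
EVENTS = [
    {"ts": "2023-01-10T09:02:00", "source": "endpoint", "user": "alice",
     "signal": "office_app_spawned_shell"},
    {"ts": "2023-01-10T09:05:30", "source": "network", "user": "alice",
     "signal": "beacon_like_dns"},
    {"ts": "2023-01-10T09:20:00", "source": "cloud", "user": "alice",
     "signal": "mailbox_forwarding_rule_created"},
    {"ts": "2023-01-10T11:00:00", "source": "network", "user": "bob",
     "signal": "beacon_like_dns"},
    {"ts": "2023-01-10T18:45:00", "source": "cloud", "user": "bob",
     "signal": "login_from_new_country"},
    {"ts": "2023-01-10T14:00:00", "source": "endpoint", "user": "carol",
     "signal": "new_scheduled_task"},
]


def correlate(events, window=timedelta(minutes=30), min_sources=2):
    """Return {user: [events]} for users whose signals from at least
    min_sources distinct telemetry sources fall inside one time window."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append({**e, "ts": datetime.fromisoformat(e["ts"])})

    findings = {}
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        best, start = [], 0
        for end in range(len(evs)):
            # Slide the window start forward until the span fits the window.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            cluster = evs[start:end + 1]
            sources = {e["source"] for e in cluster}
            if len(sources) >= min_sources and len(cluster) > len(best):
                best = cluster
        if best:
            findings[user] = best
    return findings


if __name__ == "__main__":
    for user, cluster in correlate(EVENTS).items():
        print(user, [(e["source"], e["signal"]) for e in cluster])
```

Each of these signals is weak on its own; the combination across sources for one user within a short window is what makes the finding worth an analyst's attention.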

Protect yourself from malware, ransomware, and APTs

As previously mentioned, protecting yourself from these threats is a monumental task for most businesses. No matter the size of your business, a single attack from any of these threats, no matter how minor, can have devastating consequences.

Every business should have some form of cyber security in place, but that’s a big challenge—which is part of the reason why we created Covalence.

Covalence is Field Effect’s hybrid cyber security solution. Whether you’re a business owner or an MSP, Covalence gives you access to a complete managed detection and response (MDR) solution that works to spot and stop malware, ransomware, and APT attacks before they can have an impact.

Interested in learning more? Reach out to one of our experts today to learn how Covalence can help you.