Elementary Threat · BSI IT-Grundschutz

G 0.39 — Malware

Reading time: 4 min · Reviewed by: Cenedril Editorial

A mid-sized manufacturing company receives an email on Monday morning that looks like a supplier invoice. An employee in accounting opens the attachment. Within four hours, ransomware has encrypted all file servers and the production control system. Production halts for three weeks; the total damage exceeds two million euros.

Malware ranks among the most common and most destructive threats to information security. The BSI lists it as elementary threat G 0.39, and in its annual situation reports the BSI counts over 250,000 new malware variants every day.

What’s behind it?

Malware is software developed with the aim of performing unwanted and harmful actions on a target system. The spectrum ranges from data theft through extortion to the complete destruction of IT infrastructure.

Modern malware is built modularly. A single piece of malware can harvest passwords, disable security software, encrypt files, remotely control systems and spread autonomously across the network. Development has professionalised: ransomware-as-a-service enables even technically unsophisticated attackers to carry out complex attacks.

Distribution paths

  • Email attachments and links — the most common entry point. Office documents with macros, password-protected ZIP archives and links to fake login pages.
  • Compromised websites — drive-by downloads exploit vulnerabilities in the browser or plugins without the user actively downloading anything.
  • Removable media — USB sticks “found” in the company car park (a real attack vector, known as USB dropping).
  • Supply chain attacks — malware is injected through compromised software updates or libraries. The SolarWinds attack in 2020 demonstrated that even signed updates can be manipulated.
  • Lateral movement in the network — once inside, malware (or the attacker operating it) exploits unpatched vulnerabilities or stolen credentials to spread to other systems; worms do this autonomously, while ransomware operators often do it by hand before encrypting.

Impact

The immediate damage includes loss or corruption of data. Ransomware renders entire datasets unusable. Info-stealers forward credentials, trade secrets or personal data to attackers. On top of this come business interruptions, recovery costs, regulatory consequences and reputational damage.

Practical examples

Ransomware via VPN vulnerability. A hospital runs a VPN gateway for which a critical patch has been pending for months. Attackers systematically scan for exactly this vulnerability, break in and encrypt the clinical systems. The emergency department has to close temporarily, patients are transferred. The available patch would have prevented the entire incident.

Info-stealer via chat message. An attacker poses as an external IT service provider in the company chat and asks an employee to install a remote support tool. The tool is an info-stealer that grabs browser passwords, session cookies and VPN configurations. Within minutes, the attacker has access to the internal network.

USB dropping in the company car park. In the employee car park, prepared USB sticks with the company logo are scattered. Three employees plug the stick into their workstation. The malware it contains establishes a remote control connection (C2) to the attacker. Only after weeks does unusual outgoing network traffic attract attention.
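The traffic pattern in the USB-dropping scenario above is what a simple beacon check catches: a workstation contacting one external address at near-constant intervals, with the rest of its traffic looking irregular, as normal browsing does. The following Python is an added example for this article, not code from the original page or from the BSI; the five-column log format, the hypothetical hosts ws-017 and ws-042, the addresses and the thresholds MIN_CONNECTIONS and MAX_CV are constructed assumptions.

```python
"""Beacon detection over constructed outbound-connection records.

Added example for this article (not code from the original page or from the BSI).
The log lines are constructed to mimic a firewall/proxy export and are not from a
real incident; the thresholds are assumptions a SOC would tune to its own traffic.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

MIN_CONNECTIONS = 6     # assumed: fewer samples give no meaningful periodicity estimate
MAX_CV = 0.2            # assumed: coefficient of variation below this counts as "regular"

# Constructed sample: timestamp, source host, destination IP, destination port, bytes sent.
# ws-017 contacts 203.0.113.45 every ~5 minutes with near-identical payload sizes, while
# its other connections (and all of ws-042's) are irregular.
SAMPLE_LOG = """\
2024-03-04T08:00:02Z ws-017 203.0.113.45 443 612
2024-03-04T08:00:09Z ws-017 198.51.100.10 443 14200
2024-03-04T08:05:03Z ws-017 203.0.113.45 443 598
2024-03-04T08:10:01Z ws-017 203.0.113.45 443 605
2024-03-04T08:12:44Z ws-017 198.51.100.22 443 80211
2024-03-04T08:15:02Z ws-017 203.0.113.45 443 611
2024-03-04T08:20:04Z ws-017 203.0.113.45 443 602
2024-03-04T08:25:01Z ws-017 203.0.113.45 443 599
2024-03-04T08:30:03Z ws-017 203.0.113.45 443 607
2024-03-04T08:01:10Z ws-042 198.51.100.10 443 9100
2024-03-04T08:17:55Z ws-042 198.51.100.10 443 23000
2024-03-04T08:44:12Z ws-042 198.51.100.10 443 1100
2024-03-04T09:02:30Z ws-042 203.0.113.8 443 5100
"""


def parse_log(text):
    """Group connection timestamps by (source host, destination IP); skips malformed lines."""
    flows = defaultdict(list)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        flows[(parts[1], parts[2])].append(ts)
    return flows


def detect_beacons(text, min_connections=MIN_CONNECTIONS, max_cv=MAX_CV):
    """Return flows whose inter-connection intervals are suspiciously regular."""
    findings = []
    for (src, dst), stamps in parse_log(text).items():
        if len(stamps) < min_connections:
            continue          # too few samples to judge periodicity
        stamps.sort()         # the export need not be in time order
        intervals = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(intervals)
        if avg <= 0:
            continue          # duplicate timestamps; nothing to measure
        cv = pstdev(intervals) / avg   # relative spread of the intervals
        if cv <= max_cv:
            findings.append({"src": src, "dst": dst, "connections": len(stamps),
                             "mean_interval_s": round(avg, 1), "cv": round(cv, 3)})
    return findings


if __name__ == "__main__":
    for f in detect_beacons(SAMPLE_LOG):
        print(f"possible beacon: {f['src']} -> {f['dst']} every ~{f['mean_interval_s']}s "
              f"({f['connections']} connections, cv={f['cv']})")
```

Run over a firewall or proxy export with the same five columns. The coefficient of variation (standard deviation divided by the mean interval) is what separates a timer-driven implant from a person clicking links; flows with fewer than MIN_CONNECTIONS samples are deliberately left unjudged. Real implants add jitter to their sleep timer, so MAX_CV is a tuning knob to be set against a baseline of the organisation's own traffic, not a constant.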

Relevant controls

The following ISO 27001 controls mitigate this threat. (You’ll find the complete list of 23 mapped controls below in the section “ISO 27001 Controls Covering This Threat”.)

Prevention:

Detection:

Response:

BSI IT-Grundschutz

The BSI IT-Grundschutz catalogue links G 0.39 with the following modules:

  • OPS.1.1.4 (Protection against malware) — the central module: requirements for an anti-malware concept, scanner configuration, updates and organisational measures.
  • SYS.2.1 (General client) — hardening and securing of workstation computers.
  • NET.1.1 (Network architecture and design) — segmentation limits the lateral spread of malware.
  • DER.2.1 (Handling security incidents) — processes for detection, containment and recovery.


ISO 27001 Controls Covering This Threat

  • A.5.14 Information transfer
  • A.5.15 Access control
  • A.5.24 Information security incident management planning and preparation
  • A.5.25 Assessment and decision on information security events
  • A.5.29 Information security during disruption
  • A.5.34 Privacy and protection of PII
  • A.7.7 Clear desk and clear screen
  • A.7.9 Security of assets off-premises
  • A.7.10 Storage media
  • A.7.13 Equipment maintenance
  • A.8.1 User endpoint devices
  • A.8.7 Protection against malware
  • A.8.12 Data leakage prevention
  • A.8.13 Information backup
  • A.8.14 Redundancy of information processing facilities
  • A.8.15 Logging
  • A.8.16 Monitoring activities
  • A.8.19 Installation of software on operational systems
  • A.8.20 Networks security
  • A.8.21 Security of network services
  • A.8.23 Web filtering
  • A.8.31 Separation of development, test and production environments
  • A.8.32 Change management

Frequently asked questions

What is the difference between a virus, a worm and a Trojan?

A virus attaches itself to an existing file and needs a host to spread. A worm propagates autonomously across networks. A Trojan disguises itself as useful software while performing malicious actions in the background. In practice, modern malware is often a hybrid that combines several techniques.

Is antivirus software alone enough to protect against malware?

Signature-based scanners reliably detect known malware but struggle with new or modified variants for which no signature exists yet. Effective protection combines endpoint protection (ideally with behaviour-based detection rather than signatures alone) with network segmentation, regular updates, a least-privilege permissions model, tested backups and awareness training.

How do I recognise a ransomware infection?

Typical signs: files suddenly renamed with unknown extensions and no longer opening, ransom notes (text or HTML files) appearing in many folders, a ransom demand on the screen, unusually high CPU and disk activity on file servers, and deleted volume shadow copies or failing backup jobs. A prepared incident response plan is essential so the response does not have to be improvised in the heat of the moment.
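The signs listed above can be turned into a file-server detection that fires while the encryption is still running. The following Python is an added example for this article, not code from the original page or from the BSI; the audit events, the accounts alice and bob, the share paths, the 60-second window, the threshold of 20 renames, the list of known extensions and the ransom-note name pattern are all constructed assumptions.

```python
"""Flag ransomware-style file activity in constructed file-server audit events.

Added example for this article (not code from the original page or from the BSI).
The events are constructed, not from a real incident; the window, the rename
threshold, the "known extension" list and the ransom-note name pattern are
assumptions that a SOC would tune to its own file servers.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)   # assumed sliding window per account
RENAME_THRESHOLD = 20            # assumed: renames to unknown extensions within WINDOW
KNOWN_EXTENSIONS = {"docx", "xlsx", "pptx", "pdf", "txt", "csv", "jpg", "png", "zip"}
# Assumed heuristic: ransom notes are text/HTML files whose names talk about restoring data.
NOTE_PATTERN = re.compile(r"(restore|recover|decrypt|readme).*\.(txt|html?)$", re.IGNORECASE)


def file_name(path):
    return path.rsplit("\\", 1)[-1]


def extension(path):
    name = file_name(path)
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def constructed_events():
    """Constructed audit events: (timestamp, account, action, path, new_path)."""
    base = datetime(2024, 3, 4, 9, 14, 0)
    events = [
        # benign: ordinary renames and a new text file during normal work
        (base, "alice", "RENAME", r"\\fs01\projects\draft_v1.docx", r"\\fs01\projects\draft_v2.docx"),
        (base + timedelta(seconds=40), "alice", "CREATE", r"\\fs01\projects\meeting_notes.txt", None),
        (base + timedelta(seconds=50), "alice", "RENAME", r"\\fs01\projects\old.csv", r"\\fs01\projects\old.csv.bak"),
    ]
    # suspicious: bob's account renames 25 spreadsheets to a new extension within 25 seconds,
    # then drops a "restore your files" note into the same share
    for i in range(25):
        events.append((base + timedelta(seconds=5 + i), "bob", "RENAME",
                       rf"\\fs01\finance\invoice_{i:03}.xlsx",
                       rf"\\fs01\finance\invoice_{i:03}.xlsx.locked"))
    events.append((base + timedelta(seconds=31), "bob", "CREATE",
                   r"\\fs01\finance\RESTORE_FILES.txt", None))
    return events


def detect_ransomware_activity(events):
    """Return alerts for mass renames to unknown extensions and ransom-note creation.

    Events may arrive in any order; they are processed chronologically. Each alert
    type fires once per account so a noisy infection does not flood the queue.
    """
    alerts, flagged = [], set()
    recent = defaultdict(deque)  # account -> timestamps of suspicious renames inside WINDOW
    for ts, account, action, path, new_path in sorted(events, key=lambda e: e[0]):
        if action == "RENAME" and new_path:
            ext = extension(new_path)
            if not ext or ext in KNOWN_EXTENSIONS:
                continue                       # renaming to a familiar type is normal work
            q = recent[account]
            q.append(ts)
            while ts - q[0] > WINDOW:          # drop renames older than the window
                q.popleft()
            if len(q) >= RENAME_THRESHOLD and (account, "mass_rename") not in flagged:
                flagged.add((account, "mass_rename"))
                alerts.append({"type": "mass_rename", "account": account, "at": ts,
                               "count": len(q), "extension": ext})
        elif action == "CREATE" and NOTE_PATTERN.search(file_name(path)):
            if (account, "ransom_note") not in flagged:
                flagged.add((account, "ransom_note"))
                alerts.append({"type": "ransom_note", "account": account, "at": ts,
                               "path": path,
                               # a note alone is weak evidence; tie it to a rename burst
                               "correlated": (account, "mass_rename") in flagged})
    return alerts


if __name__ == "__main__":
    for alert in detect_ransomware_activity(constructed_events()):
        print(alert)
```

Fed with real events (for example from file-server object-access auditing), the rename burst is the early signal: in the constructed data it fires 24 seconds into the activity, before the note is even written, which is the moment to isolate the account and the host. The note heuristic on its own would also fire on an innocent README.txt, which is why the alert records whether it correlates with a rename burst from the same account.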