February 10, 2023 By Jennifer Gregory 3 min read

You’re likely familiar with the names of common malware strains such as MOUSEISLAND, Agent Tesla and TrickBot. But do you know how new malware threats get their names?

As a cybersecurity writer, I quickly add new strains to my vocabulary. But I never knew how they came to have those names in the first place. After writing numerous articles on malware, I decided to dig deep into the naming conventions to shed some light on that question. As it turns out, a name can tell you a lot about the malware itself — but it can also sow some confusion.

Threat group names

First, let’s talk about the difference between group names and malware strain names since they often intertwine and sometimes impact each other. With a one-hit-wonder group or a group with no known name, occasionally, the malware shares the group name. However, in most cases, there is a unique name for both the group and the malware.

You can often learn a lot about a group from its name. Group names often reference the nation-state associated with the group, such as Bear for Russia and Panda for China. The name often reflects the group’s motivation as well. “Spider” in the name means that money motivates a group, and “Jackals” refer to hacktivists.

A few common naming conventions

Now let’s get back to the question of how malware strains themselves are named. The short answer is that strains are named in several different ways. Of course, there are always outliers that get their names in a totally different way, so these are just common examples.

Typically if a cyber criminal doesn’t name their strain themselves, a cybersecurity researcher creates the name. The primary researcher of the strain or attack will usually come up with the name, and they sometimes assign one that seems random — but there is usually a pattern or at least some loose methodology.

And yes, that has led to many issues — especially misidentification and misnaming. Without an industry-wide database that lists the official names of all strains, some strains even end up with multiple names. Because many strains turn into families, researchers and the media must use consistent naming conventions. Otherwise, these labels can cause confusion when experts most need clarity.

6 common ways malware strains get their names

1. Target of the attack

Sometimes the simplest (and most notable) thing about a strain is what the attack is trying to disrupt. For example, the Olympic Destroyer malware got its name because it was trying to shut down the Winter Olympics systems in South Korea in 2018.

2. Computer Antivirus Research Organization (CARO) conventions

Sometimes malware strains have both a formal name and a nickname, just like people. In many cases, we never know or use the name researchers use formally — or the one their mom uses when they’re in trouble. The CARO creates the name based on the strain’s type, platform, family, variant and suffix. Companies such as Microsoft and CrowdStrike often stick to formal names.

3. Unique aspects of the attack

When researchers were studying the HeartBeat malware strain, they noticed an echoing sound that mimicked a heartbeat, which coined its name. Meltdown got its name because of what the attack did: break the isolation between applications and the operating system, which opens up the network to attacks leading to a meltdown.

4. Variant of the threat

Malware often has many strains. And since each strain can vary in significant ways, we need to be able to differentiate between them. This is when the suffix of the CARO name comes into play. The suffix also suggests how the variant is used.

5. Cyber criminals

Sometimes the threat actors themselves name the strain when they take credit for the malware. Other times, the name is integrated into the attack, such as in the case of WannaCry. Some groups actually create logos for their strains for marketing purposes.

6. Functionality

The action of the malware is sometimes the reason behind the name, such as Banker or Downloader. In some cases, that functionality combines with another descriptive word to distinguish it from other strains.

Malware naming conventions can be confusing. But by understanding a bit about common origins, you get a head start on knowing about the strain from the first time you hear the name.

More from Risk Management

Airplane cybersecurity: Past, present, future

4 min read - With most aviation processes now digitized, airlines and the aviation industry as a whole must prioritize cybersecurity. If a cyber criminal launches an attack that affects a system involved in aviation — either an airline’s system or a third-party vendor — the entire process, from safety to passenger comfort, may be impacted.To improve security in the aviation industry, the FAA recently proposed new rules to tighten cybersecurity on airplanes. These rules would “protect the equipment, systems and networks of transport…

Protecting your digital assets from non-human identity attacks

4 min read - Untethered data accessibility and workflow automation are now foundational elements of most digital infrastructures. With the right applications and protocols in place, businesses no longer need to feel restricted by their lack of manpower or technical capabilities — machines are now filling those gaps.The use of non-human identities (NHIs) to power business-critical applications — especially those used in cloud computing environments or when facilitating service-to-service connections — has opened the doors for seamless operational efficiency. Unfortunately, these doors aren’t the…

Cybersecurity dominates concerns among the C-suite, small businesses and the nation

4 min read - Once relegated to the fringes of business operations, cybersecurity has evolved into a front-and-center concern for organizations worldwide. What was once considered a technical issue managed by IT departments has become a boardroom topic of utmost importance. With the rise of sophisticated cyberattacks, the growing use of generative AI by threat actors and massive data breach costs, it is no longer a question of whether cybersecurity matters but how deeply it affects every facet of modern operations.The 2024 Allianz Risk…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today