You’re likely familiar with the names of common malware strains such as MOUSEISLAND, Agent Tesla and TrickBot. But do you know how new malware threats get their names?

As a cybersecurity writer, I quickly add new strains to my vocabulary. But I never knew how they came to have those names in the first place. After writing numerous articles on malware, I decided to dig deep into the naming conventions to shed some light on that question. As it turns out, a name can tell you a lot about the malware itself — but it can also sow some confusion.

Threat Group Names

First, let’s talk about the difference between group names and malware strain names since they often intertwine and sometimes impact each other. With a one-hit-wonder group or a group with no known name, occasionally, the malware shares the group name. However, in most cases, there is a unique name for both the group and the malware.

You can often learn a lot about a group from its name. Group names often reference the nation-state associated with the group, such as Bear for Russia and Panda for China. The name often reflects the group’s motivation as well. “Spider” in the name means that money motivates a group, and “Jackals” refer to hacktivists.

A Few Common Naming Conventions

Now let’s get back to the question of how malware strains themselves are named. The short answer is that strains are named in several different ways. Of course, there are always outliers that get their names in a totally different way, so these are just common examples.

Typically if a cyber criminal doesn’t name their strain themselves, a cybersecurity researcher creates the name. The primary researcher of the strain or attack will usually come up with the name, and they sometimes assign one that seems random — but there is usually a pattern or at least some loose methodology.

And yes, that has led to many issues — especially misidentification and misnaming. Without an industry-wide database that lists the official names of all strains, some strains even end up with multiple names. Because many strains turn into families, researchers and the media must use consistent naming conventions. Otherwise, these labels can cause confusion when experts most need clarity.

6 Common Ways Malware Strains Get Their Names

1. Target of the Attack

Sometimes the simplest (and most notable) thing about a strain is what the attack is trying to disrupt. For example, the Olympic Destroyer malware got its name because it was trying to shut down the Winter Olympics systems in South Korea in 2018.

2. Computer Antivirus Research Organization (CARO) Conventions

Sometimes malware strains have both a formal name and a nickname, just like people. In many cases, we never know or use the name researchers use formally — or the one their mom uses when they’re in trouble. The CARO creates the name based on the strain’s type, platform, family, variant and suffix. Companies such as Microsoft and CrowdStrike often stick to formal names.

3. Unique Aspects of the Attack

When researchers were studying the HeartBeat malware strain, they noticed an echoing sound that mimicked a heartbeat, which coined its name. Meltdown got its name because of what the attack did: break the isolation between applications and the operating system, which opens up the network to attacks leading to a meltdown.

4. Variant of the Threat

Malware often has many strains. And since each strain can vary in significant ways, we need to be able to differentiate between them. This is when the suffix of the CARO name comes into play. The suffix also suggests how the variant is used.

5. Cyber Criminals

Sometimes the threat actors themselves name the strain when they take credit for the malware. Other times, the name is integrated into the attack, such as in the case of WannaCry. Some groups actually create logos for their strains for marketing purposes.

6. Functionality

The action of the malware is sometimes the reason behind the name, such as Banker or Downloader. In some cases, that functionality combines with another descriptive word to distinguish it from other strains.

Malware naming conventions can be confusing. But by understanding a bit about common origins, you get a head start on knowing about the strain from the first time you hear the name.

More from Risk Management

The Role of Human Resources in Cybersecurity

The human resources (HR) department is an integral part of an organization. They work with all departments with a wider reach than even IT. As a highly visible department, HR can support and improve an organization’s security posture through employee training. Their access to employees at the start of employment is an opportunity to lay a foundation for a culture of risk awareness. HR departments do not typically include cybersecurity risk awareness training with new hire onboarding, but it’s something…

New Attack Targets Online Customer Service Channels

An unknown attacker group is targeting customer service agents at gambling and gaming companies with a new malware effort. Known as IceBreaker, the code is capable of stealing passwords and cookies, exfiltrating files, taking screenshots and running custom VBS scripts. While these are fairly standard functions, what sets IceBreaker apart is its infection vector. Malicious actors are leveraging the helpful nature of customer service agents to deliver their payload and drive the infection process. Here’s a look at how IceBreaker…

Cybersecurity 101: What is Attack Surface Management?

There were over 4,100 publicly disclosed data breaches in 2022, exposing about 22 billion records. Criminals can use stolen data for identity theft, financial fraud or to launch ransomware attacks. While these threats loom large on the horizon, attack surface management (ASM) seeks to combat them. ASM is a cybersecurity approach that continuously monitors an organization’s IT infrastructure to identify and remediate potential points of attack. Here’s how it can give your organization an edge. Understanding Attack Surface Management Here…

Six Ways to Secure Your Organization on a Smaller Budget

My LinkedIn feed has been filled with connections announcing they have been laid off and are looking for work. While it seems that no industry has been spared from uncertainty, my feed suggests tech has been hit the hardest. Headlines confirm my anecdotal experience. Many companies must now protect their systems from more sophisticated threats with fewer resources — both human and technical. Cobalt’s 2022 The State of Pentesting Report found that 90% of short-staffed teams are struggling to monitor…