Election Security Spotlight – Malware

What it is

Malware is malicious software or software designed to perform malicious actions on a device. It can be introduced to a system in various forms, such as emails or malicious websites. Additionally, various kinds of malware have distinct capabilities dependent on their intended purpose, such as disclosing confidential information, altering data in a system, providing remote access to a system, issuing commands to a system, or destroying files or systems. The most prolific types of malware currently include:

  • Spyware is malware that records keystrokes, listens in via computer microphones, accesses webcams, or takes screenshots and sends the information to a malicious actor. This type may give actors access to usernames, passwords, any other sensitive information entered using the keyboard or visible on the monitor, and potentially information viewable through the webcam. Keyloggers, which mainly record keystrokes, are the most common type of spyware and ZeuS, the most famous keylogger, has been on the ISAC’s Top 10 Malware list for several years.
  • Trojans (a.k.a. Trojan Horses) are malware that appears to be a legitimate application or software that can be installed. Trojans can provide a backdoor to an attacker and subsequently full access to the device, allowing the attacker to steal banking and sensitive information, or download additional malware, like Emotet.
  • Ransomware is malware that that blocks access to a system, device, or file until a ransom is paid. Malicious actors use ransomware to either encrypt files (crypto ransomware), erase files (wiper ransomware), or lock systems (locker ransomware) on an infected system or device. Ransomware holds infected systems or files hostage until the victim pays the ransom demand. However, paying the ransom does not guarantee that access to the files will be restored.
  • Click Fraud is malware that generates fake automatic clicks to ad-laden websites. These ads create revenue when clicked on. The more clicks, the more revenue that is generated. Kovter, one of the more prolific versions of click fraud, has been on the ISAC’s Top 10 Malware list for the past year.
  • Cryptocurrency mining malware (a.k.a. cryptojacking) is malware that primarily utilizes a compromised system’s resources in order to generate cryptocurrency revenue such as Bitcoin, Litecoin, Ether, or Monero. Cryptocurrency mining malware, like Coinminer, have increased in use over the past year to become one of the more prolific malware variants.

Why does it matter

Election systems and networks running vulnerable services are likely to be impacted by malware, as it is among the most common malicious activity observed. Malware infections can affect the confidentiality, integrity and availability (CIA) of the data in election systems and networks. Certain types of malware, such as spyware, click fraud, and cryptocurrency miners continually run in the background and are likely to drain system resources and slow down all affected systems, reducing the lifespan of systems. Furthermore, spyware, trojans, and ransomware have the ability to exfiltrate sensitive data such as user credentials or voter information. Ransomware may also block access to the infected system rendering it useless until it is remediated or the ransom is paid and the applicable decryption keys provided.

In addition to direct impacts, IP addresses or email addresses associated with an infected system may be placed on a blacklist if the malware is trying to connect to other systems. Blacklists are reputation-based lists that cybersecurity professionals use to prevent connectivity with malicious IP and email addresses. Being on a blacklist means that electronic traffic, including emails from and legitimate traffic to and from an election office may be blocked.

What you can do

Election officials should ensure their organization routinely patches all systems and maintains up-to-date anti-malware protection, like antivirus and firewalls, as these will mitigate most malware. Additionally, officials should work with their technical staff to ensure their organization maintains up-to-date data backups, which are stored offline, regularly tested for completeness, and provide the ability to reinstall in the event of an infection.

Officials should consult with their technical staff to receive periodic briefs on the types of malware discovered on the network and their associated impacts. Election officials can then work to make sure their Business Continuity Plans (BCP) cover potential malware scenarios and to conduct various table top exercises for those situations. Furthermore, review the ISAC’s monthly Top 10 Malware blog for up-to-date information on malware trends to incorporate into the BCP and table top exercises.

Lastly, election offices should prioritize training to help employees recognize malicious emails, as they are one of the most popular vectors of spreading malware. Training should emphasize that employees not open suspicious emails, click links contained in such emails, post sensitive information online, and never provide usernames, passwords, or personal information to any unsolicited request. After training employees, conduct organized phishing exercises to test and reinforce the concepts using services such as those provided by CIS or through DHS’s Phishing Campaign Assessment.



The EI-ISAC Cybersecurity Spotlight is a practical explanation of a common cybersecurity concept, event, or practice and its application to Elections Infrastructure security. It is intended to provide EI-ISAC members with a working understanding of common technical topics in the cybersecurity industry. If you would like to request a specific term or practice that may be of interest to the elections community, please contact [email protected].