
Malware Protection in 2026: A Practical Guide to Detection, Analysis, and Response

Somewhere inside every security team, there's a moment that defines how the rest of the day goes. Maybe an analyst sees a flagged email attachment or an endpoint agent quarantines a file it doesn't recognize. Whatever the trigger, the question is always the same: is this real, or is this noise?

Most of the time, it's noise. But when it isn't, the window between "suspicious" and "catastrophic" shrinks fast.

In February 2024, attackers from the ALPHV/BlackCat ransomware group gained access to Change Healthcare, the company that processes roughly half of all medical claims in the United States. Their entry point was a remote access server with compromised credentials and no multi-factor authentication. For nine days, they moved laterally through the network without triggering a response, exfiltrating an estimated six terabytes of data: medical records, Social Security numbers, and billing details for nearly 193 million people. When they finally deployed ransomware, claims processing stopped for thousands of hospitals and pharmacies. 94% of hospitals reported financial impact. UnitedHealth Group ultimately disclosed costs exceeding $2.87 billion.

Nine days. That's how long the attackers had before anyone knew they were there.

The Change Healthcare breach is an extreme example, but the pattern it follows is not. Malware moves faster than triage by evading static defenses and escalating from initial access to full compromise before most teams can react. And the traditional model of "detect and respond" assumes you have time that, increasingly, you don't.

This guide is about closing that gap. Effective malware protection in 2026 requires a continuous cycle of discovering threats, validating whether they're real, and disrupting them before they cause harm. We'll break down each stage of that cycle: practical approaches to malware detection, the role of malware analysis and sandboxing in validation, and the response workflows that close the loop.

The Malware Threat Landscape in 2026

The cost of launching a malware campaign has dropped significantly in just the last two years, while the difficulty of catching one has gone up.

Generative AI has transformed the economics of malware delivery. Phishing emails that once contained telltale grammar mistakes and generic lures are now polished, personalized, and produced at scale.

As Nico Flores, Product Marketing Manager at ZeroFox, explains, "AI has gotten more sophisticated. There's less room for error now. It used to be that spelling mistakes were key indicators for phishing attempts. Today, there won’t be, because of advances in natural language processing. Threat actors can now do sophisticated, very large attacks."

At the same time, malware itself is evolving. Commodity malware kits have lowered the barrier to entry, enabling less-skilled actors to launch attacks that were once the domain of advanced groups. Ransomware-as-a-service (RaaS) models mean that the person deploying the malware and the person who built it are often different entities entirely. Even after law enforcement takedowns, threat actors regroup quickly; the ZeroFox Intelligence team recently tracked a new DanaBot malware variant that emerged shortly after the original operation was disrupted. Meanwhile, the ZeroFox Q4 2025 Ransomware Wrap-Up documented at least 2,091 separate ransomware and digital extortion incidents in Q4 2025 alone, a 46% increase from Q3 and a new single-quarter record.

Throughout 2025, ZeroFox observed higher attack volumes every quarter compared to previous years, reflecting a longer-term upward trajectory that shows no signs of leveling off. North America-based organizations bore the brunt, accounting for approximately 59% of all incidents. The 2026 Key Forecasts Report projects this trend will continue, with ransomware diversification and AI-assisted campaigns driving further volume increases.

Infrastructure churn adds another layer of difficulty. Attackers spin up and tear down domains, C2 servers, and phishing sites within hours. By the time an IOC (indicator of compromise) lands in a threat feed, the infrastructure behind it may already be abandoned and replaced.

Common malware delivery paths that security teams need to account for include phishing emails with malicious attachments or links, drive-by downloads from compromised or spoofed websites, trojanized software distributed through legitimate-looking channels, QR codes embedded in physical or digital media that redirect to malicious payloads, and credential-harvesting pages designed to look identical to trusted services.

The throughline across all of these vectors is that raw alerts alone are not enough. Detection without context creates noise. Context without action creates reports that sit in queues. Protection, in practice, means connecting the signal to proof to action, quickly enough to matter.

How Malware Targets Your Industry

Malware is not an equal-opportunity threat. The objectives and tactics shift depending on the industry being targeted. Understanding how malware campaigns are designed for your sector helps security teams anticipate what's coming rather than reacting after the fact. 

In the past year, our intelligence team found that the five most heavily targeted industries (manufacturing, professional services, construction, healthcare, and retail) accounted for approximately 60% of all ransomware and digital extortion incidents in Q4 2025. Read on for the full breakdown by industry.

Healthcare

Healthcare remains the most targeted industry for ransomware, and the consequences extend well beyond data loss. In February 2026, the University of Mississippi Medical Center fell victim to a ransomware attack that took its Epic electronic health record system offline across 35 clinics and more than 200 telehealth sites, forcing the cancellation of chemotherapy appointments and the postponement of non-emergency surgeries. Medical staff reverted to paper-based workflows while patients bore the consequences.

This is becoming routine, not exceptional. In 2024, 67% of healthcare organizations worldwide faced ransomware attacks, up from 60% the prior year. The average breach cost in healthcare now exceeds $10 million as patient data commands premium prices on criminal marketplaces because medical records contain a dense combination of Social Security numbers, insurance details, billing information, and complete medical histories. And the operational pressure is immense: healthcare systems cannot tolerate extended downtime without directly affecting patient care, which gives ransomware operators enormous leverage.

Meanwhile, ZeroFox Intelligence continues to track healthcare-related breach data being offered for sale on dark web forums. In a recent Underground Economist report, a threat actor advertised over 500,000 records allegedly exfiltrated from UnitedHealth Group, including Social Security numbers, birth dates, and home addresses, priced at $350,000 for the full dataset.

Manufacturing and Supply Chain

Manufacturing has been the most targeted industry for ransomware since at least 2021, and the trend is accelerating. ZeroFox Intelligence observed at least 413 ransomware and digital extortion incidents targeting manufacturers in Q4 2025, a 69% increase from Q3, accounting for nearly 20% of all global incidents. The Cl0p ransomware collective was particularly aggressive against the sector, with manufacturing representing approximately 30% of its Q4 attacks.

The real-world impact is severe. Nearly 80% of UK manufacturers reported being hit by a cyber incident in the past year, according to research from ESET, with more than half reporting lost revenue as a direct result. In over half of the worst incidents, losses surpassed £250,000. When Jaguar Land Rover was forced to halt production following a cyberattack in 2025, the wider economic impact was estimated at around £1.9 billion once suppliers, delays, and lost output were factored in.

Manufacturing environments are especially vulnerable because of the convergence of IT and operational technology (OT) networks. Legacy systems that are difficult to patch, interconnected supply chains, and low tolerance for production downtime all create leverage for attackers. Most outages stretch into days, sometimes approaching a week, with knock-on effects that linger well after systems come back online. Despite this, one in five manufacturers said they have limited or no insight into the cybersecurity threats that could affect production.

Financial Services

Financial institutions are high-value targets for credential theft, fraud, and data exfiltration. In February 2026, payment processing network BridgePay suffered a ransomware attack that took its APIs, virtual terminals, and payment pages completely offline, directly disrupting transaction processing for merchants and businesses that depend on it.

Threat actors deploy malware designed to harvest banking credentials, intercept wire transfers, and compromise payment systems. The ZeroFox guide on impersonations and brand abuse in financial services documents how phishing campaigns targeting financial services employees and customers continue to grow in volume and sophistication, with AI-generated lures making fraudulent communications nearly indistinguishable from legitimate ones.

Education

Colleges, universities, and school districts are attractive targets because of their open network architectures, large user populations, and often limited security budgets. The Interlock ransomware group has specifically targeted educational institutions, deploying its NodeSnake RAT against UK universities to establish persistent network access. These attacks typically begin with phishing emails carrying malicious links or attachments, exactly the kind of threat that malware sandboxing is designed to catch.

Education institutions house significant volumes of personal data, including student records, financial aid information, and research data, while operating environments that prioritize accessibility over restriction. The combination of valuable data and porous security postures makes them reliable targets for ransomware groups looking for low-resistance entry points.

Emerging Tech and SaaS

SaaS companies and startups face a unique risk profile. They move fast, they build on shared cloud infrastructure, and their products often handle sensitive customer data. Security teams tend to be small, and the speed of development can outpace security review.

For threat actors, compromising a SaaS provider is a force multiplier: a single breach can expose data from hundreds or thousands of downstream customers. AI is accelerating this problem. IBM X-Force recently documented the Slopoly malware strain, a backdoor likely generated using a large language model and deployed by the Hive0163 threat group during an Interlock ransomware attack. The malware allowed attackers to maintain persistent access to a compromised server for over a week. As IBM noted, AI-generated malware like Slopoly shows how easily threat actors can develop new frameworks "in a fraction of the time it used to take," reducing the barrier for less-skilled operators to launch attacks against targets that may assume their size or obscurity protects them.

Retail

Retail ranked among the five most targeted industries in every quarter of 2025, according to the ZeroFox Intelligence team’s research, with concentrated risk during peak commerce periods when operational disruption carries maximum financial consequence. Across all industries, publicly disclosed ransomware attacks surged 49% year-over-year in 2025, reaching 1,174 confirmed incidents, and retail faces seasonal spikes that align with high-traffic shopping periods. Point-of-sale systems, e-commerce platforms, and loyalty program databases remain frequent targets.

Social engineering campaigns impersonating major brands are also a significant vector. Fraudulent promotions, fake customer service channels, and spoofed domains are used to harvest credentials and payment information. These campaigns exploit customer trust in established brands, leading to loss of revenue and harmed brand reputation.

How to Catch Unknowns with Malware Detection

Most organizations have layers of detection in place: endpoint detection and response (EDR), email security gateways, web proxies, network intrusion detection. Each of these layers catches something, but none of them catches everything.

The core detection problem for modern security teams isn't a lack of tools. It's the combination of alert volume and uncertainty. Consider this series: An email gateway flags a suspicious attachment. A web proxy logs a connection to a newly registered domain. An endpoint agent quarantines a file it hasn't seen before. Each event might be malicious, or it might be routine.

The result is a growing queue of "maybes" that require human judgment to resolve, and the analysts responsible for that judgment are already stretched thin. The gap between what detection tools flag and what teams can confidently act on is where malware protection programs succeed or fail.

Detection finds "maybe." Protection requires proving "yes" or "no," and then doing something about it.

Malware Analysis: From Suspicion to Certainty

Malware analysis sits between detection and response. Its job is to answer four questions: Is this actually malicious? What does it do? What indicators can we extract? And what should we do next?

The outputs SOC teams need from analysis are practical: a verdict with a confidence level, IOCs (file hashes, domains, IPs, URLs), behavioral indicators that reveal what the malware attempts to do at runtime, and, when possible, attribution to a known malware family. These outputs feed directly into response actions, from blocking indicators across the environment to initiating takedown workflows against attacker infrastructure.

Analysis is where the work of turning raw suspicion into actionable intelligence happens. It's also where many teams hit a bottleneck, because thorough analysis takes time, expertise, and the right tooling.

Static and Dynamic Malware Analysis

There are two fundamental approaches to malware analysis, and understanding when to use each one is critical for efficiency.

Static analysis examines a file without executing it. This includes inspecting metadata, file structure, embedded strings, cryptographic hashes, and signature matches against known malware databases. Static analysis is fast and low-risk. It can confirm known threats in seconds and provide a first-pass assessment of suspicious files. Where it falls short is with novel or obfuscated malware: if the sample is packed, polymorphic, or specifically designed to evade signature-based detection, static analysis alone may produce an inconclusive or false-negative result.

Dynamic analysis executes the sample in a controlled environment and observes its behavior at runtime. This reveals what the malware actually tries to do: Does it attempt to contact external servers? Does it modify system files? Does it try to escalate privileges, exfiltrate data, or download additional payloads? Dynamic analysis is more definitive because it captures behavior rather than relying on known patterns. It's also more resource-intensive, requiring isolated execution environments that prevent any malicious activity from escaping containment.

In practice, the decision of when static is sufficient and when dynamic analysis is warranted comes down to risk. If a file matches a known signature with high confidence, static analysis is enough to block and move on. If the file is unknown, if it arrived through a high-risk vector (like a targeted phishing campaign against executives), or if static results are inconclusive, dynamic analysis provides the certainty needed to take decisive action.
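The static first pass described above can be scripted. The following is an added example, not code from ZeroFox or PolySwarm: it hashes a file, identifies its container type from leading bytes, pulls printable strings, measures byte entropy (packed or encrypted content pushes it toward 8.0, which is exactly the case where string-based static analysis goes blind), and then applies the decision rule from this section: a known-bad hash is blocked outright, anything else is escalated to dynamic analysis with the static findings attached as leads. The known-bad set, the sample bytes and the 7.2 entropy threshold are constructed for illustration; a real deployment would query a hash reputation source and a rule set such as YARA instead.

```python
"""Static first-pass triage: hashes, type, strings, entropy, block-or-detonate.

Added example (not ZeroFox's or PolySwarm's code). The known-bad hash set,
the sample bytes and the entropy threshold are constructed for illustration.
"""
import hashlib
import math
import re
from dataclasses import dataclass, field

# Packed or encrypted sections push byte entropy toward 8.0; plain code and
# text sit well below. 7.2 is a constructed threshold; tune it on your corpus.
PACKED_ENTROPY = 7.2

MAGIC = {  # leading bytes -> container type
    b"MZ": "pe",                  # Windows executable
    b"PK\x03\x04": "zip",         # ZIP (also OOXML, JAR)
    b"\xd0\xcf\x11\xe0": "ole",   # legacy Office compound file
    b"%PDF": "pdf",
}
# Strings that justify a closer look; none of them is proof of malice alone
SUSPICIOUS_STRINGS = (r"https?://\S+", r"AutoOpen", r"powershell", r"-EncodedCommand")


@dataclass
class StaticReport:
    sha256: str
    file_type: str
    size: int
    entropy: float
    findings: list[str] = field(default_factory=list)
    verdict: str = "inconclusive"   # "known_bad" or "inconclusive"
    next_step: str = "detonate"     # "block" (signature hit) or "detonate" (unknown)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant stream, 8.0 for uniform random bytes."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def detect_type(data: bytes) -> str:
    for magic, name in MAGIC.items():
        if data.startswith(magic):
            return name
    return "unknown"


def printable_strings(data: bytes, min_len: int = 6) -> list[str]:
    """Runs of printable ASCII, like the classic `strings` utility."""
    return [m.decode("ascii") for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def analyze(data: bytes, known_bad: set[str]) -> StaticReport:
    report = StaticReport(
        sha256=hashlib.sha256(data).hexdigest(),
        file_type=detect_type(data),
        size=len(data),
        entropy=round(shannon_entropy(data), 3),
    )
    if report.sha256 in known_bad:
        # High-confidence signature hit: block and move on, no detonation needed
        report.verdict, report.next_step = "known_bad", "block"
        report.findings.append("hash matches known-bad set")
        return report
    if report.entropy >= PACKED_ENTROPY:
        report.findings.append("high entropy: likely packed or encrypted, strings unreliable")
    text = "\n".join(printable_strings(data))
    for pat in SUSPICIOUS_STRINGS:
        for match in re.findall(pat, text, re.I):
            report.findings.append(f"suspicious string: {match}")
    # Unknown sample: static output is only a lead, so the verdict stays
    # "inconclusive" and next_step stays "detonate" (dynamic analysis)
    return report


def make_samples() -> dict[str, bytes]:
    """Constructed stand-ins for suspicious files; not real malware."""
    plain = (b"MZ" + b"\x00" * 64 + b"This program cannot be run in DOS mode.\n"
             b"http://stage2.example.invalid/p.bin\n")
    # Deterministic high-entropy body (chained SHA-256) mimics a packed section
    body, chunk = b"", b"seed"
    for _ in range(128):
        chunk = hashlib.sha256(chunk).digest()
        body += chunk
    return {"plain": plain, "packed": b"MZ" + body}


SAMPLES = make_samples()
# Pretend the "plain" sample was seen before, so its hash is in the known-bad set
KNOWN_BAD = {hashlib.sha256(SAMPLES["plain"]).hexdigest()}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        r = analyze(data, KNOWN_BAD)
        print(name, r.file_type, r.entropy, r.verdict, r.next_step, r.findings)
```

Run against the two constructed samples, the "plain" file is blocked on its hash, while the high-entropy "packed" file gets no signature hit and only an entropy warning, which is precisely the inconclusive result the text says should be escalated to dynamic analysis.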

This is where malware sandboxing enters the picture: as the safest, most scalable way to operationalize dynamic analysis for security teams that need results quickly and can't afford to guess.

Malware Sandboxing: Validate Threats Safely, at Speed

A malware sandbox is an isolated environment purpose-built for detonating suspicious files, URLs, and other artifacts without putting production systems at risk. Think of it as a controlled test lab where you can let malware do its worst, watch what happens, and capture the evidence, all without any of that activity touching your actual network.

Sandboxing matters because it solves two problems simultaneously. First, it gives analysts a definitive answer. Rather than relying on heuristics or partial signals, sandboxing produces a behavioral report showing exactly what a sample tried to do. Second, it compresses triage time. Instead of manually investigating ambiguous alerts, analysts can submit a sample and get a verdict backed by evidence, often in minutes.

"It's a safe place to test and validate malware," explains Flores. "If you think something is malware, put it in the sandbox, to validate that it is. We'll tell you whether it's yes or no, give you your indicators of compromise, and tell you how they would have done this to you if it detonated within your servers."

For security teams drowning in alert volume, sandboxing shifts the workflow from investigating everything manually to validating quickly and acting decisively. That shift is how teams scale without burning out.

Malware Detonation Sandbox: How Controlled Execution Works

The term "detonation" in the context of malware sandboxing refers to the controlled execution of a suspicious sample within an isolated environment. The sample runs as it would on a real system, interacting with a simulated operating system, network stack, and file system, while every action is logged and analyzed.

Here's what that looks like in practice:

Suspicious email attachment. An employee receives a spreadsheet attachment that passed the email gateway but looks off. Rather than opening it on a corporate machine, the file is submitted to the sandbox. The sandbox executes the file, discovers it attempts to run a macro that downloads a second-stage payload from an external server, and flags it as malicious. The analyst now has the external domain, the payload hash, and a behavioral report documenting the full attack chain.

URL from a phishing campaign. A domain monitoring alert surfaces a newly registered domain mimicking your brand. The URL is submitted to the sandbox, which loads it in a headless browser, captures screenshots, and records that the page harvests credentials and drops a cookie-stealing script. The evidence package, including the sandbox report, supports an immediate takedown request.

QR code from a quishing attack. QR codes have become an emerging phishing vector because they're difficult to inspect before scanning. Submitting the QR code to a sandbox that can decode and follow the embedded URL lets teams safely determine where it leads and what it does, without exposing anyone to the payload.

Jill Cagliostro, Director of Product Management at ZeroFox, highlights why behavioral analysis in sandboxing is particularly valuable: "It's actually going to mess with the malware, see if it can trick it into doing things. It can even catch simple things, like a site downloading your cookie history. That isn't inherently malicious, but it's very suspicious, especially if something is impersonating your brand."

The detonation outputs connect directly to action. Extracted IOCs can be fed into blocking rules. Behavioral reports provide evidence for takedown requests. And the MITRE ATT&CK mapping that accompanies most sandbox reports helps teams route indicators to the right defensive tools, because, as Cagliostro notes, "you don't want to be putting a file indicator in your firewall. That's got to get to the endpoint solution."

Detonate Malware Safely: Operational Guardrails for Teams

Safe detonation depends on proper isolation. The sandbox environment must be fully contained, with no path back to production systems. Network egress should be controlled and monitored, allowing the malware to "phone home" enough to reveal its C2 behavior while preventing actual data exfiltration. Every action, from file system changes to registry modifications to network connections, should be logged for post-detonation analysis.

When should you detonate versus simply block? If you've never seen a sample before and it arrived via a targeted vector, detonation gives you intelligence you can't get any other way. If a file matches a known-bad signature with high confidence, blocking is faster and sufficient. The common mistake is treating every file the same way: either sandboxing everything (which wastes credits and time) or blocking everything without validation (which misses novel threats and produces no intelligence).

Another operational mistake to avoid is relying on a single sandbox verdict as absolute truth. Different sandbox engines can produce different results from the same sample, particularly with evasive malware designed to detect sandbox environments. Multi-engine analysis, where a sample is evaluated across multiple sandboxing environments and detection engines, provides stronger confidence than any single pass.

Make Sandboxing Actionable: Enrich Alerts and Accelerate Response

The value of sandboxing doesn't end with a verdict. The real payoff comes from feeding sandbox outputs back into your security workflows to enrich alerts and accelerate decisions.

Alert enrichment, in the malware context, means attaching verdict data, extracted IOCs, and behavioral context directly to the original detection event. When an analyst opens an alert, instead of seeing just "suspicious file detected," they see the sandbox verdict, the domains the file tried to contact, the processes it spawned, and the MITRE ATT&CK techniques it employed. That context eliminates the back-and-forth of manual investigation and brings time-to-decision down from hours to minutes.

Practical enrichment outputs include URL and domain indicators associated with malware command and control, file hashes (MD5, SHA-1, SHA-256) for blocking and hunting, network beacons and communication patterns, dropped files and secondary payloads, and process trees showing the execution flow.
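The enrichment step, and the routing rule Cagliostro describes (a file indicator belongs on the endpoint, not in the firewall), can be expressed as a small pipeline. The following is an added example and not ZeroFox's or any sandbox vendor's code: it takes a constructed sandbox report, refangs and validates each indicator, classifies it as a hash, domain, URL or IP, assigns it to the tool that can actually consume it, flattens the process tree into parent > child chains an analyst can turn into hunting queries, and attaches all of that to the original detection event. The report layout, alert fields, tool names and indicators are constructed assumptions; real sandboxes each have their own report schema.

```python
"""Enrich a detection event with a sandbox report and route its IOCs.

Added example, not ZeroFox's or any sandbox vendor's code. The report
layout, the alert fields, the tool names and the indicators are constructed.
"""
import json
import re
from typing import Optional

# Which defensive tool consumes each indicator type: a file hash in a
# firewall does nothing, it belongs on the endpoint (EDR); a domain belongs
# in DNS filtering, a URL in the proxy, an IP in the firewall.
ROUTE = {
    "sha256": "edr", "sha1": "edr", "md5": "edr",
    "domain": "dns",
    "url": "proxy",
    "ipv4": "firewall",
}

# Ordered so that the most specific shapes are tried first
PATTERNS = [
    ("sha256", re.compile(r"^[0-9a-f]{64}$", re.I)),
    ("sha1",   re.compile(r"^[0-9a-f]{40}$", re.I)),
    ("md5",    re.compile(r"^[0-9a-f]{32}$", re.I)),
    ("ipv4",   re.compile(r"^(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)$")),
    ("url",    re.compile(r"^https?://\S+$", re.I)),
    ("domain", re.compile(r"^(?=.{1,253}$)(?:[a-z0-9-]{1,63}\.)+[a-z]{2,63}$", re.I)),
]


def refang(ioc: str) -> str:
    """Undo common defanging so the indicator can be matched and blocked."""
    return (ioc.strip()
               .replace("hxxp://", "http://").replace("hxxps://", "https://")
               .replace("[.]", ".").replace("(.)", ".").replace("[:]", ":"))


def classify(ioc: str) -> Optional[str]:
    for kind, pattern in PATTERNS:
        if pattern.match(ioc):
            return kind
    return None  # malformed or unsupported; never push it to a blocking tool


def route(iocs: list[str]) -> tuple[dict[str, list[str]], list[str]]:
    """Return ({tool: [indicators]}, [rejected raw inputs])."""
    plan: dict[str, list[str]] = {}
    rejected: list[str] = []
    for raw in iocs:
        ioc = refang(raw)
        kind = classify(ioc)
        if kind is None:
            rejected.append(raw)
            continue
        plan.setdefault(ROUTE[kind], []).append(ioc)
    return plan, rejected


def flatten_tree(node: dict, path: tuple[str, ...] = ()) -> list[str]:
    """Render a process tree as 'parent > child > ...' chains for hunting."""
    chain = path + (node["name"],)
    children = node.get("children", [])
    if not children:
        return [" > ".join(chain)]
    chains: list[str] = []
    for child in children:
        chains.extend(flatten_tree(child, chain))
    return chains


def enrich_alert(alert: dict, report: dict) -> dict:
    """Attach verdict, IOC routing, ATT&CK techniques and process chains to the event."""
    plan, rejected = route(report["iocs"])
    return {
        **alert,
        "verdict": report["verdict"],
        "confidence": report["confidence"],
        "attack_techniques": report.get("attack", []),
        "process_chains": [c for root in report.get("process_tree", []) for c in flatten_tree(root)],
        "routing": plan,
        "rejected_iocs": rejected,
    }


# Constructed sample input: not a real report, not real indicators
RAW_ALERT = {"id": "alert-1", "source": "email-gateway", "summary": "suspicious attachment"}
REPORT = json.loads("""{
 "verdict": "malicious", "confidence": 0.93,
 "attack": ["T1566.001", "T1059.001"],
 "iocs": ["deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef",
          "stage2[.]example[.]invalid", "hxxp://stage2[.]example[.]invalid/p.bin",
          "192.0.2.44", "not an indicator"],
 "process_tree": [{"name": "EXCEL.EXE", "children": [{"name": "cmd.exe",
     "children": [{"name": "powershell.exe", "children": []}]}]}]
}""")

if __name__ == "__main__":
    print(json.dumps(enrich_alert(RAW_ALERT, REPORT), indent=2))
```

The rejected list matters as much as the routing plan: an indicator that fails validation is surfaced to the analyst rather than silently pushed into a blocklist, where a malformed entry can either do nothing or, worse, block far more than intended.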

Process trees deserve a specific mention. As Cagliostro explains: "Process trees are a great way to see how malware is going to try and hide itself, so you can go hunt through your organization to see if there are any artifacts that have been changed that align to what you see in the malware sandbox." This is how sandboxing goes beyond validation and directly supports threat hunting.

Integrating Sandboxing with SIEM Workflows

For teams running a SIEM (Security Information and Event Management) platform, the goal of sandbox integration is straightforward: sandbox results should flow into the SIEM to add context and reduce noise.

A typical workflow looks like this: a detection event triggers a sandbox submission. The sandbox detonates the sample and produces a verdict, IOCs, and behavioral indicators. Those results are ingested by the SIEM, enriching the original event with the context analysts need to make a fast decision. The analyst triages the enriched alert with significantly more confidence than they would have from the raw detection event alone.

What to track when measuring the effectiveness of this integration: verdict confidence scores, extracted IOCs per submission, time-to-verdict (how long from submission to result), and whether enriched alerts correlate to faster containment times. These metrics give SOC leaders a clear picture of how sandboxing is contributing to operational efficiency.

Integrating Sandboxing with SOAR Workflows

SOAR (Security Orchestration, Automation, and Response) platforms take sandbox integration a step further by automating the actions that follow a verdict.

Practical automations that teams should consider: automatic submission of artifacts (files, URLs, hashes) from detection events to the sandbox, automatic case creation with the sandbox report attached, automatic blocking of high-confidence IOCs with human approval gates for medium-confidence results, and automatic notification to relevant stakeholders when a confirmed threat is identified.

The principle here is that automation and validation working together is how teams scale without adding headcount. Automation without validation creates false-positive risk. Validation without automation creates bottlenecks. The combination of the two is where teams find sustainable operational rhythm.
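The automations listed above, with the human approval gate between them, map onto a simple playbook state machine. The following is an added example, not ZeroFox's or any SOAR vendor's code: a malicious verdict always opens a case with the report attached; at or above a high-confidence threshold the indicators are pushed to the blocking tools and stakeholders are notified immediately; in the medium band the case is parked in an approval queue and nothing is blocked until an analyst approves; below that the case is left for manual triage. The thresholds, tool names, in-memory connectors and sample verdicts are constructed assumptions, and the `routing` field is assumed to be the per-tool indicator map an enrichment step produced upstream.

```python
"""SOAR-style playbook: automate what follows a sandbox verdict, with a
human approval gate for medium-confidence results.

Added example, not ZeroFox's or any SOAR vendor's code. Thresholds, tool
names, the in-memory connectors and the sample alerts are constructed.
"""
from dataclasses import dataclass, field

AUTO_BLOCK_MIN = 0.90   # at or above: block without waiting for a human
REVIEW_MIN = 0.50       # between REVIEW_MIN and AUTO_BLOCK_MIN: queue for approval


@dataclass
class Playbook:
    # Stand-ins for real connectors: tool name -> blocked indicators
    blocklists: dict[str, set[str]] = field(default_factory=dict)
    cases: list[dict] = field(default_factory=list)
    pending: dict[str, dict] = field(default_factory=dict)   # the approval gate
    notifications: list[str] = field(default_factory=list)
    audit: list[str] = field(default_factory=list)

    def _block(self, routing: dict[str, list[str]], case_id: str, actor: str) -> None:
        """Push each indicator to the tool it was routed to, recording who did it."""
        for tool, iocs in routing.items():
            self.blocklists.setdefault(tool, set()).update(iocs)
            self.audit.append(f"{case_id}: {actor} blocked {len(iocs)} indicator(s) on {tool}")

    def handle(self, enriched: dict) -> str:
        """Run the playbook for one enriched alert and return the outcome."""
        verdict, conf = enriched["verdict"], enriched["confidence"]
        if verdict != "malicious":
            self.audit.append(f"{enriched['id']}: no action ({verdict}, {conf:.2f})")
            return "closed"
        # A confirmed-malicious verdict always gets a case with the report attached
        case_id = f"case-{len(self.cases) + 1}"
        self.cases.append({"id": case_id, "alert": enriched["id"], "report": enriched})
        if conf >= AUTO_BLOCK_MIN:
            self._block(enriched["routing"], case_id, "playbook")
            self.notifications.append(f"{case_id}: confirmed threat, indicators blocked")
            return "blocked"
        if conf >= REVIEW_MIN:
            # Medium confidence: hold for a human decision instead of auto-blocking
            self.pending[case_id] = enriched
            self.notifications.append(f"{case_id}: needs analyst approval before blocking")
            return "pending_approval"
        self.audit.append(f"{case_id}: low confidence ({conf:.2f}), manual triage")
        return "manual_triage"

    def approve(self, case_id: str, analyst: str) -> bool:
        """Analyst releases a pending case: indicators are blocked in their name."""
        enriched = self.pending.pop(case_id, None)
        if enriched is None:
            return False
        self._block(enriched["routing"], case_id, analyst)
        return True

    def reject(self, case_id: str, analyst: str) -> bool:
        """Analyst marks a pending case a false positive: nothing is blocked."""
        if self.pending.pop(case_id, None) is None:
            return False
        self.audit.append(f"{case_id}: {analyst} rejected block (false positive)")
        return True


# Constructed enriched alerts (output of an upstream enrichment step)
HIGH = {"id": "alert-1", "verdict": "malicious", "confidence": 0.93,
        "routing": {"dns": ["stage2.example.invalid"], "edr": ["deadbeef" * 8]}}
MEDIUM = {"id": "alert-2", "verdict": "malicious", "confidence": 0.62,
          "routing": {"firewall": ["198.51.100.7"]}}
LOW = {"id": "alert-3", "verdict": "malicious", "confidence": 0.31,
       "routing": {"proxy": ["http://weak-signal.example.invalid/"]}}
BENIGN = {"id": "alert-4", "verdict": "benign", "confidence": 0.88, "routing": {}}

if __name__ == "__main__":
    pb = Playbook()
    for alert in (HIGH, MEDIUM, LOW, BENIGN):
        print(alert["id"], "->", pb.handle(alert))
    print("approve case-2:", pb.approve("case-2", "analyst.a"))
    print("\n".join(pb.audit))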

Malware Response: Contain Fast, Then Eliminate the Root Cause

Once malware is confirmed, the clock is ticking. The response sequence follows a practical, repeatable pattern: contain, eradicate, recover, and learn.

Contain means stopping the spread immediately. Isolate affected hosts, block confirmed malicious indicators across the network, and cut off communication with C2 infrastructure. The goal is to shrink the blast radius while you work the problem.

Eradicate means removing the malware and closing the access path it used to get in. This includes wiping and reimaging compromised systems, revoking stolen credentials, and patching the vulnerability or misconfiguration that allowed initial access.

Recover means restoring normal operations from known-good backups, validating that systems are clean, and confirming that business processes are functioning correctly.

Learn means conducting a post-incident review that feeds back into your detection and prevention posture. This is where threat intelligence provides the most long-term value: linking the incident to known campaigns, identifying related indicators to hunt for across the environment, and updating detection rules to prevent recurrence. Threat intelligence feeds can automate much of this enrichment, pushing updated IOCs into blocking tools as new intelligence becomes available.

Intelligence is the connective tissue throughout the entire response cycle. Without it, response is reactive and isolated. With it, every incident becomes an opportunity to strengthen the organization's defenses against the next one. The ZeroFox Intelligence team tracks these patterns across time, providing the campaign-level context that helps teams anticipate what's coming rather than just reacting to what already arrived.

Malware Protection Checklist for Security Teams

Use this as a practical assessment of your malware protection readiness.

Detection and Visibility

  • Confirm coverage across all major delivery vectors: email, web, endpoint, and network
  • Validate that detection tools are tuned to reduce noise without missing high-risk events
  • Establish a process for triaging unknown or ambiguous artifacts rather than defaulting to "ignore"

Analysis and Validation

  • Ensure access to malware sandboxing capabilities for detonating files, URLs, and QR codes
  • Use multi-engine analysis to improve verdict confidence on novel threats
  • Extract and catalog IOCs (hashes, domains, IPs, behavioral indicators) from every confirmed incident

Integration and Workflow

  • Feed sandbox results into your SIEM to enrich alerts with verdict and behavioral context
  • Configure SOAR playbooks to automate artifact submission and response actions with human approval gates
  • Confirm that extracted IOCs route to the appropriate blocking tools (endpoint, firewall, proxy, DNS)

Response and Containment

  • Maintain a documented containment procedure: isolate hosts, block indicators, revoke credentials
  • Test backup and recovery processes regularly; don't discover your backup gaps during an incident
  • Conduct post-incident reviews that feed findings back into detection rules and hunting queries

Measurement and Improvement

  • Track time-to-verdict for sandbox submissions
  • Measure false-positive reduction over time as enrichment matures
  • Monitor mean time to contain (MTTC) and compare against pre-sandbox baselines

Intelligence-Led Malware Protection with ZeroFox

ZeroFox approaches malware protection through the same continuous cycle that drives everything across the platform: Discover, Validate, Disrupt.

Discover starts with visibility. ZeroFox continuously monitors the external attack surface, including domains, social media, deep and dark web forums, and threat actor infrastructure, to identify malware campaigns, phishing kits, and malicious infrastructure before they reach your environment. Intelligence Search lets analysts pivot across 12 billion+ correlated signals to trace threats from initial indicator to full campaign picture.

Validate is where the new ZeroFox Malware Sandbox changes the game. Built in partnership with PolySwarm, the sandbox provides on-platform submission of files, URLs, hashes, and QR codes for multi-engine inspection. Every submission runs through dual-engine analysis: dynamic behavioral analysis that executes the sample in isolated environments, and static deconstruction that identifies hidden malicious intent. An AI-powered engine translates complex technical indicators into clear, high-level summaries. The result is a verdict analysts can trust, with the IOCs and MITRE ATT&CK mapping needed to act on it.

Cagliostro highlights what makes the ZeroFox approach in partnership with PolySwarm different from competitors: "What PolySwarm specializes in is discovering net-new malware. They have their team of malware reverse engineers constantly looking for new ways to discover undiscoverable malware. They currently have the best discovery rate of all the sandbox providers."

ZeroFox customers with an Intelligence Search license receive 25 sandbox scans per month at no additional cost, with the full premium analysis capabilities included. The scans run in a private instance, meaning there are no data privacy concerns if sensitive files are submitted for analysis.

Disrupt is the capability that no other vendor in the space can match inline. Sandbox results feed directly into ZeroFox's takedown and disruption workflows. When a sandbox report confirms that a domain impersonating your brand is serving malware, that evidence package, produced by a third-party analysis engine, gives registrars and hosting providers the proof they need to approve a takedown without hesitation.

Cagliostro explains, “These sandbox results can be very valuable for registrars to understand why something is bad, and make it a lot easier for them to take it down. If there's evidence from another third party, it helps them understand this is truly bad, we should help the internet and take it down.”

This is the distinction that matters. Other threat intelligence platforms stop at observation. Takedown vendors lack sandbox evidence. ZeroFox is the first to connect malware validation directly to threat disruption in a single workflow: Discover the threat. Validate it with sandbox evidence. Disrupt it with a takedown backed by proof.

Request a demo to see ZeroFox malware sandboxing in action.

Frequently asked questions

A malware detonation sandbox is an isolated computing environment designed to safely execute suspicious files, URLs, or other artifacts and observe their behavior without risking production systems. "Detonation" refers to the controlled execution of a potentially malicious sample so that analysts can capture what it does, including network connections, file modifications, process activity, and data exfiltration attempts, and use those findings to make response decisions.
