Cybersecurity - Lesson 1 of 6

Forms of Attack - Malware

Six types of malware. They look similar in questions but have precise, examinable differences. By the end of this lesson you'll be able to name, define and distinguish all six - and avoid the most common exam mistakes.

Time: 45 - 60 min. Topics: Virus, Worm, Trojan, Ransomware, Spyware, Keylogger

You open an email attachment - a CV from a job applicant. Nothing seems to happen. The document closes. You carry on with your day. Three days later, every file on the school network is encrypted and a message demands £15,000 in Bitcoin. You have 72 hours.

Think about it: The attack happened silently, three days before anyone noticed. What type of malware does that? And how was it different to a virus that shows symptoms immediately?

The answer involves understanding the precise differences between malware types. In this lesson, you'll learn exactly what each type is, how it spreads, and what distinguishes it from the others - because examiners test those distinctions specifically.

Why this matters in the exam

Questions about malware appear in virtually every paper. The most commonly lost marks are students writing "a virus spreads through a network automatically" (that's a worm) or "a trojan self-replicates" (it doesn't). Precision with malware definitions is a guaranteed mark opportunity.

What is malware?

Malware is an umbrella term for any software deliberately designed to disrupt, damage, gain unauthorised access to, or extract data from a computer system. The word combines "malicious" and "software".

There are six types you need to know for GCSE Computer Science. They differ in three key ways: how they spread, what they do once installed, and whether they replicate.

Malware
Any software designed to harm, exploit or gain unauthorised access to a computer system.
Infection vector
The route through which malware enters a system (email attachment, download, USB drive, network connection).
Self-replication
The ability of malware to copy itself and spread to other files, programs, or devices automatically.
Payload
The harmful action malware performs once it has infected a system (e.g. deleting files, encrypting data, capturing keystrokes).

The six malware types

Each type has specific characteristics. For each one, read the exam tip and note the common misconception.

Virus
Attaches to files - needs user action to spread
A virus attaches itself to a legitimate file or program. It only spreads when the infected file is opened or shared. Without user action - someone running the infected program or sending the file - the virus cannot spread further.
How it spreads
Via infected email attachments, downloads, infected USB drives, or shared files. Requires user action at each step.
Exam tip: When a question asks how a virus spreads, always mention that it requires user action. This distinguishes it from a worm.
Common mistake: Writing that a virus "spreads automatically across a network." That is a worm. A virus needs someone to open or share the infected file.

Worm
Self-replicates across networks - no user action needed
A worm self-replicates and spreads across networks automatically, without any user action. It exploits network vulnerabilities, moving from device to device on its own.
How it spreads
Automatically across network connections, exploiting security vulnerabilities in operating systems and services. Does not need a user to open a file.
Exam tip: The defining feature of a worm is automatic spread with no user interaction. Emphasise this in any answer.
Common mistake: Confusing worms with viruses. Remember: worm = automatic spread; virus = needs human action.

Trojan
Disguised as legitimate software - does not self-replicate
A trojan is malware disguised as legitimate, useful software. The user installs it willingly, not knowing it contains malicious code. Unlike viruses and worms, trojans do not self-replicate - they rely entirely on users downloading and running them.
How it spreads
Through fake downloads - pirated software, fake utilities, unofficial game downloads. The user actively installs it believing it is genuine.
Exam tip: Always mention two things: (1) it disguises itself as legitimate software, and (2) it does NOT self-replicate. Both points are commonly tested.
Common mistake: Writing that a trojan spreads automatically. It does not - it relies on social engineering to get users to install it.

Ransomware
Encrypts files, demands payment
Ransomware encrypts the victim's files, making them completely inaccessible. The attacker then demands a ransom payment (typically in cryptocurrency) in exchange for the decryption key. Even if paid, there is no guarantee files will be restored.
How it spreads
Often delivered as an email attachment, malicious download, or via other malware already on the system. Once on one device, it often spreads to network drives too.
Exam tip: Be specific - ransomware encrypts files, not just "locks" or "deletes" them. The encryption point is what makes it particularly devastating and is what examiners want to see.
Common mistake: Saying ransomware "deletes" files. It encrypts them - the data is still there but unreadable without the key.

Spyware
Secretly monitors activity - sends data to attacker
Spyware secretly monitors user activity and sends collected information to an attacker without the user's knowledge. It operates silently in the background, gathering browsing history, credentials, financial data, and personal information.
How it spreads
Bundled with legitimate software downloads, installed by trojans, or downloaded via deceptive browser pop-ups.
Exam tip: Emphasise the word secretly - spyware operates covertly. Also mention that it transmits data to the attacker, not just collects it.
Common mistake: Confusing spyware with keyloggers. Spyware collects broader data (browsing, screenshots, credentials). A keylogger specifically records keystrokes.

Keylogger
Records every keystroke
A keylogger records every keystroke made on the infected device and transmits this data to an attacker. This captures passwords, banking details, private messages, and anything else typed. Keyloggers can be software (installed malware) or hardware (a physical device plugged into the keyboard port).
How it spreads
Software keyloggers arrive like other malware - downloads, email attachments, trojans. Hardware keyloggers require physical access to plug in.
Exam tip: Keyloggers can be hardware or software - this distinction sometimes appears in exam questions. Mention both if asked to describe keyloggers generally.
Common mistake: Writing that a keylogger "hacks passwords". Be more precise: it records keystrokes and transmits them, so an attacker can then extract passwords from the captured data.

How malware spreads - the key distinction

The most tested distinction in malware questions is how each type spreads. There are three spread mechanisms - and knowing which applies to which malware type is the difference between full and partial marks.

Needs user action

Virus - only spreads when an infected file is opened or shared by a user

Automatic across networks

Worm - replicates and spreads without any human involvement

Relies on deception

Trojan - user installs it, thinking it is legitimate software

Delivered by other malware

Ransomware, Spyware, Keylogger - often delivered via trojans, phishing or downloads

Malware Classifier
Match each description to the correct malware type.

Descriptions:
Spreads across networks without user action
Encrypts files and demands payment
Disguised as legitimate software
Records every keystroke
Needs user to open a file to spread
Secretly monitors activity and sends data to attacker

Malware types:
Virus
Worm
Trojan
Ransomware
Spyware
Keylogger

Real-world malware: famous cases

These incidents are real. Understanding how they happened links exam theory to practice - and examiners love scenario questions based on real-world attacks.

How a ransomware attack unfolds

Ransomware does not appear from nowhere. It follows a predictable sequence of stages. Each stage covers what the attacker does and what the victim experiences.

Ransomware Attack Simulator
Stage 1 of 6 - Initial infection

5-Question Check
Test your understanding before moving on
Question 1 of 5
Which malware type spreads across a network automatically, without any user action?
Question 2 of 5
A student downloads a free game from an unofficial website. Unknown to them, it installs software that gives an attacker remote access. What type of malware is this?
Question 3 of 5
After a malware infection, all files on a company network show as unreadable and a message demands £10,000. What type of malware caused this?
Question 4 of 5
Which statement correctly describes a keylogger?
Question 5 of 5
What is the key difference between spyware and a keylogger?
Think deeper

A hospital is targeted by malware that encrypts patient records. The hospital pays the ransom but the attackers do not provide the decryption key. Explain two reasons why paying the ransom is not recommended.

Reason 1 - No guarantee of recovery: Once the ransom is paid, there is no obligation on the attacker to provide the decryption key. The hospital has already demonstrated willingness to pay, and attackers may simply take the money and disappear. Even if a key is provided, it may not successfully decrypt all files.

Reason 2 - Encourages further attacks: Paying confirms to attackers that the target is willing to pay. This makes the organisation a target for future attacks, and funds the attacker's criminal activity, enabling them to target other organisations. It also signals to other criminal groups that ransomware attacks on hospitals are profitable.
Printable Worksheets

Practice what you have learned

Three levels of worksheet for this lesson. Download, print and complete offline.

Recall
Malware Types
Key term definitions, malware type identification, and fill-in-the-blank spread mechanism tables.
Apply
Infection Scenarios
Read each scenario and identify the malware type. Explain the mechanism that makes your answer correct.
Exam Style
Exam-Style Questions
Extended response and evaluation questions on malware types, impacts, and real-world case studies.
Teacher Panel
L1: Forms of Attack - Malware
Suggested timing
0–5 min: Hook scenario - students read opening, discuss in pairs
5–20 min: Malware cards - students work through each, take notes
20–35 min: Classifier drag activity - pairs or individual
35–45 min: Quiz + Think Deeper discussion
45–60 min: Exit tickets + worksheet 1
Learning objectives
1. Define the term malware and name all six types
2. Explain how each malware type spreads and what it does
3. Distinguish between similar types (virus vs worm, spyware vs keylogger)
4. Apply knowledge to novel scenarios (exam-style)
Starter idea
Show the hook scenario on the board without the lesson content. Ask students: "What type of attack is described? How do you know?" Collect answers - most will say "virus" or "hack" generically, which sets up the lesson perfectly by revealing the precision needed.
Board vocabulary
Malware
Malicious software designed to harm or gain unauthorised access
Virus
Attaches to files; spreads only when user opens/shares infected file
Worm
Self-replicates across networks; no user action needed
Trojan
Disguised as legitimate software; does not self-replicate
Ransomware
Encrypts files and demands payment for decryption key
Spyware
Secretly monitors activity and sends data to attacker
Keylogger
Records every keystroke; can be software or hardware
Discussion prompts
Why might a hospital be specifically targeted with ransomware rather than spyware?
If a worm spreads automatically, why do devices still need human users to be vulnerable to them?
A keylogger can be hardware. What does this tell us about physical security?
Common misconceptions
"A virus spreads automatically across a network" - this is a worm.
"A trojan self-replicates" - it does not; it relies on the user installing it.
"Ransomware deletes your files" - it encrypts them; the data still exists but is inaccessible without the key.
"Spyware and keyloggers are the same thing" - a keylogger is a type of spyware, but it specifically records keystrokes.
Exit tickets
Name and describe two malware types that spread WITHOUT requiring any user action. [4 marks]
Explain the difference between a virus and a worm. [2 marks]
A business finds that customer passwords have been stolen, but no files appear to have been damaged. Suggest which type of malware is most likely responsible and justify your answer. [3 marks]