Report a cybercrime, cyber security incident or vulnerability.
Report

What are you looking for?

You can search for keywords to find pages that can help you e.g. scam
First published: 11 Apr 2023
Last updated: 10 Nov 2023

Content written for

Individuals & families
Small & medium business

I’m a victim of a malware attack. What should I do?

Malware (short for 'malicious software') is software that cybercriminals use to gain access to or harm your device or network. Malware attacks can target individuals, for example, a targeted email sent to your email address. Or they can target many users, for example, with a fake download link that secretly installs malware.

Warning signs

Some common signs that a device is infected with malware are:

  • You notice unusual account activity, for example, logins from an unusual location or at an unusual time, or your passwords have been changed and you are unable to access your accounts
  • Your device consistently slows down, overheats, battery drains fast or runs its cooling fan faster than usual (these are signs that your processor is running at capacity)
  • Unexpected files and programs on your device. You may notice new programs, toolbars and icons have been installed
  • Unable to access files, or ransom demands for release of your files
  • You consistently see error messages that you never used to see
  • Your web browser automatically takes you to a web page you did not intend to open
  • Suspicious pop-up ads about updating or downloading a program
  • Someone knows something that they could only have found out if they had access to your device.

A malware attack can have serious and ongoing impacts. Malware can also act as an entry point for cybercriminals, opening the door to further malicious activity.

Steps to take if your device is infected with malware

A guide to removing malware, recovering your files and protecting yourself against future attacks.

This guide has simple steps to follow if you are a victim of a malware attack. Not all malware attacks are the same, so some of these steps may not apply to your situation. If you are unsure of what steps to take, consider seeking professional IT assistance.

Before you begin

  • If you can no longer access your files or have received a ransom note, it is possible you have been infected with ransomware. For specific recovery advice, follow our guidance on ransomware.
  • If you suspect your device is infected with malware due to unusual activity on one of your accounts, start by following ASD's ACSC’s guidance on account compromise. You should secure important accounts like bank accounts and email accounts as a priority.
  • As you complete the steps below, avoid entering passwords or other sensitive information on your infected device. Some malware can log your keystrokes and steal any sensitive information you input. If you need to change your passwords, ensure that the device you use is clean of malware.

Call the Australian Cyber Security Hotline on 1300 CYBER1 (1300 292 371) if you need cybersecurity assistance.

Report a cybercrime or security incident to ASD's ACSC using ReportCyber. ASD takes protecting your information seriously. Under the limited use obligation, information that industry organisations voluntarily provide ASD about cybersecurity incidents, potential incidents or vulnerabilities impacting your organisation cannot be used for regulatory purposes. This includes any information that is acquired or prepared by ASD with you organisation's consent.

Detect and remove malware

What type of device are you using?

Answer the question above to see steps to detect and remove malware from your device.

Phone or tablet

For most people, the best way to remove malware from a phone or tablet is to factory reset the device. Before you do this, make sure you back up your important information. In most cases, it is safe to back up photos, videos, contacts and messages to your device’s cloud service.

When looking for photos to back up, remember that photos you’ve been sent might be saved in a different location than photos from your camera roll. If you’d like to back up other types of files from your phone or tablet, speak to an IT professional first to make sure you don’t accidentally back up an infected file.

After backing up your information, factory reset your device to remove any malware. Be aware that a factory reset will permanently delete all of your information, so make sure you’ve completed step 1 and recovered what information you can first.

The steps to factory reset your phone or tablet vary across manufacturers. The manufacturer of your device will have guidance on their website. We’ve listed some resources below.

Now that you have factory reset your phone or tablet, restore the information you backed up in step 1.

The ACSC’s guidance on backups includes information on restoring your information.

Some forms of malware steal your passwords. As a precaution, you should change the passwords for any accounts you accessed from your infected device as soon as possible. Start with your most important accounts first.

What’s important will be different for everyone, but important accounts typically include:

  • cloud storage
  • email
  • social media
  • online banking
  • business accounts.

The ACSC has published guidance on using password managers and creating passphrases (a strong type of password).

As you change your passwords, consider enabling multi-factor authentication on supported accounts. Multi-factor authentication makes it harder for cybercriminals to get access to your accounts. The ACSC has published guidance on enabling multi-factor authentication

Visit ReportCyber to see if the incident should be reported to the ACSC.

It can be difficult to know how your device was infected with malware. If you suspect your device was infected with malware as part of a scam, report the incident to Scamwatch.

Additional reporting responsibilities for businesses

If you’re a business, depending on the severity of the malware compromise, you may have to notify your customers of the attack.

If your business holds sensitive information (such as financial or personally identifiable information), or is part of a government supply chain, you may also need to report the incident to regulators.

If you think you need to make a report, consult with the Office of the Australian Information Commissioner or seek legal or government support.

If applicable you may also need to contact:

  • The compromised website or product owner
    If the malware came from a compromised website or product, report the incident to its owner. This will help protect others from harm. Make sure you report it through an official email or phone number.
  • Services Australia
    Contact the Services Australia Scams and Identity Helpdesk. They provide support if you’ve sent personal details or money to someone pretending to be from a government service.
  • IDCARE
    Contact IDCARE if your personal information is at risk from a data breach. They’re a national identity and cyber support service for individuals and organisations.
  • Australian Taxation Office
    Contact the ATO if someone has stolen your personal or business identity. You must report all tax-related security issues to the ATO.

It can be difficult to know what information malware has accessed. After you have removed malware from your device, you should monitor your accounts in case they have been compromised. If you see any signs of suspicious activity, follow the ACSC’s guidance on account compromise.

Keep an eye out for any signs of identity theft following a malware incident.

Take some time to consider how your device was infected with malware so you can prevent the same thing from happening again.

The ACSC has published advice to help you protect against malware attacks.

This advice outlines precautions you can take to reduce the impact of malware attacks or prevent them from happening in the first place.

To keep up-to-date with the latest ACSC advice and guidance, consider joining our partnership program.

Laptop, computer, or other device

Check that you have antivirus software enabled on your device. Windows 10 and Windows 11 come with antivirus software called Microsoft Defender pre-installed. MacOS devices come with antivirus software called XProtect pre-installed. You may have also installed third-party antivirus software on your device.

Check that your antivirus software is receiving signature updates. If your antivirus software is on an expired subscription, you may need to renew the subscription or switch to a free alternative product to receive the latest signature updates.

The ACSC has published guidance on antivirus software.

Turn off your Bluetooth and Wi-Fi and disconnect your device from other networks and other devices, including external storage devices. This will reduce the risk that the malware spreads.

Use your antivirus software to run a full device scan to detect and remove any malware. Be aware that this scan could take a long time to complete.

  • If you are using third-party antivirus software, follow the instructions within your software program to run a full device scan.
  • If you’re running Windows Defender, follow Microsoft’s instructions under ‘Run an advanced scan in Windows Security’.
  • If you are using a MacOS device without any third-party antivirus software installed and are seeing signs of Malware, assume XProtect has failed to identify and block the malware and answer ‘yes’ in step 4.
Do you still see signs of malware?

More steps...

Some forms of malware steal your passwords. As a precaution, you should change the passwords for any accounts you accessed from your infected device as soon as possible. Start with your most important accounts first.

What’s important will be different for everyone, but important accounts typically include:

  • cloud storage
  • email
  • social media
  • online banking
  • business accounts.

The ACSC has published guidance on using password managers and creating passphrases (a strong type of password).

As you change your passwords, consider enabling multi-factor authentication on supported accounts. Multi-factor authentication makes it harder for cybercriminals to get access to your accounts. The ACSC has published guidance on enabling multi-factor authentication

Visit ReportCyber to see if the incident should be reported to the ACSC.

It can be difficult to know how your device was infected with malware. If you suspect your device was infected with malware as part of a scam, report the incident to Scamwatch.

Additional reporting responsibilities for businesses

If you’re a business, depending on the severity of the malware compromise, you may have to notify your customers of the attack.

If your business holds sensitive information (such as financial or personally identifiable information), or is part of a government supply chain, you may also need to report the incident to regulators.

If you think you need to make a report, consult with the Office of the Australian Information Commissioner or seek legal or government support.

If applicable you may also need to contact:

The compromised website or product owner:
If the malware came from a compromised website or product, report the incident to its owner. This will help protect others from harm. Make sure you report it through an official email or phone number.

Services Australia:
Contact the Services Australia Scams and Identity Helpdesk. They provide support if you’ve sent personal details or money to someone pretending to be from a government service.

IDCARE:
Contact IDCARE if your personal information is at risk from a data breach. They’re a national identity and cyber support service for individuals and organisations.

Australian Taxation Office:
Contact the ATO if someone has stolen your personal or business identity. You must report all tax-related security issues to the ATO.

It can be difficult to know what information malware has accessed. After you have removed malware from your device, you should monitor your accounts in case they have been compromised. If you see any signs of suspicious activity, follow the ACSC’s guidance on account compromise.

Keep an eye out for any signs of identity theft following a malware incident.

Take some time to consider how your device was infected with malware so you can prevent the same thing from happening again.

The ACSC has published advice to help protect you against malware attacks.

This advice outlines precautions you can take to reduce the impact of malware attacks or prevent them from happening in the first place.

To keep up-to-date with the latest ACSC advice and guidance, consider joining our partnership program.

If you still see signs of malware on your device, you may need to perform a factory reset. Be aware that a factory reset will delete all of your data, so ensure you have followed the steps below to back up your device safely first.
Do you have a backup?

It may still be possible to make a secure copy of your data but you will likely need help from an IT professional. Consider how important the affected information is to you and how much you are willing to pay for professional help to back it up.

Is the backup on your infected device?

Your backup may be infected with malware. It may still be possible to make a secure copy of your data but you will likely need help from an IT professional. Consider how important the affected information is to you and how much you are willing to pay for professional help to back it up.

Was the backup connected to your infected device at any point since the infection?

Your backup may be infected with malware. It may still be possible to make a secure copy of your data but you will likely need help from an IT professional. Consider how important the affected information is to you and how much you are willing to pay for professional help to back it up.

Have you sought the help of an IT professional?

Even though you don’t have a secure backup, you should still follow the steps below to factory reset your device. Just be aware that doing so will wipe all your data.

Great. Make sure you don't connect the backup to your infected device or network. Follow the steps below to perform a factory reset and remove the malware from the infected device first.

Your backup should be secure. Make sure you don't connect the backup to your infected device or network. Follow the steps below to perform a factory reset and remove the malware from the infected device first.

After backing up your information, remove any malware by wiping all infected drives and devices and reinstalling their operating systems. Be aware that this step will permanently delete all of your information, so make sure you’ve completed step 5 and recovered what information you can first.

Remember that malware can spread across a network. We recommend following this step for all drives and devices that were on the same network as the infected device at any point since the infection.

The steps to wipe your drives and devices vary across manufacturers. The manufacturer of your drive or device will have guidance on their website. We’ve listed some resources below.

Apple Mac devices: Apple Support
Microsoft Windows devices: Microsoft Support (search for the article "Recovery options in Windows")

Now that you have removed the malware from the affected drives and devices, it is safe to connect them to your backups and restore your information. Remember the guidance in Step 5; only restore information from a backup if you are confident that it is free from malware.

The ACSC’s guidance on backups includes information on restoring your information.

Some forms of malware steal your passwords. The ACSC has published guidance on using password managers and creating unique passphrases, a strong type of password. As a precaution, you should change the passwords for any accounts you accessed from your infected device as soon as possible. Start with your most important accounts first.

What’s important will be different for everyone, but important accounts typically include:

  • cloud storage
  • email
  • social media
  • online banking

The ACSC has published guidance on using password managers and creating passphrases (a strong type of password).

As you change your passwords, consider enabling multi-factor authentication on supported accounts. Multi-factor authentication makes it harder for cybercriminals to get access to your accounts. The ACSC has published guidance on enabling multi-factor authentication.

Visit ReportCyber to see if the incident should be reported to the ACSC.

It can be difficult to know how your device was infected with malware. If you suspect your device was infected with malware as part of a scam, report the incident to Scamwatch.

Additional reporting responsibilities for businesses

If you’re a business, depending on the severity of the malware compromise, you may have to notify your customers of the attack.

If your business holds sensitive information (such as financial or personally identifiable information), or is part of a government supply chain, you may also need to report the incident to regulators.

If you think you need to make a report, consult with the Office of the Australian Information Commissioner or seek legal or government support.

If applicable you may also need to contact:

The compromised website or product owner
If the malware came from a compromised website or product, report the incident to its owner. This will help protect others from harm. Make sure you report it through an official email or phone number.

Services Australia
Contact the Services Australia Scams and Identity Helpdesk. They provide support if you’ve sent personal details or money to someone pretending to be from a government service.

IDCARE
Contact IDCARE if your personal information is at risk from a data breach. They’re a national identity and cyber support service for individuals and organisations.

Australian Taxation Office
Contact the ATO if someone has stolen your personal or business identity. You must report all tax-related security issues to the ATO.

It can be difficult to know what information malware has accessed. After you have removed malware from your device, you should monitor your accounts in case they have been compromised. If you see any signs of suspicious activity, follow the instructions on the 'Have you been hacked? - I can’t access my account, or I’ve noticed unusual account activity' page.

Keep an eye out for any signs of identity theft following a malware incident.

Take some time to consider how your device was infected with malware so you can prevent the same thing from happening again.

The ACSC has published advice to help protect you against malware attacks.

This advice outlines precautions you can take to reduce the impact of malware attacks or prevent them from happening in the first place.

To keep up-to-date with the latest ACSC advice and guidance consider joining our partnership program.

Was this information helpful?

Thanks for your feedback!

Optional

Tell us why this information was helpful and we’ll work on making more pages like it