Press Release

Ransomware tops X-Force Threat Intelligence Index 2022

Tue 12 Apr 2022

In new research by IBM, ransomware has been ranked among the top three threats in cyber security. This was among the top findings of IBM Security’s latest research published in the tenth annual X-Force Threat Intelligence Index


The report underscores the resilience of ransomware in netting millions of dollars for cyber-criminal gangs, and threatening to disrupt businesses, supply chains and whole industries. Manufacturing bore the brunt of these attacks, as the industry climbed the rankings to be the top-most attacked industry, surpassing finance and insurance for the first time since 2016.

Furthermore, the report highlights the resurgence in phishing attacks as the top initial attack vector. Vulnerability exploitation was right behind phishing as the number two attack vector, while the number of disclosed vulnerabilities continues to surge to record highs. The vulnerability in Apache Log4j was quickly exploited after it was discovered in December, showing the capability of threat actors to jump on newly disclosed security vulnerabilities to launch their attacks.

Ransomware still the top threat

Ransomware was the top attack type in 2021, edging out server access attacks, business email compromise (BEC), data theft and credential harvesting. However, while the volume of ransomware attacks remained consistent year-over-year, the share of attacks detected by IBM Security X-Force that were ransomware declined, dropping from 23% of attacks in 2020 to 21% of attacks in 2021. The most likely cause for this drop in ransomware was law enforcement action.

The resilience of REvil

In October 2021, members of the ransomware group, known as REvil were arrested in Russia, and the group apparently went dark or disbanded after that. REvil was one of the most successful ransomware gangs globally, before the October shutdown. In 2020, the group made estimated profits of at least $123 million, according to conservative X-Force estimates. In 2021, 37% of all ransomware attacks X-Force observed were from REvil. The group had been in existence at least since April 2019, and with a 31 month lifespan, persisted much longer than the 17-month average X-Force has identified for ransomware groups.

Ransomware as a share of attacks peaked at 33% in June of last year, after the ransomware attack that shut down Colonial Pipeline in May. There is a history of seasonality in ransomware attacks—although more ransomware actors took “time off” in 2021 than in a typical year, perhaps fearing a crackdown, as ransomware plummeted to zero percent of attacks in August. Ransomware bounced back in October, to 25% of attacks, before plunging again to 5% in November, after the REvil takedown.

Yet ransomware resurged, rising to a peak of 29% in December, putting this threat’s resilience on display.

Ransomware is definitely not gone, despite high-profile takedowns and arrests. There are just too many attackers out there, affiliates and malware groups looking for big bounties, and we expect to see ransomware bump up again during 2022. What comes after REvil? Will there be a surge in Ryuk, the second most successful ransomware group? It’s difficult to say. Perhaps these groups will rebound or re-emerge under different names. Hopefully, law enforcement will have more of an impact going forward, deterring cybercriminals and potential newcomers in the ransomware business.

  • Recommendation: Maturing a zero trust security model, where a breach is assumed and the goal is to increase the difficulty for an attacker to move throughout a network, makes it harder for ransomware to spread through your organisation, even after an initial compromise. Limit domain administrator accounts and protect privileged accounts, strictly auditing who is accessing admin accounts and when, and looking for suspicious activity. Secure Active Directory to protect a “gold mine” of passwords for hackers. And restrict common lateral movement pathways through network segmentation where possible.

Phishing and vulnerability exploitation

Phishing was the most common initial attack vector—how threat actors initially broke through security defences to infiltrate organizations. Phishing was used in 41% of attacks that X-Force remediated, surging from 2020 when it was responsible for 33% of attacks. Vulnerability exploitation was close behind, leading to 34% of attacks X-Force observed.

The phishing kits that threaten actors’ use with limited gains generally last for only about a day before the malicious domains are blocked. Often these kits are after account credentials to different online services. They typically leverage news events or imitate popular technology and banking brands, drawing on the original website’s code, look and feel, to get past human defences.

Targeted phishing campaigns that are used in attacks on company networks proved far more successful in 2021. X-Force Red, IBM Security’s team of hackers, found in its simulated phishing campaigns that the average click rate for a targeted phishing campaign was 17.8%. When vishing (voice phishing) phone calls were added to the campaign, the click rate rose to 53.2%, three times as effective.

Several ransomware groups, including REvil, used phishing effectively to gain initial access to networks, and used it to stage their attacks throughout 2021.

  • Recommendation: Perimeter defences and user education are not enough to stop phishing, but they are part of the layers of defence one should have in place. To further mitigate risks, implement several defences that can help to catch malware or lateral movement quickly should a phishing email slip through. Think about user behavior analytics (UBA), behavioural-based anti-malware detection, endpoint detection and response (EDR), intrusion detection and prevention solutions.

Learn more in the X-Force Threat Intelligence Index

There’s much more to learn about the current threat landscape in the X-Force Threat Intelligence Index.

Visit ibm.biz/xforcethreatindex to see more of the top themes and key stats discussed in the report –  download the full report.

Send us a correction Send us a news tip