For the third year in a row, ransomware was the top attack type globally in 2021, despite some successes last year by law enforcement to take down ransomware groups. This was among the top findings of IBM Security’s latest research published in the tenth annual X-Force Threat Intelligence Index, a comprehensive overview of the global threat landscape based on data collected from January to December 2021.

The report underscores the resilience of ransomware, which nets millions of dollars for cybercriminal gangs and threatens to disrupt businesses, supply chains and whole industries. Manufacturing bore the brunt of these attacks, as the industry climbed the rankings to be the top-most attacked industry, surpassing finance and insurance for the first time since 2016.

Furthermore, the report highlights the resurgence in phishing attacks as the top initial attack vector last year. Vulnerability exploitation was right behind phishing as the number two attack vector, while the number of disclosed vulnerabilities continues to surge to record highs. The vulnerability in Apache Log4j was quickly exploited after it was discovered in December, showing the capability of threat actors to jump on newly disclosed security vulnerabilities to launch their attacks.

Below we go into more detail about these top findings, and provide some key recommendations for combating these threats during a time of constant change.

Download the Report

Ransomware still the top threat

Ransomware was the top attack type in 2021, edging out server access attacks, business email compromise (BEC), data theft and credential harvesting. However, while the volume of ransomware attacks remained consistent year-over-year, the share of attacks detected by IBM Security X-Force that were ransomware declined, dropping from 23% of attacks in 2020 to 21% of attacks in 2021.

The most likely cause for this drop in ransomware was law enforcement action. In October 2021, members of the ransomware group known as REvil were arrested in Russia, and the group apparently went dark or disbanded after that.

REvil was one of the most successful ransomware gangs around before the October shutdown. In 2020, the group made estimated profits of at least $123 million, according to conservative X-Force estimates. In 2021, 37% of all ransomware attacks X-Force observed were from REvil. The group had been in existence at least since April 2019, and with a 31-month lifespan, persisted much longer than the 17-month average X-Force has identified for ransomware groups.

Ransomware as a share of attacks peaked at 33% in June of last year, after the ransomware attack that shut down Colonial Pipeline in May. There is a history of seasonality in ransomware attacks — although more ransomware actors took “time off” in 2021 than in a typical year, perhaps fearing a crackdown, as ransomware plummeted to zero percent of attacks in August. Ransomware bounced back in October, to 25% of attacks, before plunging again to 5% in November, after the REvil takedown. Yet ransomware resurged, rising to a peak of 29% in December, putting this threat’s resilience on display.

Ransomware is definitely not gone, despite high-profile takedowns and arrests. There are just too many attackers out there, affiliates and malware groups looking for big bounties, and we expect to see ransomware bump up again during 2022. What comes after REvil? Will there be a surge in Ryuk, the second most successful ransomware group? It’s difficult to say. Perhaps these groups will rebound or re-emerge under different names. Hopefully, law enforcement action will have even more of an impact going forward, deterring cybercriminals and potential newcomers in the ransomware business.

  • Recommendation: Maturing a zero trust security model, where a breach is assumed and the goal is to increase the difficulty for an attacker to move throughout a network, makes it harder for ransomware to spread through your organization, even after an initial compromise. Limit domain administrator accounts and protect privileged accounts, strictly auditing who is accessing admin accounts and when, and looking for suspicious activity. Secure Active Directory to protect a “gold mine” of passwords for hackers. And restrict common lateral movement pathways through network segmentation where possible.

Manufacturing rises to top targeted industry

Last year saw enormous pressure on global supply chains, due to the pandemic and other factors like a shortage of transportation and delays at ports. Threat actors appeared to recognize the vulnerability of manufacturing organizations, and attackers set their sights on the industry. Manufacturing was the top attacked industry, receiving 23% of attacks, ahead of finance and insurance, which saw 22% of attacks.

Manufacturing’s low tolerance for downtime was likely a factor in its targeting by threat actors. Ransomware actors have leverage since they can cut off manufacturing operations and thereby cut off millions in revenue. This sort of pressure can make manufacturers more willing to pay, and sooner. About 23% of attacks on manufacturing organizations were ransomware, the top attack type against this industry.

BEC attackers likely found manufacturers to be a prime target too because these organizations routinely buy raw materials from overseas providers. As such, they are more accustomed to moving large sums of money through foreign banks, making it easier for cybercriminals to insert themselves into existing workflows and invoices. In some cases we observed, BEC fraud happened with a simple change of account number.

In addition, threats against manufacturing organizations are threats against operational technology (OT). Manufacturing was targeted in 61% of attacks against OT-connected organizations, far more than any other industry.

X-Force observed massive reconnaissance against OT networks in 2021, searching for exploitable communications in industrial networks. Between January and September, X-Force observed a 2,204% rise in reconnaissance against a popular supervisory control and data acquisition (SCADA) messaging protocol, as threat actors may have increased activity searching for targets to ransom or seize control and cause harm.

  • Recommendation: A zero trust security model can help manufacturers deal with attacks, including ransomware, BEC, and SCADA Modbus scanning. Once attackers get in, you need a plan B for stopping them from reaching the most sensitive parts of the network, like Active Directory or OT networks. Organizations can decrease the blast radius by segmenting networks, including segmentation of OT from the rest of IT, and securing vulnerable ports.

Phishing and vulnerability exploitation the top attack vectors

Phishing was the most common initial attack vector — how threat actors initially broke through security defenses to infiltrate organizations. Phishing was used in 41% of attacks that X-Force remediated, surging from 2020 when it was responsible for 33% of attacks. Vulnerability exploitation was close behind, leading to 34% of attacks X-Force observed.

The phishing kits that threat actors use with limited gains generally last for only about a day before the malicious domains are blocked. Often these kits are after account credentials to different online services. They typically leverage news events or imitate popular technology and banking brands, drawing on the original website’s code, look and feel to get past human defenses.

Targeted phishing campaigns that are used in attacks on company networks proved far more successful in 2021. X-Force Red, IBM Security’s team of hackers, found in its simulated phishing campaigns that the average click rate for a targeted phishing campaign was 17.8%. When vishing (voice phishing) phone calls were added to the campaign, the click rate rose to 53.2%, three times as effective.

Several ransomware groups, including REvil, used phishing effectively to gain initial access to networks and used it to stage their attacks throughout 2021.

  • Recommendation: Perimeter defenses and user education are not enough to stop phishing, but they are part of the layers of defense one should have in place. To further mitigate risks, implement several defenses that can help to catch malware or lateral movement quickly should a phishing email slip through. Think about user behavior analytics (UBA), behavioral-based anti-malware detection, endpoint detection and response (EDR), intrusion detection and prevention solutions.

Vulnerability exploitation also continues to pose a meaningful threat. Despite falling from first in 2020 to the second most common attack vector, the number of incidents caused by vulnerability exploitation increased by 33% from 2020 to 2021.

Record numbers of vulnerabilities were discovered in 2021, including a vulnerability in the Kaseya monitoring software that was exploited by REvil in July, and the Log4j (or Log4Shell) vulnerability in Apache’s popular logging library. Threat actors from across the cybercrime and nation-state gamut were so quick to exploit Log4j that it rose to number two on the X-Force top 10 list of most exploited vulnerabilities for the year, despite only being discovered in December 2021. The top vulnerability was a flaw in Microsoft Exchange that allowed attackers to bypass authentication to impersonate an administrator.

These vulnerabilities in popular enterprise applications underscore the challenge organizations face as the attack surface has expanded. The number of exploits — tools that threat actors use to exploit a vulnerability — has also steadily increased, giving attackers a wide array of choices for attacking vulnerabilities in organizations’ software, networks or OT.

  • Recommendation: Refine and mature your vulnerability management system, identifying which vulnerabilities impact your organization most, and prioritize vulnerabilities based on the likelihood they will be exploited. Review patch management procedures, and identify how to deploy security patches in a low-risk fashion. Have a team of dedicated professionals focus on this important task. A zero trust approach that applies the principle of least privilege throughout an enterprise network can also help head off attackers who get in by exploiting vulnerabilities.

Learn more in the X-Force Threat Intelligence Index

There’s much more to learn about the current threat landscape in the X-Force Threat Intelligence Index.

  • All the top attack types and top infection vectors, from ransomware and BEC to phishing and vulnerability exploitation.
  • Analysis of threats against OT and Internet of Things, including the top attack types against OT-connected organizations, and Mozi, the top botnet threatening IoT devices.
  • Top threat actors of 2021, such as the Trickbot gang that uses phishing lures to gain an entry point for ransomware attacks.
  • Trends in malware development, including cybercriminal innovation in different types of Linux malware that helps threat actors evade detection and infiltrate cloud environments, including containers.
  • Geographic trends that show Asia has taken the top spot as the most attacked region in the world, after a spate of attacks on Japan during last summer’s Olympic games.
  • Industry trends highlighting the top attack types in 10 major industries.
  • And recommendations for risk mitigation based on the cumulative expertise of X-Force.

Visit ibm.biz/xforcethreatindex to preview more of the top themes and key stats discussed in the report, and download the full report. Plus, sign up to attend a webinar with the report authors on March 3 for a detailed investigation of the findings and what they mean for organizations defending against threats.

More from Threat Intelligence

Hive0137 and AI-supplemented malware distribution

12 min read - IBM X-Force tracks dozens of threat actor groups. One group in particular, tracked by X-Force as Hive0137, has been a highly active malware distributor since at least October 2023. Nominated by X-Force as having the “Most Complex Infection Chain” in a campaign in 2023, Hive0137 campaigns deliver DarkGate, NetSupport, T34-Loader and Pikabot malware payloads, some of which are likely used for initial access in ransomware attacks. The crypters used in the infection chains also suggest a close relationship with former…

Phishing kit trends and the top 10 spoofed brands of 2023

4 min read -  The 2024 IBM X-Force Threat Intelligence Index reported that phishing was one of the top initial access vectors observed last year, accounting for 30% of incidents. To carry out their phishing campaigns, attackers often use phishing kits: a collection of tools, resources and scripts that are designed and assembled to ease deployment. Each phishing kit deployment corresponds to a single phishing attack, and a kit could be redeployed many times during a phishing campaign. IBM X-Force has analyzed thousands of…

Grandoreiro banking trojan unleashed: X-Force observing emerging global campaigns

16 min read - Since March 2024, IBM X-Force has been tracking several large-scale phishing campaigns distributing the Grandoreiro banking trojan, which is likely operated as a Malware-as-a-Service (MaaS). Analysis of the malware revealed major updates within the string decryption and domain generating algorithm (DGA), as well as the ability to use Microsoft Outlook clients on infected hosts to spread further phishing emails. The latest malware variant also specifically targets over 1500 global banks, enabling attackers to perform banking fraud in over 60 countries…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today