Skip to main content
Each year, IBM Security X-Force—our in-house team of cybersecurity experts and remediators—mines billions of data points to expose today’s most urgent security statistics and trends.
X-Force Threat Intelligence Index 2022
Combating new threats in a time of constant change
This year’s IBM Security X-Force Threat Intelligence Index presents an uncomfortable truth: as businesses, institutions and governments continue to adapt to a fast-changing global market—including hybrid and cloud-based work environments—threat actors remain adept at exploiting such shifts.

Manufacturing becomes the world’s most attacked industry.

1 in 4
attacks on this sector are from ransomware
One purple circle and three blue circles representing that one in four attacks on the manufacturing sector are from ransomware

For the first time in five years, manufacturing outpaced finance and insurance in the number of cyberattacks levied against these industries, extending global supply chain woes. Manufacturers have a low tolerance for downtime, and ransomware actors are capitalizing on operational stressors exacerbated by the pandemic.

Frequency of different attack vectors: 47% vulnerability exploitation, 40% phishing, 7% removable media, and equally, brute force and stolen credentials with 3%.

How They’re Getting in: Top infection vectors for manufacturing

Threat actors understand the critical role manufacturing plays in global supply chains and are seeking to disrupt these organizations.

Malware uses sophisticated new tricks to infiltrate.

Surge in IoT malware activity between Q3 2019 and Q4 2020.

As defenses grow stronger, malware gets more innovative. Attackers are increasingly using cloud-based messaging and storage services to blend into legitimate traffic. And some groups are experimenting with new techniques in encryption and code obfuscation to go unnoticed.

Maintaining properly hardened systems, enacting effective password policies and ensuring policy compliance is critical to maintaining a robust cloud security posture.

In the age of triple extortion, business partners may put you at risk.

Number of stages in a typical ransomware attack. Download the report to see the full attack flow, including definitions.

Triple extortion is an increasingly popular tactic of encrypting and stealing data, while also threatening to expose the data publicly and engage in a distributed denial of service (DDoS) attack against the affected organization unless a ransom is paid.

A woman works in a cluttered and empty office, representing someone who may be vulnerable to a ransomware attack.

Ransomware gangs are also looking to their primary victim’s business partners to pressure them into paying a ransom to prevent their own data leakages or business disruptions caused by a ransomware attack.

Triple extortion is particularly problematic because the victims’ networks are held hostage with two kinds of malicious attacks, and they are further victimized by the theft and leakage of data.

Multi-factor authentication shows promising signs of success.

Percentage of attacks in Latin America that were business email compromise attacks. That percentage in 2019? Zero.
A woman works on her smartphone in her garage, representing how multi-factor authentication provides security anywhere.

Multi-factor authentication (MFA) can decrease the risk of several different types of attack, including ransomware, data theft, business email compromise (BEC) and server access. But BEC is rising in regions where MFA is seemingly less common, like Latin America.

X-Force research confirms that zero trust principles can decrease organizations’ susceptibility to BEC. Identity and access management technologies are making MFA implementation easier.

Big brands are the big ticket into your organization.

Phishing was 2021’s top infection vector, and the brands that were most imitated in phishing kits are among the largest and most trusted companies: Microsoft, Apple and Google.

Outdoor staircase up to a corporate courtyard.
Percentage of victims who clicked on targeted phishing campaigns that added phone calls (vishing, or voice phishing).

Four out of 10 attacks start with phishing, but X-Force Red, IBM’s global team of red team hackers that break into organizations and uncover risky vulnerabilities, reports that adding vishing (or voice phishing) to a targeted phishing campaign makes the effort three times as effective as a classic phishing campaign.

A well-imitated logo is enough to gain trust. Can your employees spot the difference between a fake email and a real one? About one in five can’t.

Vulnerabilities rise sharply as the Internet of Things expands.

Increase in adversarial reconnaissance activity targeting a popular supervisory control and data acquisition (SCADA) messaging protocol between January and September 2021, as observed by X-Force.

The number of vulnerabilities related to Internet of Things devices increased by 16% year over year, compared to a growth rate of only 0.4% for vulnerabilities overall. For industrial control systems, the rise was even more dramatic at 50%—an elevated risk as threat actors seek to disrupt the manufacturing and energy sectors.

Representation of the number of new vulnerabilities identified between 2011 (7380 cases) and 2021 (19549 cases).

Connectivity Issues: Number of vulnerabilities identified each year since 2011

While industrial organizations are at the greatest risk, any organization using IoT is increasingly exposed to vulnerabilities.

As organizations move to the cloud, attackers follow.

4 out of 5
Number of Linux malware categories (such as ransomware and cryptominers) in which new code increased since the previous year.

Malware targeting Linux environments rose dramatically in 2021—a surge possibly correlated to more organizations moving into cloud-based environments, many of which rely on Linux for their operations.

The exterior of a corporate office building at nighttime, with some half office windows illuminated

A threat actor to know: A gang called LemonDuck caused several compromises observed by X-Force in 2021. LemonDuck malware evolved from cryptomining and has since built a large botnet of compromised devices; it targets both Linux and Windows systems. LemonDuck campaigns capitalize on news events for phishing lures.

The level of new and unique code in Linux malware in 2021 surpassed 2020 levels, highlighting how innovation in Linux malware has made these threats more dangerous.

A single gang initiated 37% of ransomware attacks, an organization’s biggest threat.

17 months
Average lifespan of ransomware gangs before rebranding or disbanding.

Ransomware remains the leading type of attack, although it decreased as a share of overall attacks. Why? Our theory is law enforcement action. The REvil operation accounted for a whopping 37% of ransomware attacks that X-Force remediated last year before the gang shut down in October 2021. Members of the gang were arrested, but many ransomware groups that disband later reemerge under new names. The frequency of ransomware attacks tends to shift throughout the year, often increasing in May and June. Ransomware attacks appear to decrease in late summer or early fall, with January having the least amount of activity.

Representation of the number of months a ransomware gang existed before rebranding - DoppelPaymer 26 months, Grief 8 months, GandCrab 17 months, REvil 31 months, Maze 19 months and Egregor with 6 months.

Malfeasant Makeovers: Notable ransomware gang rebrands

Have a ransomware response plan, backups and an alternate location for critical business operations during remediation. Consider if or when you might ever pay a ransom.