Skip to main content
Each year, IBM Security X-Force—our in-house team of cybersecurity experts and remediators—mines billions of data points to expose today’s most urgent security statistics and trends.
X-Force Threat Intelligence Index 2022
Combating new threats in a time of constant change
This year’s IBM Security X-Force Threat Intelligence Index presents an uncomfortable truth: as businesses, institutions and governments continue to adapt to a fast-changing global market—including hybrid and cloud-based work environments—threat actors remain adept at exploiting such shifts.
Download the full report (3.8 MB)
X-Force Threat Intelligence Index 2022Download the full report (3.8 MB)

Manufacturing becomes the world’s most attacked industry.

About
1 in 4
attacks on this sector are from ransomware
One purple circle and three blue circles representing that one in four attacks on the manufacturing sector are from ransomware

For the first time in five years, manufacturing outpaced finance and insurance in the number of cyberattacks levied against these industries, extending global supply chain woes. Manufacturers have a low tolerance for downtime, and ransomware actors are capitalizing on operational stressors exacerbated by the pandemic.

Frequency of different attack vectors: 47% vulnerability exploitation, 40% phishing, 7% removable media, and equally, brute force and stolen credentials with 3%.

How They’re Getting in: Top infection vectors for manufacturing

Takeaway
Threat actors understand the critical role manufacturing plays in global supply chains and are seeking to disrupt these organizations.

Malware uses sophisticated new tricks to infiltrate.

3000%
Surge in IoT malware activity between Q3 2019 and Q4 2020.

As defenses grow stronger, malware gets more innovative. Attackers are increasingly using cloud-based messaging and storage services to blend into legitimate traffic. And some groups are experimenting with new techniques in encryption and code obfuscation to go unnoticed.

Takeaway
Maintaining properly hardened systems, enacting effective password policies and ensuring policy compliance is critical to maintaining a robust cloud security posture.

In the age of triple extortion, business partners may put you at risk.

5
Number of stages in a typical ransomware attack. Download the report to see the full attack flow, including definitions.

Triple extortion is an increasingly popular tactic of encrypting and stealing data, while also threatening to expose the data publicly and engage in a distributed denial of service (DDoS) attack against the affected organization unless a ransom is paid.

A woman works in a cluttered and empty office, representing someone who may be vulnerable to a ransomware attack.

Ransomware gangs are also looking to their primary victim’s business partners to pressure them into paying a ransom to prevent their own data leakages or business disruptions caused by a ransomware attack.

Takeaway
Triple extortion is particularly problematic because the victims’ networks are held hostage with two kinds of malicious attacks, and they are further victimized by the theft and leakage of data.

Multi-factor authentication shows promising signs of success.

20%
Percentage of attacks in Latin America that were business email compromise attacks. That percentage in 2019? Zero.
A woman works on her smartphone in her garage, representing how multi-factor authentication provides security anywhere.

Multi-factor authentication (MFA) can decrease the risk of several different types of attack, including ransomware, data theft, business email compromise (BEC) and server access. But BEC is rising in regions where MFA is seemingly less common, like Latin America.

Takeaway
X-Force research confirms that zero trust principles can decrease organizations’ susceptibility to BEC. Identity and access management technologies are making MFA implementation easier.

Big brands are the big ticket into your organization.

Phishing was 2021’s top infection vector, and the brands that were most imitated in phishing kits are among the largest and most trusted companies: Microsoft, Apple and Google.

Outdoor staircase up to a corporate courtyard.
>50%
Percentage of victims who clicked on targeted phishing campaigns that added phone calls (vishing, or voice phishing).

Four out of 10 attacks start with phishing, but X-Force Red, IBM’s global team of red team hackers that break into organizations and uncover risky vulnerabilities, reports that adding vishing (or voice phishing) to a targeted phishing campaign makes the effort three times as effective as a classic phishing campaign.

Takeaway
A well-imitated logo is enough to gain trust. Can your employees spot the difference between a fake email and a real one? About one in five can’t.

Vulnerabilities rise sharply as the Internet of Things expands.

2204%
Increase in adversarial reconnaissance activity targeting a popular supervisory control and data acquisition (SCADA) messaging protocol between January and September 2021, as observed by X-Force.

The number of vulnerabilities related to Internet of Things devices increased by 16% year over year, compared to a growth rate of only 0.4% for vulnerabilities overall. For industrial control systems, the rise was even more dramatic at 50%—an elevated risk as threat actors seek to disrupt the manufacturing and energy sectors.

Representation of the number of new vulnerabilities identified between 2011 (7380 cases) and 2021 (19549 cases).

Connectivity Issues: Number of vulnerabilities identified each year since 2011

Takeaway
While industrial organizations are at the greatest risk, any organization using IoT is increasingly exposed to vulnerabilities.

As organizations move to the cloud, attackers follow.

4 out of 5
Number of Linux malware categories (such as ransomware and cryptominers) in which new code increased since the previous year.

Malware targeting Linux environments rose dramatically in 2021—a surge possibly correlated to more organizations moving into cloud-based environments, many of which rely on Linux for their operations.

A wide shot of the exterior of a corporate office building at nighttime, with some half office windows illuminated.

A threat actor to know: A gang called LemonDuck caused several compromises observed by X-Force in 2021. LemonDuck malware evolved from cryptomining and has since built a large botnet of compromised devices; it targets both Linux and Windows systems. LemonDuck campaigns capitalize on news events for phishing lures.

Takeaway
The level of new and unique code in Linux malware in 2021 surpassed 2020 levels, highlighting how innovation in Linux malware has made these threats more dangerous.

A single gang initiated 37% of ransomware attacks, an organization’s biggest threat.

17 months
Average lifespan of ransomware gangs before rebranding or disbanding.

Ransomware remains the leading type of attack, although it decreased as a share of overall attacks. Why? Our theory is law enforcement action. The REvil operation accounted for a whopping 37% of ransomware attacks that X-Force remediated last year before the gang shut down in October 2021. Members of the gang were arrested, but many ransomware groups that disband later reemerge under new names. The frequency of ransomware attacks tends to shift throughout the year, often increasing in May and June. Ransomware attacks appear to decrease in late summer or early fall, with January having the least amount of activity.

Representation of the number of months a ransomware gang existed before rebranding - DoppelPaymer 26 months, Grief 8 months, GandCrab 17 months, REvil 31 months, Maze 19 months and Egregor with 6 months.

Malfeasant Makeovers: Notable ransomware gang rebrands

Takeaway
Have a ransomware response plan, backups and an alternate location for critical business operations during remediation. Consider if or when you might ever pay a ransom.
Download the full report (3.8 MB)Talk with an Expert

IBM Security X-Force

IBM Security X-Force is a threat-centric team of hackers, responders, researchers and analysts. Our portfolio includes offensive and defensive products and services, fueled by a 360-degree view of threats. With X-Force as your security partner, you can affirm with confidence that the likelihood and impact of a data breach are minimal.


IBM Security X-Force Threat Intelligence combines IBM security operations telemetry, research, incident response investigations, commercial data, and open sources to aid clients in understanding emerging threats and quickly making informed security decisions.


Additionally, the X-Force Incident Response team provides detection, response, remediation, and preparedness services to help you minimize the impact of a data breach.


X-Force combined with the IBM Security Command Center experiences trains your team—from analysts to the C-suite—to be ready for the realities of today's threats. X-Force Red, IBM Security’s team of hackers, provides offensive security services, including penetration testing, vulnerability management, and adversary simulation.


Throughout the year, IBM X-Force researchers also provide ongoing research and analysis in the form of blogs, white papers, webinars and podcasts, highlighting our insight into advanced threat actors, new malware, and new attack methods. In addition, we provide a large body of current, cutting-edge analysis to subscription clients through our X-Force Threat Intelligence solutions.


IBM Security

IBM Security works with you to help protect your business with an advanced and integrated portfolio of enterprise security products and services—infused with AI and a modern approach to your security strategy using zero trust principles—helping you thrive in the face of uncertainty. By aligning your security strategy to your business; integrating solutions designed to protect your digital users, assets and data; and deploying technology to manage your defenses against growing threats, we help you to manage and govern risk that supports today’s hybrid cloud environments with the QRadar XDR threat detection and response suite.


Our new modern, open approach, the IBM Cloud Pak for Security platform, is built on RedHat Open Shift and supports today’s hybrid multicloud environments with an extensive partner ecosystem. Cloud Pak for Security is an enterprise-ready containerized software solution that enables you to manage the security of your data and applications by quickly integrating your existing security tools to generate deeper insights into threats across hybrid cloud environments, leaving your data where it is and allowing easy orchestration and automation of your security response.


Download the full report (3.8 MB)Talk with an Expert

  • IBM Security X-Force is a threat-centric team of hackers, responders, researchers and analysts. Our portfolio includes offensive and defensive products and services, fueled by a 360-degree view of threats. With X-Force as your security partner, you can affirm with confidence that the likelihood and impact of a data breach are minimal.


    IBM Security X-Force Threat Intelligence combines IBM security operations telemetry, research, incident response investigations, commercial data, and open sources to aid clients in understanding emerging threats and quickly making informed security decisions.


    Additionally, the X-Force Incident Response team provides detection, response, remediation, and preparedness services to help you minimize the impact of a data breach.


    X-Force combined with the IBM Security Command Center experiences trains your team—from analysts to the C-suite—to be ready for the realities of today's threats. X-Force Red, IBM Security’s team of hackers, provides offensive security services, including penetration testing, vulnerability management, and adversary simulation.


    Throughout the year, IBM X-Force researchers also provide ongoing research and analysis in the form of blogs, white papers, webinars and podcasts, highlighting our insight into advanced threat actors, new malware, and new attack methods. In addition, we provide a large body of current, cutting-edge analysis to subscription clients through our X-Force Threat Intelligence solutions.


  • IBM Security works with you to help protect your business with an advanced and integrated portfolio of enterprise security products and services—infused with AI and a modern approach to your security strategy using zero trust principles—helping you thrive in the face of uncertainty. By aligning your security strategy to your business; integrating solutions designed to protect your digital users, assets and data; and deploying technology to manage your defenses against growing threats, we help you to manage and govern risk that supports today’s hybrid cloud environments with the QRadar XDR threat detection and response suite.


    Our new modern, open approach, the IBM Cloud Pak for Security platform, is built on RedHat Open Shift and supports today’s hybrid multicloud environments with an extensive partner ecosystem. Cloud Pak for Security is an enterprise-ready containerized software solution that enables you to manage the security of your data and applications by quickly integrating your existing security tools to generate deeper insights into threats across hybrid cloud environments, leaving your data where it is and allowing easy orchestration and automation of your security response.