Manufacturing emerged as the most targeted sector when it came to cyberattacks through 2021, while ransomware and vulnerability exploitations combined to “imprison” businesses, heavily burdening global supply chains.


The assessments surface from IBM’s X-Force Threat Intelligence Index, which identified phishing as the most common cause of cyberattacks through the last year.

Also observed was a 33% rise in attacks caused by vulnerability exploitation of unpatched software, a point of entry that ransomware actors relied on more than any other to carry out their attacks in 2021, representing the cause of 44% of ransomware attacks.

The 2022 report details how in 2021 ransomware actors attempted to “fracture” the backbone of global supply chains with attacks on manufacturing, which became 2021’s most attacked industry (23%), dethroning financial services and insurance after a long reign.

Experiencing more ransomware attacks than any other industry, attackers wagered on the ripple effect that disruption on manufacturing organisations would cause their downstream supply chains to pressure them into paying the ransom.

Alarmingly, almost half (47%) of attacks on manufacturing were caused due to vulnerabilities that victim organisations had not yet or could not patch, highlighting the need for organisations to prioritise vulnerability management.

The study mapped new trends and attack patterns observed and analysed from fresh data – drawing from billions of data-points ranging from network and endpoint detection devices, incident response engagements, phishing kit tracking and more.

Ransomware persisted as the top attack method observed in 2021, with ransomware groups showing no sign of stopping, despite the uptick in ransomware takedowns. According to the 2022 report, the average lifespan of a ransomware group before shutting down or rebranding is 17 months.

Experts also noted warning signs of a brewing cyber-storm in the cloud as cybercriminals lay the groundwork to target migrated environments. The study revealed a 146% surge in new Linux ransomware code and a shift to Docker-focused targeting, potentially making it easier for more threat actors to leverage cloud environments for malicious purposes.

The “nine lives” of ransomware groups

Responding to the recent acceleration of ransomware takedowns by law enforcement, ransomware groups may be activating their own disaster recovery plans. Analysis reveals that the average lifespan of a ransomware group before shutting down or rebranding is 17 months. For example, REvil which was responsible for 37% of all ransomware attacks in 2021, persisted for four years through rebranding, suggesting the likelihood it resurfaces again despite its takedown by a multi-government operation in mid 2021.

While law enforcement takedowns can slow down ransomware attackers, they are also burdening them with the expenses required to fund their rebranding or rebuild their infrastructure.

As the playing field changes, it’s important that organisations modernise their infrastructure to place their data in an environment that can help safeguard it – whether that be on-premises or in clouds. This can help businesses manage, control, and protect their workloads, and remove threat actors’ leverage in the event of a compromise by making it harder to access critical data in hybrid cloud environments.

PrivSec Global

PrivSec Global has long united experts from both privacy and security, providing a forum where professionals from across these fields can listen, learn, and debate.

Catch-up and watch every session on-demand

Attackers target common grounds among clouds

In 2021, more attackers were observed shifting their targeting to containers like Docker – by far the most dominant container runtime engine according to RedHat. Attackers recognise that containers are common grounds amongst organisations so they are doubling down on ways to maximize their ROI with malware that can cross platforms and can be used as a jumping off point to other components of their victims’ infrastructure.

The report also sent out a note of caution with regards threat actors’ continued investment into unique, previously unobserved, Linux malware, with data provided by Intezer revealing a 146% increase in Linux ransomware that has new code.

As attackers remain steady in their pursuit of ways to scale operations through cloud environments, businesses must focus on extending visibility into their hybrid infrastructure. Hybrid cloud environments that are built on interoperability and open standards can help organisations detect blind spots and accelerate and automate security responses.

Also of note, Asia was cited as chief target of cyberattacks globally, experiencing a quarter of all strikes – more than any other world zone through the past year. Financial services and manufacturing organisations together experienced nearly 60% of attacks in Asia.

Phishing was the most common cause of cyberattacks over the prescribed time period. In X-Force Red’s penetration tests, the click rate in its phishing campaigns tripled when combined with phone calls.

Charles Henderson, Head of IBM X-Force, said:

“Cybercriminals usually chase the money. Now with ransomware they are chasing leverage. Businesses should recognise that vulnerabilities are holding them in a deadlock – as ransomware actors use that to their advantage. This is a non-binary challenge.

“The attack surface is only growing larger, so instead of operating under the assumption that every vulnerability in their environment has been patched, businesses should operate under an assumption of compromise, and enhance their vulnerability management with a zero-trust strategy,” Henderson added.