This year's IBM Security X-Force Threat Intelligence Index reveals an uncomfortable truth:as businesses, institutions and governments continue to adapt to a fast-changing global market — including hybrid and cloud-based work environments — threat actors remain adept at exploiting such shifts.

The IBM Security X-Force Threat Intelligence Index maps emerging trends and attack patterns that have been observed and analysed using data gathered by IBM. This included billions of data points from network and endpoint detection devices, incident response (IR) deployments, domain name tracking and more. The report represents the culmination of this research, based on data collected from January to December 2021.


  • Most frequent attack type:
    Ransomware was again the most common attack type in 2021. However, the percentage of ransomware attacks resolved by X-Force decreased by 9% compared to the previous year. REvil, a ransomware group also known as Sodinokibi, was the most common ransomware threat, accounting for 37% of all ransomware attacks, followed by Ryuk at 13%. Law enforcement efforts may explain the decline in ransomware and IoT botnet attacks in 2021, but this by no means rules out a possible resurgence in 2022.

  • Supply chain vulnerabilities:
    Supply chain security moved to the centre of government and political attention as Biden's government issued an executive order on cybersecurity and the US Department of Homeland Security, CISA and NIST duplicated zero-trust guidelines. These guidelines primarily highlight vulnerabilities and trusted relationships. Vulnerability exploitation has been the main attack vector in the manufacturing industry. An industry that particularly struggles with the impact of supply chain pressures and delays.

  • Most phished brands:
    Research by X-Force has found that Microsoft, Apple and Google are the top three brands that criminals try to impersonate. These mega-brands have been used repeatedly in phishing kits. Attackers are trying to capitalise on the popularity and trust that many consumers place in these brands.

  • Top threat groups:
    Suspected Iranian threat actor ITG17 (MuddyWater), cybercriminal group ITG23 (Trickbot) and Hive0109 (LemonDuck) were some of the most active threat groups X-Force analysts observed in 2021. Threat groups around the world were looking to improve their capabilities and infiltrate more businesses. The malware they used was, in some cases, hosted on cloud-based messaging and storage platforms to bypass security controls. These platforms were abused to hide command and control communications in legitimate network traffic. Threat actors also continued to develop Linux versions of malware to facilitate the transition to cloud environments.

The most important key figures

The average time before a ransomware group renames itself or disbands is 17 months. REvil, one of the most successful gangs, was shut down in October 2021 after an above-average 31 months. The main target in 2021 is the manufacturing industry. For the first time in five years, manufacturing has overtaken finance and insurance in the number of cyberattacks. This continues to hugely exacerbate problems in the global supply chain. Manufacturers have a low tolerance for downtime, and ransomware attackers are taking advantage of operational stressors exacerbated by the pandemic. Other Key Stats:

Bildschirmfoto 2022-03-24 um 09.39.27.pngRansomware share of cyber attacks
Ransomware was the most common type of attack observed by X-Force last year, falling to 21% of attacks from 23% the previous year. REvil ransomware actors (aka Sodinokibi) were responsible for 37% of all ransomware attacks.
imagePercentage of attacks that used phishing for initial access
Phishing attacks were the most common route to compromise in 2021, with 41% of incidents remediated by X-Force using this technique to gain initial access.
Bildschirmfoto 2022-03-24 um 09.44.22.pngAIncrease in the number of incidents that occurred through exploitation of vulnerabilities from 2020 to 2021.
Four of the top five vulnerabilities exploited in 2021 were new vulnerabilities, including the Log4j vulnerability CVE-2021-44228.

Geographical development

For the first time, Asia is the most attacked region in 2021. Asia accounted for 26% of the attacks observed by X-Force last year. In particular, a number of attacks on Japan - possibly related to the Summer Olympics held in Japan in 2021 - appear to have contributed to this attack trend. Japan, Australia and India were the most attacked countries in Asia.

Europe and North America followed closely behind with 24% and 23% of attacks respectively, while the Middle East and Africa and Latin America recorded 14% and 13% of attacks respectively. The United Kingdom, Italy and Germany were the most attacked countries in Europe. Saudi Arabia, the United Arab Emirates and South Africa were the most attacked countries in the Middle East and Africa region. Brazil, Mexico and Peru were the most targeted countries in Latin America.

Bildschirmfoto 2022-03-24 um 10.05.24.png

Recommended actions

The following specific actions can be taken by organisations to better protect their networks against the threats described in this report.

  1. Develop a response plan for ransomware.
    Every industry and every region is at risk of a ransomware attack. How the team responds at the moment of the attack and afterwards can make all the difference in terms of time and money lost.

  2. Implementierung einer Multifaktor-Authentifizierung an jedem Fernzugriffspunkt in einem Netzwerk.
    X-Force observed that MFA has been implemented by organisations more successfully than ever before. This is changing the threat landscape and forcing threat actors to find new ways to compromise networks instead of using previously stolen credentials.

  3. Apply a layered approach to combat phishing.
    Unfortunately, there is currently no single tool or solution that can prevent all phishing attacks. Threat actors also continue to improve social engineering and anti-malware detection techniques to circumvent controls. Therefore, implementing multiple layers of solutions that, in aggregate, have a higher chance of intercepting phishing emails is recommended.

  4. Refining and optimising the vulnerability management system.
    Implementing a team dedicated to vulnerability management and solidly resourcing and supporting this task force can make all the difference in protecting the corporate network from the potential exploitation of security vulnerabilities.

IBM Security X-Force is a threat-centric team of hackers, responders, researchers and analysts. Their portfolio includes offensive and defensive products and services based on a 360-degree view of threats.missions.