Skip to Main ContentSkip to Footer
Report

2022 State of the Threat Report

Cyber threats have taken over 2022 and they show no sign of stopping. In this report, we explore some of the most recent, hard-hitting cyberattacks.

2022 State of the Threat: A Year in Review

Secureworks Research Exposes the Stories Behind the Headlines

2022 Stateof the Threat

Get the Report

All fields are required.
Access Now
 

Read the report that will walk you through the most notable and formidable threats we’ve faced in 2022.

In 2022, ransomware remained the most prevalent form of attack. In investigations by Secureworks® incident responders, the median time between initial access and ransomware detonation dropped to 4.5 days in 2022, compared to 5 days in 2021. Meanwhile, nation-state dynamics like those observed in conflicts between Russia and Ukraine shifted rapidly.

And that’s just the tip of the iceberg.

With so many sophisticated threats developing, Secureworks is more committed than ever to providing the most up-to-date threat intelligence to its customers and to organizations looking to build long-term security maturity.

Secureworks Counter Threat Unit™ (CTU) researchers have noted a general trend: the size of organizations falling victim to these threats is growing smaller over time. Smaller organizations are likely to be less well-resourced, making them a softer target and one that is less likely to bring in specialist incident response services after the event.

This detection window is critical for network defenders to exploit. On numerous occasions, Secureworks Taegis™ XDR countermeasures have alerted customers to ransomware precursors in their environment, allowing them to isolate impacted hosts, block the command-and-control infrastructure, and reset compromised credentials before threat actors can capitalize on access.

However, ransomware is far from the only threat plaguing businesses. As companies work to solidify their defenses, adversaries do everything in their power to circumvent them.

Read our comprehensive report to understand key findings and recommendations your organization can take to counter threats.

4.5 Days

Median ransomware detection window between initial access and deployment

2+ Million

Number of infostealer-sourced credentials for sale on one day in one underground marketplace

52%

Percentage of initial access vectors from exploitation of remote services

Key Findings from State of the Threat

  • This 40+ page report comprehensively examines cybersecurity events from the end of June 2021 through June 2022. These events have been heavily influenced by escalating tensions in eastern Europe and the Middle East, a steady stream of critical vulnerabilities, and public leaks exposing the inner workings of organized cybercriminal ransomware gangs.
  • Based on insights from customer telemetry, incident response, underground monitoring, proactive threat research and intelligence relationships, CTU™ researchers observed the following high-level trends across the threat landscape:
01

Ransomware remains the number one threat for most organizations

02

Lightweight, disposable malware loaders emerged in 2022

03

Infostealer malware contributed to the sale of over two million credentials in one marketplace

04

Exploitation of remote services replaced credential-based access as the most common initial access vector

05

Nation-state activity has developed a more regional focus

06

Defense evasion remains unsophisticated — providing valuable detection opportunities

How Secureworks Created State of the Threat

CTU researchers analyze trillions of security events every week, gathered from the Taegis XDR platform. Combined with data processed through Taegis VDR, proactive research, and insights gathered through Secureworks Incident Response engagements, this report represents one of the most comprehensive views of the threat landscape.

Download the report now for a detailed visualization of the threats the CTU team has come across, the intelligence gathered from these engagements, and advice on securing your most valuable business assets.

1,400+

proactive and reactive incident response engagements per year

470B+

events per day processed by Taegis

1,260

combined years of work experience in the CTU team

Download PDF (21 MB)

2024 State of the Threat: A Year in Review

Fortify your defenses by understanding the latest intelligence and top threats facing organizations this year.

2024 State of the Threat

Get the Report

By submitting this form you acknowledge that you have read and understood Sophos Privacy Notice.

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.
 

The Impact of Cyber Risk in 2024 and Beyond

Cyber risk remains high in 2024, driven by a thriving cybercriminal ecosystem and geopolitical pressures.

This year underscored the resilience of the threat landscape. Despite increased law enforcement efforts and several high-profile takedowns, ransomware remains a significant financial threat, even if the names of the ransomware groups have changed. Geopolitical events in Ukraine, the Middle East, and the South China Sea continue to drive state-sponsored and hacktivist activities, even when some of their techniques and tactics are exposed by Western experts.

Security can never become passive. It requires ongoing vigilance.

Secureworks and our Counter Threat Unit™ (CTU) are committed to arming the security community with the latest intelligence and insights to build security maturity and shore up our global defenses. Throughout the year, Secureworks customers receive the most relevant, up-to-date threat intelligence, ensuring they remain prepared and protected. With global intelligence, the advantage of the Taegis™ XDR platform, and adhering to the fundamentals (e.g., patching, MFA), you too can outpace and outmaneuver the adversary.

Read our complete and comprehensive report to deepen your understanding of the threat landscape with pragmatic recommendations for your business.

30 %

y/y rise in active ransomware threat groups

72%

of initial access vectors in ransomware attacks accounted for by scan-and-exploit and stolen credentials

7 hours

shortest observed ransomware dwell time

 

Global Threat Intelligence Summit 2024

Learn from Secureworks threat experts directly with on-demand recordings and conversations from the 2024 Global Threat Intelligence Summit, where you can engage in even greater insights on today’s most critical threats.

Start watching now

Key Findings: State of the Threat

  • This 70+ page report comprehensively examines cybersecurity events from July 2023 to the end of June 2024. These events reflect the continued evolution of ransomware and other threat tactics, including significant takedowns of core ransomware groups and the subsequent fragmentation and creation of new groups; AiTM and AI as growing threats; and the continued influence of state-sponsored threat groups and hacktivist activity.
  • Based on insights from customer telemetry, incident response, underground monitoring, proactive threat research, and intelligence relationships, CTU™ research observed the following trends in the threat landscape:

March 2024 saw the highest number of ransomware schemes listing victims. Dwell times remain low, with the shortest observed at just under 7 hours.

Scan-and-exploit and stolen credentials remain top IAVs in ransomware attacks, accounting for nearly 72% of known IAVs.

Adversary in the Middle phishing kits are increasingly used to bypass MFA. Using phishing-proof MFA is now vital.

Law enforcement targeting of ransomware groups caused disruption and fragmentation, prompting new threat actor behaviors.

Hacktivists continue to conduct denial of service or web site defacement campaigns against organizations linked to conflict zones.

State-sponsored threat groups use obfuscation networks, LOTL techniques, and commodity tools to frustrate detection and attribution.

Defense basics (MFA, patching, XDR) remain key. One or more were absent in >50% of Secureworks incident response engagements.

AI lends efficiency more than complexity for cybercriminals, boosting the volume and impact of cyberattacks.

What Informs Secureworks State of the Threat

The Secureworks view of the threat landscape comes from a combination of telemetry from the Taegis platform; incident response and Secureworks Adversary Group customer engagements; privileged source intelligence and industry relationships; dark web surveillance; and technical and tactical research conducted by the CTU, including extensive use of botnet emulations.

Download the report now for a detailed visualization of the threat landscape and actionable, pragmatic advice on how to secure your most valuable business assets.

5 Trillion+

event logs processed by Taegis every week of the year

50K

investigations a year via Incident Response and the Taegis platform

Unique

botnet emulation capabilities, giving us a threat actor’s eye view of the threat landscape