There was a significant increase in ransomware-related data leaks and interactive intrusions in 2021, according to the 2022 Global Threat Report released on Tuesday by endpoint security firm CrowdStrike.
The number of ransomware attacks that led to data leaks increased from 1,474 in 2020 to 2,686 in 2021, which represents an 82% increase. The sectors most impacted by data leaks in 2021 were industrial and engineering, manufacturing, and technology.
“The growth and impact of [big game hunting] in 2021 was a palpable force felt across all sectors and in nearly every region of the world. Although some adversaries and ransomware ceased operations in 2021, the overall number of operating ransomware families increased,” CrowdStrike said in its report.
[ READ: Swissport Investigating Ransomware Group’s Data Leak Claims ]
As for interactive intrusions, which involve hands-on-keyboard activity, CrowdStrike saw a 45% increase in 2021, with 62% of attacks involving no malware, only hands-on activity. Nearly half of interactive intrusions were conducted by profit-driven cybercriminals — the cybersecurity firm calls it eCrime activity.
In these eCrime attacks, the average breakout time — the time it took the attacker to move laterally from the initially compromised system to another host within the victim’s network — was 1 hour and 38 minutes.
CrowdStrike added 21 new named adversaries to its database last year and the company now tracks a total of more than 170 threat groups.
The company’s report highlights disruptive operations linked to Iran, with threat actors and activity clusters using “lock-and-leak” tactics to target organizations in the United States, Israel and the MENA region.
“Lock-and-leak operations are characterized by criminal or hacktivist fronts using ransomware to encrypt target networks and subsequently leak victim information via actor-controlled personas or entities,” CrowdStrike explained. “Since they inauthentically operate as a criminal or hacktivist entity, these types of operations conduct activity beneath a veneer of deniability. Through the use of dedicated leak sites, social media and chat platforms, these actors are able to amplify data leaks and conduct [information operations] against target countries.”
The report also highlights China-linked activity, with China being named the “leader in vulnerability exploitation.” The number of new security flaws exploited by Chinese threat actors in 2021 was 12, six times higher than in 2020.
While it’s not uncommon for Chinese threat actors to develop exploits for their targeted intrusions, they have typically leveraged exploits requiring user interaction, such as opening malicious documents or accessing websites hosting malicious code. However, in 2021, they appeared to shift focus to security holes affecting internet-facing devices or services.
The complete 2022 Global Threat Report (PDF) is available on CrowdStrike’s website.
Related: Russian State-Sponsored Hackers Are Fastest: CrowdStrike
Related: Telecom Sector Increasingly Targeted by Chinese Hackers: CrowdStrike

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
More from Eduard Kovacs
- Industrial Giant ABB Confirms Ransomware Attack, Data Theft
- Zyxel Firewalls Hacked by Mirai Botnet
- New Russia-Linked CosmicEnergy ICS Malware Could Disrupt Electric Grids
- Drop in Insider Breaches Drives Decline in Intrusions at OT Organizations
- Zero-Day Vulnerability Exploited to Hack Barracuda Email Security Gateway Appliances
- OAuth Vulnerabilities in Widely Used Expo Framework Allowed Account Takeovers
- New Honeywell OT Cybersecurity Solution Helps Identify Vulnerabilities, Threats
- Rheinmetall Says Military Business Not Impacted by Ransomware Attack
Latest News
- Industrial Giant ABB Confirms Ransomware Attack, Data Theft
- Organizations Worldwide Targeted in Rapidly Evolving Buhti Ransomware Operation
- Google Cloud Users Can Now Automate TLS Certificate Lifecycle
- Zyxel Firewalls Hacked by Mirai Botnet
- Watch Now: Threat Detection and Incident Response Virtual Summit
- NCC Group Releases Open Source Tools for Developers, Pentesters
- Memcyco Raises $10 Million in Seed Funding to Prevent Website Impersonation
- New Russia-Linked CosmicEnergy ICS Malware Could Disrupt Electric Grids
