The map displays the cyber threat risk index globally, demonstrating the main risk areas around the world.*
Data collected in 2022 shows a continued rise in attacks against all industries. Most targeted are educational and research institutions, with an average of 2,314 attacks per week per organization, an increase of more than 40% from 2021. Attacks on the healthcare sector registered the highest surge, 74% more attacks than last year, placing it as the third most targeted industry in this index. From hospitals and clinics to research facilities, attackers have been focusing on the healthcare industry since the beginning of the COVID-19 pandemic, seeking financial gain. 89% of healthcare organizations reported cyberattacks within the last year, with an average total cost reaching $4.4M. Reported attacks included the one on CommonSpirit Health, the second largest non-profit hospital chain in the US. CommonSpirit, which operates 140 hospitals, reported that data of more than 600K patients was stolen, with the attack also resulting in medical harm to patients. Hospitals in New York were hit by ransomware in November, leaving medical systems down for weeks after the attack. An attack on the Dallas-based Tenet Healthcare corporation, which operates hundreds of medical sites, caused disruption to acute care operations. Among the ransomware groups reported to target healthcare organizations are LockBit, BlackCat, Cuba, Zeppelin and more.
The proportion of email-delivered attacks has increased, reaching a staggering record of 86% of all file-based in-the-wild attacks. Data shows increased use of various archive file formats as threat actors attempt to conceal malicious payloads. Packed inside password-protected archives, the malware's functionality stays hidden until the archive is extracted, which makes identifying it as malicious especially challenging for security products. Zip files are the most commonly used format for this purpose, while .img and .iso files also appear among the top malicious archive types, since Windows itself or very popular tools can mount or extract them natively. Archive files are often used to bypass Mark-of-the-Web-based protection mechanisms.
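The archive tricks described above leave traces a mail gateway can still see: a ZIP central directory is never encrypted, so entry names, nesting and the per-entry "encrypted" flag remain readable even when the payload itself cannot be scanned. The following added example (not code from the report or from Check Point) inspects a ZIP attachment for those indicators; the extension list, the finding labels and the constructed sample archive are this example's own assumptions.

```python
import io, os, zipfile
# Extensions that most often carry the payload inside a mailed archive
# (an illustrative list for this example, not a vendor signature set).
RISKY_EXT = {".exe", ".scr", ".dll", ".lnk", ".xll", ".iso", ".img", ".vhd",
             ".js", ".vbs", ".hta", ".cmd", ".bat", ".ps1", ".xlsm", ".docm"}

def inspect_zip(data, depth=0, max_depth=3, prefix=""):
    """Return (entry_path, reason) findings for a ZIP attachment, reading only
    the central directory plus any nested, non-encrypted ZIP entries."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            path = prefix + info.filename
            ext = os.path.splitext(info.filename)[1].lower()
            if info.flag_bits & 0x1:  # bit 0 of the general-purpose flags = encrypted
                findings.append((path, "password-protected entry"))
            if ext in RISKY_EXT:
                findings.append((path, f"risky extension {ext}"))
                if info.filename.count(".") >= 2:  # e.g. Invoice.pdf.lnk
                    findings.append((path, "double extension"))
            if ext == ".zip" and depth < max_depth:  # look inside nested archives
                try:
                    inner = zf.read(info)
                except (RuntimeError, NotImplementedError, zipfile.BadZipFile):
                    continue  # encrypted or unreadable: names above are all we get
                if zipfile.is_zipfile(io.BytesIO(inner)):
                    findings += inspect_zip(inner, depth + 1, max_depth, path + "/")
    return findings

def _mark_encrypted(buf, name):  # sample only: set bit 0 on NAME's central-directory record
    enc, pos = name.encode(), buf.find(b"PK\x01\x02")
    while pos != -1:
        if buf[pos + 46:pos + 46 + len(enc)] == enc:  # filename starts at offset 46
            buf[pos + 8] |= 1                           # general-purpose flags at offset 8
        pos = buf.find(b"PK\x01\x02", pos + 4)
    return bytes(buf)

def build_sample():
    """Constructed outer ZIP: a double-extension .lnk, a disk image, a nested ZIP
    holding an .exe, and an entry flagged password-protected (data left in clear)."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("payload.exe", b"MZ...")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("Invoice_2022.pdf.lnk", b"L\x00\x00\x00")
        zf.writestr("update.iso", b"\x00" * 16)
        zf.writestr("inner.zip", inner.getvalue())
        zf.writestr("protected.zip", inner.getvalue())
    return _mark_encrypted(bytearray(outer.getvalue()), "protected.zip")
```

Running `inspect_zip(build_sample())` reports the .lnk, the .iso, the .exe inside inner.zip and the password-protected entry, while the protected entry's contents are correctly left unexplored.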
Data comparisons presented in the following sections of this report are based on data drawn from the Check Point ThreatCloud Cyber Threat Map between January and December 2022.
For each of the regions below, we present the percentage of corporate networks impacted by each malware family, for the most prevalent malware in 2022.
Climbing back from fourth place in Check Point's 2021 list of most prevalent malware, Emotet has regained the top of the 2022 table, affecting 10% of all corporate networks. Initially discovered in 2014 as a banking Trojan, Emotet has developed into a significant multipurpose malware, serving as an initial access malware used by sophisticated Eastern European cyber criminals. Identified as one of the major cyber threats, Emotet was taken down in January 2021 in a global law enforcement operation, only to resurge by the end of that year. On its return, Emotet was distributed with Trickbot's assistance and later deployed large-scale spam campaigns with malicious Office documents. Because Emotet relied heavily on exploiting Office macros, Microsoft's intention to disable VBA macros in documents obtained from the internet was expected to affect its distribution. Emotet's operators prepared for the change, experimenting with alternative file types including .lnk, .xll, .zip and .iso files. In November, Emotet returned from one of its routine breaks and went back to its previous weapon of choice – Excel files with malicious macros. To bypass the Mark-of-the-Web limitations, the attached maldocs displayed detailed instructions directing users to copy the files into the trusted "Templates" folder. Emotet continues to use its email thread hijacking technique and customizes email content according to the targeted country. Emotet was observed deploying other malware families, such as IcedID and XMRig, on victim systems. Other Emotet campaigns in 2022 include a campaign targeting IKEA employees, a US phishing campaign impersonating the IRS during the 2022 tax season, and many more. Infostealers occupied a central place in this year's table, with four of the most commonly used stealers, AgentTesla, Formbook, SnakeKeylogger and LokiBot, occupying the top six places in our top malware list.
The popularity of infostealers is connected to the growing market for stolen credentials and their availability to threat actors at relatively low prices. One emerging technique among cybercriminals is using infostealers for widely spread infections that are not specifically focused on corporate networks. After the initial infection, cybercriminals mine the collected data to identify corporate VPN credentials, which allow them to gain initial access to corporate networks.