Sophos Labs report: Ransomware attacks will escalate in 2022

You’ve been hearing it every January for the last decade: The coming year will see a continued escalation of ransomware attacks. But these past 12 months have been different.

Ransomware gangs have taken their attacks to a dangerous new level in recent months, targeting ubiquitous software used by business, government agencies and critical infrastructure and revealing multiple vulnerabilities in the software supply chain.

Among them was the SolarWinds attack, discovered this time last year. In May, a ransomware attack crippled the Colonial Pipeline for nearly a week, sending millions along the U.S. East Coast scrambling for gas. Also in May, the JBS meat packing company, which supplies more than one-fifth of all beef in the United States, was forced to halt operations after its plants were pushed offline. In July, the networks of at least 200 U.S. companies were paralyzed when the REvil ransomware syndicate attacked software supplier Kaseya.

SophosLabs, the Sophos Managed Threat Response team and the SophosAI data science group have been helping their customers fight such attacks throughout 2021. Their response is covered in detail within the 2022 Threat Report Sophos released in November.

The report represents the collective wisdom of Sophos’ malware analysts, the machine and network forensics specialists and machine learning experts that make up these core teams within the company and offers analysis of the events that transpired in 2021 and how those events will help shape the threat landscape in 2022 and beyond. It’s organized into five parts:

  1. The ransomware epidemic and its aftermath
  2. Trends in conventional malware that targets Windows computers
  3. Malware on mobile platforms
  4. Security threats to infrastructure
  5. Artificial intelligence and how it applies to the practice of information security

Key takeaways

  • Ransomware accounted for nearly 80% of Sophos Rapid Response’s engagements, followed by attacks involving Cobalt Strike (6%), Mac malware (5%), web shells (4%), data exfiltration (3%) and crypto miners (3%).
  • The Conti and REvil ransomware families pioneered and developed the ransomware-as-a-service business model, where a small team of developers built the ransomware itself, and a larger group of affiliates acted as the delivery mechanism, actively breaking into networks by any means available: brute-force attacks against internet-facing services; exploits of vulnerable software; and occasionally by obtaining legitimate credentials from initial access brokers, a type of criminal service provider.
  • Tools like Cobalt Strike were most frequently a component of the kinds of hands-on-keyboards attacks preferred by ransomware groups.
  • Threat actors take advantage of a wide variety of commercial software and utilities designed for IT administrators or security professionals.


To reduce these ongoing threats, Sophos has been recommending that organizations:

  • Ensure they have robust ransomware and malware protection in place
  • Remain vigilant about emerging vulnerabilities on Internet-facing software products they operate on their networks.
  • Shift some products to vendor-hosted software-as-a-service, which can mitigate some of these risks, as vendors typically patch vulnerabilities in their own deployments of software faster than they can be deployed by on-premises customers.
  • Fully deploy malware protection on servers and endpoint devices
  • Monitor products to catch attacks that trigger detections or alerts before an attacker with administrative access can defeat protections.
  • Have effective data backup practices and business continuity plans, regardless of their size, to ensure that they can survive attacks.

Download the report here.

Bill Brenner

InfoSec content strategist, researcher, director, tech writer, blogger and community builder. Senior Vice President of Audience Content Strategy at CyberRisk Alliance.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.