2022 Security Report: Software Vendors saw 146% Increase in Cyber Attacks in 2021, marking Largest Year-on-Year Growth

January 26, 2022

Check Point Research’s (CPR) 2022 Security Report details the primary attack vectors and techniques witnessed by CPR during 2021. From supply chain attacks to ransomware, organizations experienced 50% more weekly cyber attacks than in 2020. Key highlights from the report include the return of Emotet, cracks in the ransomware ecosystem and vulnerabilities in cloud services. Software vendors saw the largest year-on-year growth (146%) in 2021. CPR emphasizes the need for more cohesive security following December’s Log4J exploits and recent REvil arrests.

  • Education/Research sector was the most attacked industry, averaging 1605 weekly attacks, marking a 75% increase
  • Botnets were the leading attack category worldwide, then infostealers and cryptominers
  • Cyberattacks against corporate networks increased by 50% in 2021 compared to 2020

The report reveals the key attack vectors and techniques witnessed by CPR during 2021.

Download the full report 

Key Numbers

  • Overall in 2021, organizations experienced 50% more weekly cyber-attacks than in 2020.
  • Cyber-attacks against the top 16 industries increased by an average of 55%
  • Education/Research sector’s 1,605 weekly attacks taking the lead (75% increase)
  • Government/Military saw an average of 1,136 weekly attacks (47% increase)
  • Communications saw an average of 1,079 weekly attacks (51% increase)
  • Software vendors experienced the largest year-on-year growth (146%)

Key Highlights

  • Supply chain attacks: the infamous SolarWinds attack laid the foundations for a supply chain attack frenzy. 2021 saw numerous sophisticated attacks such as Codecov in April and Kaseya in July, concluding with the Log4j vulnerability that was exposed in December. The striking impact achieved by this one vulnerability in an open-source library demonstrates the immense inherent risk in software supply chains.
  • Cyber-attacks disrupting everyday life: 2021 saw an increase in attacks targeting critical infrastructure which led to huge disruption to individuals’ day-to-day lives, and in some cases even threatened their sense of physical security.
  • Cloud services under attack: Cloud provider vulnerabilities became much more alarming in 2021 than they were previously. The vulnerabilities exposed throughout the year have allowed attackers, for varying timeframes, to execute arbitrary code, escalate to root privileges, access mass amounts of private content and even cross between different environments.
  • Developments in the mobile landscape: Throughout the year, threat actors have increasingly used smishing (SMS phishing) for malware distribution and have invested substantial efforts in hacking social media accounts to obtain access to mobile devices. The continued digitization of the banking sector in 2021 led to the introduction of various apps designed to limit face-to-face interactions, and those in turn have led to the distribution of new threats.
  • Cracks in the ransomware ecosystem: Governments and law enforcement agencies changed their stance on organized ransomware groups in 2021, turning from preemptive and reactive measures to proactive offensive operations against the ransomware operators, their funds and supporting infrastructure. The major shift happened following the Colonial Pipeline incident in May which made the Biden administration realize they had to step up efforts to combat this threat.
  • Return of Emotet: One of the most dangerous and infamous botnets in history, is back. Since Emotet’s November return, CPR found the malware’s activity to be at least 50% of the level seen in January 2021, shortly before its initial takedown. This rising trend continued throughout December with several end-of-year campaigns, and is expected to continue well into 2022, at least until the next takedown attempt.

In a year that began with the fallout from one of the most devastating supply chain attacks in history, we’ve seen threat actors grow in confidence and sophistication. This culminated in the Log4j vulnerability exploit which, yet again, caught the security community off-guard and brought to the fore the sheer level of risk inherent in software supply chains. In the months between, we saw cloud services under attack, threat actors increasing their focus on mobile devices, the Colonial Pipeline held to ransom, and the resurgence of one of the most dangerous botnets in history. But it’s not all doom and gloom. We also saw cracks in the ransomware ecosystem widen in 2021, as governments and law enforcement agencies around the world resolved to take a tougher stance on ransomware groups in particular. Instead of relying on reactive and remedial action, some shocking events woke governments up to the fact that they needed to take a more proactive approach to dealing with cyber risk. That same philosophy extends to businesses too, who can no longer afford to take a disjointed, siloed, reactionary approach to dealing with threats. They need 360-degree visibility, real-time threat intelligence, and a security infrastructure that can be mobilized in an effective, joined-up manner.

The recent arrests made in Russia of the REvil ransomware gang is a unique event in the history of cyber as it is the first time that the US Administration has collaborated with the Russian authorities to track down and arrest members of a ransomware group. Coming about one year after the Emotet group was taken down there are some key differences and one worrying similarity. First, on this occasion, actual arrests of the ringleaders have been made and assets have been seized like high performance cars large amounts of cash and crypto currency. However, you cannot arrest code. It only takes one or two members or affiliates of the gang to escape with the key attack tools for REvil to re-merge at a later date, possibly in another country. We can only hope this is not the case. The main positive take from this situation is that any ransomware gang that thought Russia was a ‘safe haven’ for them to practice their malicious trade will have to think again. This comes on the back of Ukraine closing down similar ransomware gangs in that country. It’s certainly not the end of ransomware, but every measure that governments can take, by sharing intelligence, to restrict such criminal activity is to be welcomed.



Download the full report 




  • Check Point Research Publications
  • Global Cyber Attack Reports
  • Threat Research
February 17, 2020

“The Turkish Rat” Evolved Adwind in a Massive Ongoing Phishing Campaign

  • Check Point Research Publications
August 11, 2017

“The Next WannaCry” Vulnerability is Here

  • Check Point Research Publications
January 11, 2018

‘RubyMiner’ Cryptominer Affects 30% of WW Networks