Cybercriminals continue to cause disruption for organizations in 2022. Depending on the cyberattack type, those disruptions lead to various consequences, such as reputational/brand damage, financial losses, and monetary penalties.

One of the most prevalent types of cyberattacks is ransomware, accounting for approximately 10% of all cyberattacks in 2021. Ransomware is a form of malware designed to encrypt files on a device, rendering any files and the systems that rely on them unusable. Malicious actors then demand ransom in exchange for decryption keys.

Palo Alto Networks states that the average ransom demand increased 144% to $2.2 million, while the average payment rose 78% to $541,010 from 2021 to 2022. According to a survey conducted by SonicWall in January 2022, 73% of respondents said they were concerned or extremely concerned about ransomware attacks. This was second only to targeted phishing attacks, which 77% of respondents said they were concerned or extremely concerned about.

SonicWall’s report also indicates that ransomware attacks grew by 105% in 2021 compared with the previous year, with 623.3 million attacks in total between January and December 2021. Since the annual numbers of ransomware attacks were a total of 187.9 million in 2019 and 304 million in 2020, we can say that organizations have a solid reason to be concerned about ransomware and the challenges arising from it.

Aside from 2022 trends below, the political and economic impact of the war in Ukraine, state-sponsored cyber-attacks, and the functioning “business model” of ransomware are likely to result in further increases in the number of ransomware attacks in the next few years. We do not expect ransomware attacks to slow down.

Trends in 2022 

A recent Deloitte report states that the increase in cyber threats is directly related to digital transformation. The risk of getting exposed to malicious actors is increasing as businesses accelerate their dependency on digital services. This is contributing to the willingness of organizations to pay ransoms to keep the business running. An IC3 2021 report forecasts that ransomware attacks in 2022 will focus on critical infrastructure, as governments accelerate their interests in digital transformation of the public health sector, the food and agriculture sector, commercial facilities, and the manufacturing sector.  

Ransomware-as-a-service (RaaS): There has been an increase in demand for ransomware as a service in the past 18 months, and it is predicted to double its growth in 2022. RaaS is operated as a business model by the cyber-attack groups, where malicious solutions are made easily available to criminals. It is a subscription-based approach that makes ransomware accessible to criminals who have no expertise in this field. Moreover, the subscription includes attractive features such as customer support, licensing, subscription offers, customer reviews, and other research material to assist interested criminals in making their purchase decision. The subscription also includes access to analytics such as the status of the attack. RaaS is also offered as a profit-sharing solution, where the ransom is split between the RaaS operators and their customers.

Evolution of tactics, techniques and procedures (TTPs): As reported by Symantec, evolving tactics, techniques, and procedures will be the constant new threat from attackers in 2022. Ransomware operators have been using a combination of malware and OEM software features to generate new toolsets to launch attacks. PsExec and Cobalt strike ranked as the top two most frequently deployed TTPs for ransomware in 2021. Attackers in 2022 are focusing more on multi-extortion techniques by leaking the data of the victims and threatening to launch a DDoS attack as a follow up if ransom demands are not met. Palo Alto Networks reported an increase of 85% in 2021 compared with 2020 in the number of victims of multi-extortion techniques.

Exploiting new software vulnerabilities: Vulnerabilities in software will continue to surface as long as there are attackers motivated to use it as a tool for ransomware. Recent examples include the Log4j vulnerability and evolution of ZLoader for deploying ransomware. For example, Microsoft reported a group of attackers from China exploited the Log4j vulnerability as a back door for infecting organizations with Nightsky ransomware. In 2022, ransomware operators will continue to take advantage of unpatched systems to launch attacks on vulnerable systems.


Believe in Zero Trust: Zero Trust is a security paradigm based on the principle of “Don’t trust. Verify!”. According to the Zero Trust concept, no device, user, workload, or system should be trusted by default. For further information, check out our Comprehensive Guide to Zero Trust Implementation insight.   

Create a Backup Strategy: Get prepared for the worst-case scenario. Plan and implement a backup strategy prior to experiencing an attack.

Do Planning: Create an incident response plan and allocate the tasks among security teams. Develop company-wide cybersecurity policies against ransomware.

Control Authentication and Authorization Methods: Manage your authentication and authorization methods, check privileged users, and if needed, separate duties and departments.

Deploy Endpoint Security Tools: Make sure that your devices are secured by an endpoint security product or service. Keep an eye on personal devices to eliminate Shadow IT risks.

Stay Updated: Patch and update your applications continuously. Keep your security leaders and other stakeholders well informed of the current state of ransomware attacks and cybersecurity trends.

Do not Click on Unknown Links: Avoid clicking on links and attachments from unknown websites and emails.


Related research 

Blog post: When will ransomware strike? Should you hope for the best or plan for the worst 

Leadership Brief: Prepare and protect against software vulnerabilities 

Leadership Brief: Responding to critical software vulnerabilities 

Leadership Brief: Defending Against Ransomware