Q1 2022 Threat Landscape: Threat Actors Target Email for Access and Extortion

In Q1 2022, Kroll observed a 54% increase in phishing attacks being used for initial access in comparison with Q4 2021. Email compromise and ransomware were the two most common threat incident types, highlighting the integral part played by end users in the intrusion lifecycle.

Kroll continues to observe widely-publicized vulnerabilities such as ProxyShell and Log4J being used as pivot points for attackers to access and compromise systems through approaches such as business email compromise (BEC) and cryptominers. In Q1 2022, Kroll observed these vulnerabilities being leveraged by multiple different ransomware groups for initial access into systems. In the same quarter, Kroll also observed an increase in attacks related to Emotet and IcedID malware.

While the proportion of ransomware incidents slipped by 20% from the last quarter, cybercriminals capitalized on other methods to extort victims, such as the large-scale data theft by groups like Lapsus$, and a unique twist on BEC that led to significant extortion demands.