Quarterly Report: Incident Response trends in Q1 2022

Ransomware continues as the top threat, while a novel increase in APT activity emerges

By Caitlin Huey.

Ransomware was still the top threat Cisco Talos Incident Response (CTIR) saw in active engagements this quarter, continuing a trend that started in 2020. As mentioned in the 2021 year-in-review report, CTIR continues to deal with an expanding set of ransomware adversaries and major cybersecurity incidents affecting organizations worldwide.

The first quarter of 2022 also featured an increase in engagements involving advanced persistent threat (APT) activity. This included Iranian state-sponsored MuddyWater APT activity, China-based Mustang Panda activity leveraging USB drives to deliver the PlugX remote access trojan (RAT), and a suspected Chinese adversary dubbed “Deep Panda” exploiting Log4j.

A wide variety of verticals were targeted, including education, energy, financial services, health care, industrial production and equipment, local government, manufacturing, real estate, telecommunications and utilities. The top targeted vertical was telecommunications, following a trend where it was among the top targeted verticals in the previous quarter, closely followed by organizations in the education and government sectors.

Ransomware continued to comprise the majority of threats CTIR responded to. No one ransomware family was observed twice in incidents that closed out this quarter. This is indicative of a trend toward greater

Read More: http://blog.talosintelligence.com/2022/04/quarterly-report-incident-response.html