# Today's Cyberthreats: Ransomware, BEC Continue to Disrupt

By [Dan O'Day](https://www.paloaltonetworks.com/blog/author/dan-oday/?ts=markdown "Posts by Dan O'Day"), Jul 26, 2022

This post is also available in: [日本語 (Japanese)](https://www2.paloaltonetworks.com/blog/2022/07/cyberthreats-incident-response-report/?lang=ja "Switch to Japanese(日本語)")

When we created the [2022 Unit 42 Incident Response Report](http://start.paloaltonetworks.com/2022-unit42-incident-response-report), our goal was simple: to gather insights from our incident response cases and our security consultants' experience so organizations can benefit from them. By examining what we've learned about attackers from helping organizations in hundreds of cases, you can prioritize your resources and focus your efforts on mitigating the risks you deem most significant. The goal is to understand:

* What attackers are doing (or trying to do).
* How attackers are doing it.
* What contributes to attackers' success.
* What you can do to protect your organization.

To answer these questions, Unit 42 analyzed hundreds of incident response (IR) cases over the past year to extract critical details and insights. We also conducted in-depth interviews with experienced consultants to learn what they believe organizations most need to know to be more [resilient](https://www.paloaltonetworks.com/blog/2021/09/cyber-resilience/) and [prepared](https://www.paloaltonetworks.com/blog/2022/01/threat-intel-informed-cybersecurity/).

The [2022 Unit 42 Incident Response Report](https://www.paloaltonetworks.com/unit42/2022-incident-response-report) provides our findings, shedding light on key attack tactics and trends that reveal how the threat landscape is evolving, so you can adapt your defenses to protect your organization's assets and operations.
## What Attackers Are Doing (or Trying to Do)

Most attacks appear to be financially motivated. Commonly affected organizations are in industries that store, transmit and process high volumes of monetizable information. The finance, professional and legal services, manufacturing, healthcare, high tech, and wholesale and retail industries together accounted for 63% of our IR cases.

![Top affected industries in 2022, according to Unit 42 incident response cases (in order): finance, professional and legal services, manufacturing, healthcare, high technology, wholesale and retail, education, hospitality](https://www.paloaltonetworks.com/blog/wp-content/uploads/2022/07/Unit42-IR-Report-industries-Cropped.jpg)

Figure 1. Top affected industries in 2022, according to Unit 42 incident response case data.

Attackers can sell the data or hold it hostage to extract a payout, because they know that organizations in these industries depend on the integrity and privacy of their information to operate and compete.

## How Attackers Are Operating

Ransomware and business email compromise (BEC) were the top incident types observed in our cases over the past year, together accounting for approximately 70%.

The top three access vectors that threat actors used to get into an organization's environment were phishing, exploitation of known software vulnerabilities, and brute-force credential attacks, the latter aimed primarily at Remote Desktop Protocol (RDP) on victims' systems that were directly exposed to the internet. These three were the suspected initial entry vectors in more than 77% of intrusions.

![Suspected Means of Initial Access: Phishing 37%, Software vulnerabilities 31%, Brute-force credential attacks 9%, Previously compromised credentials 6%, Insider threat 5%, social engineering 5%, abuse of trusted relationships 4%, others 3%](https://www.paloaltonetworks.com/blog/wp-content/uploads/2022/07/Unit42-IR-Report-initial-access-Cropped.jpg)

Figure 2. Suspected means of initial access according to Unit 42 incident response case data.

## What Contributes to Attackers' Success

When investigating why breaches were successful, our team identified seven common contributing factors:

1. Lack of multi-factor authentication -- 50% of cases
2. No endpoint detection and response (EDR) security solution to detect and respond to malicious activity -- 44% of cases
3. No or poor patch management procedures -- 28% of cases
4. No account lockout mitigations in place against brute-force credential attacks -- 13% of cases
5. Failure to review and act on security alerts -- 11% of cases
6. Weak password security practices -- 7% of cases
7. System misconfigurations -- 7% of cases

In many cases, the organizations we worked with had been taking the right steps *most* of the time -- but attackers only need to find *one* gap to be successful. We saw cases where a bit of "shadow IT" -- unauthorized devices -- or a half-forgotten legacy system wound up putting the entire organization at risk. We see this list as a guide you can use to double-check that your key protections are in place.

## What You Can Do to Protect Your Organization

Based on the themes that come up again and again in our IR cases, our consultants highlighted the top six things you can do to improve your organization's security posture and make it harder for attackers to succeed:

1. Conduct phishing prevention and recurring employee and contractor security training.
2. Disable any direct external RDP access. Ensure all external remote administration is conducted through an enterprise-grade virtual private network (VPN) with multi-factor authentication (MFA) required.
3. Patch internet-exposed systems as quickly as possible (following leading practices for testing and responsible deployment) to prevent vulnerability exploitation.
4. Implement MFA as a technical control and security policy for all users.
5. Require that payment verification takes place outside of email to ensure a multi-step verification process.
6. Consider a credential breach detection service and/or an attack surface management solution to help track vulnerable systems and potential breaches.

## Other Insights You'll Find in the 2022 Unit 42 Incident Response Report

In addition to the findings outlined here, the report includes in-depth spotlights on ransomware, BEC and cloud incidents -- three types of incidents that we believe all organizations should prepare to defend against. We share actionable information on what attackers do once they've breached a network. Our consultants predict how attackers may shift their tactics and goals in the coming year.

Finally, our security experts take you far beyond the six fundamentals described above. We offer in-depth recommendations for how to improve your security posture, grouped so you can focus on the risks you most want to mitigate.

Download the full [2022 Unit 42 Incident Response Report](http://start.paloaltonetworks.com/2022-unit42-incident-response-report) to learn more, and register to attend the [2022 Incident Response Report webinar](https://register.paloaltonetworks.com/unit42incidentresponsereport22) to hear our security experts discuss the key findings in the report and answer your questions live.

## Get in Touch

Want help to prepare for or respond to a cyber incident? Call in the experts. If you think you may have been impacted by a cyber incident or have specific concerns about any of the incident types discussed here, please [contact Unit 42](https://start.paloaltonetworks.com/contact-unit42.html) to connect with a team member. The [Unit 42 Incident Response team](https://www.paloaltonetworks.com/unit42/respond/incident-response) is available 24/7/365. If you have cyber insurance, you can request Unit 42 by name.
You can also take preventative steps by requesting any of our [cyber risk management services](https://www.paloaltonetworks.com/unit42/assess).