Skip Navigation
Get a Demo
 
 
 
 
 
 
 
 

Introduction

Trends

Red Canary performed an analysis of emerging and significant trends that we’ve encountered in confirmed threats, intelligence reporting, and elsewhere over the past year. We’ve compiled the most prominent trends of 2021 in this report to show major themes that may continue into 2022.

The technique and threat sections of this report are focused on detection data and identifying prevalent ATT&CK techniques and threats in those detections. The trends section takes us one step beyond that data and allows us to narrate events that might not be prevalent but may be emergent or otherwise deserve your attention.

Ransomware
Ransomware continued to dominate the 2021 threat landscape, and we observed operators take new approaches.
Supply chain compromises
Supply chain compromises were a major theme, starting with SolarWinds, Kaseya and NPM package compromises mid-year, and ending with Log4j.
Vulnerabilities
Adversaries exploited vulnerabilities affecting popular enterprise platforms to drop web shells, spread ransomware, and more.
Affiliates
The threat landscape continued its trend toward a software-as-a-service (SaaS) economy, muddying the already murky waters of attribution.
Crypters-as-a-service
Crypters like HCrypt and Snip3 joined the ranks of other "as-a-service" threats.
Common web shells
Adversaries exploited web applications with help from web shells such as China Chopper, Godzilla, and Behinder.
User-initiated initial access
We observed an uptick in threats that occurred after users sought out content which, often unbeknownst to them, was malicious.
Malicious macOS installers
Malicious installers led to rotten Apples and adware, as macOS systems continued to be targeted.
Remote monitoring and management abuse
Adversaries continued to use and abuse legitimate remote monitoring and management (RMM) software to move data and control infected hosts.
Linux coinminers
Coinminers once again dominated the Linux threat landscape.
Abusing remote procedure calls
Intrusions leveraging remote procedure calls (RPC) made waves, particularly PetitPotam and PrintNightmare.
Defense validation and testing
Confirmed testing comprised almost one quarter of our detections in 2021, with many coming from open source tools.

How to use our analysis

The 2021 trends section is intended to provide valuable insight and actionable recommendations for security leaders to make informed decisions. We offer advice to help defenders prepare, prevent, detect, and mitigate activity associated with each trend. The guidance we provide differs, since each trend requires a different approach. You might also use our analysis to help anticipate and plan for key trends that may continue into 2022, just as we saw with 2020 trends extending into 2021.

Defense validation and testing
Ransomware
 

See what it's like to have a security ally.

Experience the difference between a sense of security and actual security.
Get a Demo
 
 
 
 
Back to Top