Publications

The nature of cyber incidents

Kaspersky provides incident response services and trainings to organizations around the world. In our annual incident response report, we share our observations and statistics based on investigation of real-life incidents. The report contains anonymized data collected by the Kaspersky Global Emergency Response Team (GERT), which is our main incident response and digital forensics unit. Researchers from Europe, Asia, North and South America, Africa, and Middle East work on Kaspersky GERT.

Since 2020, when the COVID-19 pandemic forced organizations to switch to working from home, our services have adapted to the new normal. In 2021, 98% or our incident response services were provided remotely.

2021 in numbers

  • The majority of requests for incident response services came from our customers in Europe (30.1%), the CIS (24.7%), and the Middle East (23.7%).
  • Industrial (30.1%), governmental (19.4%) and financial (12.9%) organizations remain the most targeted ones.
  • In 53.6% of cases, exploitation of vulnerabilities in public-facing applications was the initial infection vector.
  • 51.9% of incidents were ransomware attacks, and in 62.5% of those cases, cybercriminals had had access to target systems for more than a month before they started file encryption.
  • In 40% of incidents, cybercriminals used legitimate tools.

More details on cyberincidents and response measures can be found in the full version of the report. It includes following information:

  • Review of 2021 trends
  • Reasons for organizations to suspect an incident and request response
  • Initial access vectors
  • Exploits and tools used by cybercriminals
  • Attack durations and response times
  • Recommendations on protection against the threats

To download the full report (in PDF), please fill in the form below. Note that if you have strict security settings enabled in your browser, you will need to add this page to exceptions to see the form.

The nature of cyber incidents

Your email address will not be published.

 

  1. Sasa Mrdovic

    Thank you for sharing.

  2. Edward Rohmer

    Interested in how baseline hardening standards.

    1. Securelist

      Hi Edward!

      If you want to get the report, please, fill in the other form in the post. If you don’t see any other forms except the comment form, try to add this page to exceptions in your ad blocker and browser privacy settings.

  3. Alex Koskey

    Report

    1. Securelist

      Hi Alex!

      If you want to get the report, please, fill in the other form in the post. If you don’t see any other forms except the comment form, try to add this page to exceptions in your ad blocker and browser privacy settings.

  4. Allen

    Thanks for sharing.

Reports

Kimsuky’s GoldDragon cluster and its C2 operations

Kimsuky (also known as Thallium, Black Banshee and Velvet Chollima) is a prolific and active threat actor primarily targeting Korea-related entities. In early 2022, we observed this group was attacking the media and a think-tank in South Korea.

Andariel deploys DTrack and Maui ransomware

Earlier, the CISA published an alert related to a Stairwell report, “Maui Ransomware.” Our data should openly help solidify the attribution of the Maui ransomware incident to the Korean-speaking APT Andariel, also known as Silent Chollima and Stonefly.

Subscribe to our weekly e-mails

The hottest research right in your inbox