Posted: 2 Min ReadRansomware
Translation: 日本語

The Ransomware Threat Landscape: What to Expect in 2022

Targeted ransomware continues to grow as TTPs evolve and new threat actors emerge

Ransomware continued to be the most significant cyber threat facing enterprises during 2021. While ransomware gangs are currently experiencing a period of turmoil and disruption, there is no guarantee that the threat posed by ransomware will abate in 2022, since similar disruptions in the past were usually followed by the emergence of new threats.

According to a new whitepaper published by the Symantec Threat Hunter team, part of Broadcom Software, targeted ransomware attacks continued to trend upwards in 2021, almost trebling between the first and final quarters of the year.

New Threats

One of the main developments during 2021 was the disappearance of established threat actors and the emergence of new groups to take their place. Of the major ransomware threats operating at the beginning of 2021, only Conti continued to remain active at year end.

During 2021, a number of high-profile ransomware operations disappeared. These included Leafroller (aka Sodinokibi, REvil), Coreid (Darkside and Blackmatter), and Avaddon.

However, a number of new actors have emerged to take their place. LockBit expanded rapidly following the departure of some of its rivals, while several new threats such as Pinion (Hive) and Sirex (AvosLocker) became quite active.

Evolving TTPs

One of the key trends noted in this research is the constantly evolving set of tools, tactics, and procedures (TTPS) employed by ransomware attackers. New TTPs emerge regularly as attackers bid to stay one step ahead of network defenders.

Ransomware groups these days now employ quite a diverse toolset, making use of a mixture custom malware, legitimate software, and operating system features (also known as living off the land).

Table 1. Top ten TTPs seen in ransomware investigations, April – December 2021
PsExec 34%
Cobalt Strike 18%
Mimikatz 11%
VssAdmin 10%
NetScan 7%
BITSAdmin 4%
AdFind 5%
Nsudo 5%
PowerShell 5%
MSIExec 4%
Animated gif

This diverse toolset is evident in the ten most frequently employed TTPs Symantec’s Threat Hunter Team found in ransomware investigations. The most frequently used tool, PsExec, is a Windows operating system feature that is often abused by attackers for executing processes on other systems. The next most frequently used tool was Cobalt Strike, which is off-the-shelf malware ostensibly sold as a penetration testing tool but is most frequently seen being used for malicious purposes.

New TTPs seen during the latter half of 2021 include abuse of VssAdmin, a legitimate Windows process that can be used to manage or delete shadow copies on Windows machines; along with abuse of MSIExec, a legitimate Windows installer that can be used by attackers to load malicious payloads onto targeted machines.

This was just a sample of the content in our latest whitepaper. Read the full paper for more insights into the ransomware threat landscape.


For the latest protection updates, please visit the Symantec Protection Bulletin.

Symantec Enterprise Blogs
You might also enjoy
9 Min Read

Daxin: Stealthy Backdoor Designed for Attacks Against Hardened Networks

Espionage tool is the most advanced piece of malware Symantec researchers have seen from China-linked actors.

Symantec Enterprise Blogs
You might also enjoy
4 Min Read

Ukraine: Disk-wiping Attacks Precede Russian Invasion

Destructive malware deployed against targets in Ukraine and other countries in the region in the hours prior to invasion.

About the Author

Threat Hunter Team


The Threat Hunter Team is a group of security experts within Symantec whose mission is to investigate targeted attacks, drive enhanced protection in Symantec products, and offer analysis that helps customers respond to attacks.

Want to comment on this post?

We encourage you to share your thoughts on your favorite social platform.