The volume of threats that security teams see on a daily basis can make it especially difficult to look at the big picture when it comes to developing an effective cybersecurity strategy. To see through the flood of data and alerts, organizations depend on actionable threat intelligence to help them understand and mitigate risks. Looking at long-term trends can also help organizations make effective decisions for allocating resources to prevent costly breaches, ransomware and destructive attacks.

IBM’s annual X-Force Threat Intelligence Index presents an overview of the threat landscape and cybersecurity risk trends of the past year, based on IBM X-Force analysis of data from hundreds of millions of IBM Security-protected endpoints and servers, spam sensors, IBM Security managed services, red team, and incident response engagements.

IBM X-Force research teams came together to look at the trends that shaped the information security landscape in 2019, following the data to highlight the most prominent trends that can help organizations better assess risk factors, understand relevant threats and bolster their security strategy in 2020 and beyond.

Among the findings in this year’s X-Force Threat Intelligence Index, a few stand out: the most common attack vectors, the evolution of ransomware and malware, and the risks posed by accidental breaches caused by factors such as misconfigurations, inadvertent insiders, and old, continually exploited software vulnerabilities. New data from 2019 also showed a trend toward attacks on operational technology (OT), posing threats to industries such as energy and manufacturing. Finally, this year’s report provides geographic insights to show how threats vary by country or region.

Download the report

Attackers Are on the Path of Least Resistance

With access to billions of compromised records over the past decade, rampant credential reuse and an ever-growing number of unpatched vulnerabilities to prey on, attackers took the path of least resistance through a number of ways to gain access and compromise organizations’ security.

According to data in this year’s report, initial infection vectors used by attackers were fairly evenly divided between phishing attacks, unauthorized use of credentials and exploitation of vulnerabilities. Out of the top attack vectors in 2019, 31 percent of attacks relied on phishing (down from about half of attacks in 2018). The share of attacks using stolen credentials in 2019 was close behind at 29 percent. Meanwhile, attacks on known vulnerabilities increased significantly as a share of the top attack vectors, up to 30 percent in 2019 versus 8 percent in 2018.

Ransomware — The Bane of the Decade

Ransomware attacks have been an increasing issue in the past five years, and in 2019, this threat evolved into an all-out digital hostage crisis. When companies are not paying millions for a decryption key, they may see their data destroyed or published on the internet, or they may even become the victims of a destructive attack as retaliation for not paying criminals.

Our data shows a considerable rise in ransomware incidents in 2019, almost doubling between the second half of 2018 (10 percent) and the first half of 2019 (19 percent). Ransomware affected companies in a large variety of industries, in both the public and private sectors and 12 countries across the globe. Top targets for these attacks were retailers, manufacturing and transportation, sectors where downtime is detrimental to operations, which adds to the pressure to pay. Another potential reason could include the ease of exploitation of legacy systems and lax security programs in some sectors.

Healthcare organizations also faced the wrath of ransomware in 2019, and with attacks on the industry affecting a large number of facilities, the threat to human lives compelled organizations to pay to regain operational capabilities.

Organized Cybercrime Driving Rise in Attacks

One of the biggest drivers of ransomware becoming a prolific threat to organizations in 2019 was the move of organized cybercrime gangs from the banking Trojan realms into the enterprise attack arena. Banking Trojan operators are already known to be professional, sophisticated attackers who operate as a business. These capabilities, combined with access to already-compromised networks and an ability to spread to pivotal assets, have given ransomware like Ryuk, DoppelPaymer, LockerGoga, Sodinokibi and MegaCortex the ability to extort victimized organizations for millions of dollars. Those who did not pay up often faced arduous recovery processes that were no less costly or faster.

Law enforcement continues to discourage companies from paying ransoms as a way to reduce the profitability of high-stakes attacks and deter attackers in the long run.

Of note in 2019 was code innovation in the malware arena. Attackers in this sphere constantly evolve their code to bypass security controls. According to data from Intezer, banking Trojans and ransomware showed the most innovation in their genetic code, with an increase in new (previously unobserved) code from 2018 to 2019. Some 45 percent of banking Trojan code was new in 2019, compared to 33 percent in 2018, while 36 percent of ransomware code was new in 2019, compared to 23 percent in 2018.

Misconfigurations and Insider Threats Expose Billions of Records

With over 8.5 billion records leaked or compromised in 2019, it was a big year for lost data. But could these numbers have been lower? Our analysis finds that of the more than 8.5 billion records breached in 2019, 86 percent were compromised via misconfigured assets, including cloud servers and a variety of other systems. The same issues affected only half of the records breached in 2018. As organizations move to the cloud, security must remain a high priority, especially when it comes to proper configuration, access rights and privileged account management (PAM).

More records exposed equals more credentials up for grabs that can be used as an initial entry point into businesses. It is high time for organizations to pay closer attention to these potential security gaps and favor automation to limit human error and misconfiguration.

Other Highlights From the Report

OT attacks hit an all-time high. Malicious activity targeting operational technology assets, most notably industrial control systems (ICS), increased 2000 percent year-over-year in 2019, marking the largest number of attempted attacks on ICS and OT infrastructure in three years.

Tech and social media giants were the top spoofed brands in 2019, with attackers using various cybersquatting tactics to gain the trust of potential victims.

Nearly 60 percent of the top 10 spoofed brands identified were Google and YouTube domains, with Apple (15 percent) and Amazon (12 percent) coming in next. Facebook, Instagram, Netflix and Spotify were also among the top 10 spoofed brands.

With nearly 10 billion accounts combined, the top 10 spoofed brands listed in the report offer attackers a wide target pool, increasing the likelihood of credential theft and account takeover.

North America and Asia were the most targeted regions. For the first time this year, the X-Force Threat Intelligence Index included geo-centric insights on the threat trends we’ve seen on a regional basis. North America and Asia suffered the largest data losses, having seen 5 billion and 2 billion records compromised, respectively.

Discover More in the X-Force Threat Intelligence Index

IBM X-Force research for this report has a truly global reach, based on insights and observations from monitoring over 70 billion security events per day in more than 130 countries. For more insights about the global threat landscape and the threats most relevant to your organization, download the X-Force Threat Intelligence Index and sign up for the webinar to dive deeper into the findings from this year’s report.

Download the latest X-Force Threat Intelligence Index

Learn more about IBM Security X-Force’s threat intelligence and incident response services.

More from Advanced Threats

Phishing kit trends and the top 10 spoofed brands of 2023

4 min read -  The 2024 IBM X-Force Threat Intelligence Index reported that phishing was one of the top initial access vectors observed last year, accounting for 30% of incidents. To carry out their phishing campaigns, attackers often use phishing kits: a collection of tools, resources and scripts that are designed and assembled to ease deployment. Each phishing kit deployment corresponds to a single phishing attack, and a kit could be redeployed many times during a phishing campaign. IBM X-Force has analyzed thousands of…

Grandoreiro banking trojan unleashed: X-Force observing emerging global campaigns

16 min read - Since March 2024, IBM X-Force has been tracking several large-scale phishing campaigns distributing the Grandoreiro banking trojan, which is likely operated as a Malware-as-a-Service (MaaS). Analysis of the malware revealed major updates within the string decryption and domain generating algorithm (DGA), as well as the ability to use Microsoft Outlook clients on infected hosts to spread further phishing emails. The latest malware variant also specifically targets over 1500 global banks, enabling attackers to perform banking fraud in over 60 countries…

A spotlight on Akira ransomware from X-Force Incident Response and Threat Intelligence

7 min read - This article was made possible thanks to contributions from Aaron Gdanski.IBM X-Force Incident Response and Threat Intelligence teams have investigated several Akira ransomware attacks since this threat actor group emerged in March 2023. This blog will share X-Force’s unique perspective on Akira gained while observing the threat actors behind this ransomware, including commands used to deploy the ransomware, active exploitation of CVE-2023-20269 and analysis of the ransomware binary.The Akira ransomware group has gained notoriety in the current cybersecurity landscape, underscored…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today