# If you know what attackers are after, you know what to protect most.

2022 incident response attack trends, most common incident types, how attackers gain initial access, what vulnerabilities they exploit and which industries they target

## Dive Deeper with Unit 42 Experts

### Stay ahead of attacks.

Ransomware and business email compromise (BEC) made up the majority of cases Unit 42® responded to over the past year. Hear expert insights on preparing for and responding to the evolving threat landscape.

[Watch on demand](https://start.paloaltonetworks.com/2022-unit42-incident-response-report-webinar)

### Perfect your pitch.

Our clients ask for help to frame risks and threats with their leadership, especially the board of directors. Join our executives for a conversation on how to use the Incident Response Report to strengthen your argument.

[Watch on demand](https://register.paloaltonetworks.com/4irinsightsyourboardmustknow)

Download the 2022 Unit 42 Incident Response Threat Report

insights on

### Most Common Attacks

Ransomware and BEC were the top attacks we responded to over the past year, accounting for approximately 70% of our incident response cases.

01 RANSOMWARE

### Attackers are asking for and getting higher ransom payouts

As of June, the [average ransomware payment](https://www.paloaltonetworks.com/blog/2022/06/average-ransomware-payment-update/?ts=markdown) in cases worked by Unit 42 incident responders in 2022 was US$925,162 -- a 71% increase compared to 2021.

* $30M USD: Biggest Ask
* $8.5M USD: Biggest Payout

![Average Ransom Demand by Industry](https://www.paloaltonetworks.com/content/dam/pan/en_US/images/prisma/icons/interactiveIcons/Unit-42-Incident-Response-Report-Graphs-R6_avg-demand.jpg)

### **Case Study:** BlackCat Ransomware

[Watch now](https://players.brightcove.net/1050259881001/default_default/index.html?videoId=6309887304112)

Incident response report predictions: [Download PDF](https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/unit42/2022-Unit-42-Incident-Response-Report-Predictions.pdf?ts=markdown)

### Attackers use multiextortion techniques to maximize profit.

Ransomware actors typically encrypt an organization's files -- but increasingly, they also name and shame their victims, increasing the pressure to pay. Many ransomware groups maintain dark web leak sites for the purpose of double extortion.

Threat actors have increasingly favored extortion -- whether in combination with other techniques or on its own. 4% of Unit 42 cases involved extortion without encryption, and we expect this percentage to rise.

### RaaS is helping drive an increase in unskilled threat actors.

Ransomware as a service (RaaS) is a business for criminals, by criminals. They normally set the terms for ransomware, often in exchange for monthly fees or a percentage of ransoms paid. RaaS makes carrying out attacks that much easier, lowering the barrier to entry and accelerating the growth of ransomware.

02 CLOUD INCIDENTS

### Misconfiguration is the primary cause in cloud breaches

Nearly 65% of known cloud security incidents were due to misconfigurations. The main culprit? IAM configuration.

We analyzed more than 680,000 identities across 18,000 cloud accounts from 200 different organizations. What we found is that nearly all lacked the proper IAM policy controls to remain secure.

03 BEC

### Business email compromise is more than a nuisance.

The U.S. Federal Bureau of Investigation calls BEC the "$43 billion scam." This refers to the incidents reported to the Internet Crime Complaint Center from 2016--2021.

Unit 42's telemetry on BEC attack campaigns has resulted in the arrest of BEC actors in Operation Falcon II and Operation Delilah.

insights on

### How Attackers Get In

The top three initial access vectors for adversaries were phishing, known software vulnerabilities and brute force credential attacks (primarily on remote desktop protocol).

77% of suspected root causes for intrusions came from phishing, vulnerability exploits and brute force attacks.

04 VECTORS

### Attackers used phishing 40% of the time to gain initial access

Attackers are looking for easy ways in. Phishing is a low-cost method with high results for attackers. We've provided "10 Recommendations to Prevent Phishing Attacks" in our report.

insights on

### Vulnerabilities Are Doorways

87% of cases in which the exploited vulnerabilities were identified came from just six CVE categories.

05 LOG4SHELL

### Log4Shell: A critical vulnerability with continuing impact

A zero-day remote code execution (RCE) vulnerability in Apache Log4j 2 was identified as being exploited in the wild on December 9, 2021. Log4Shell was rated a 10 on the Common Vulnerability Scoring System (CVSS) -- the highest possible score. By February 2, we observed almost 126 million hits triggering the Threat Prevention signature meant to protect against attempts to exploit the Log4j vulnerability. Log4j accounted for nearly 14% of the cases in which attackers exploited vulnerabilities to gain access over the last year -- despite only being public for a few months of the time period we studied.

As recently as June 23, CISA released an advisory warning that malicious actors [continue to exploit Log4Shell](https://www.paloaltonetworks.com/blog/2022/06/average-ransomware-payment-update/?ts=markdown) in VMware Horizon Systems.

[Another Apache Log4j Vulnerability Is Actively Exploited in the Wild](https://unit42.paloaltonetworks.com/apache-log4j-vulnerability-cve-2021-44228/)

06 ZOHO

### Zoho Vulnerabilities Used by Sophisticated, Difficult-to-Detect Campaigns

U.S. CISA released an alert on September 16, 2021, warning that advanced persistent threat (APT) actors were actively exploiting newly identified vulnerabilities in the self-service password management and single sign-on solution Zoho ManageEngine ADSelfService Plus. Unit 42 later disclosed a persistent, sophisticated, active and difficult-to-detect campaign using the vulnerabilities, tracked as TiltedTemple.

The TiltedTemple campaign attacked more than 13 targets across the technology, defense, healthcare, energy, finance and education industries, apparently aiming to gather and exfiltrate sensitive documents from compromised organizations. Zoho ManageEngine ADSelfService Plus accounted for about 4% of the vulnerabilities threat actors exploited to gain initial access in our incident response cases.

The nature of some of the observed attacks, however, underscores that volume is not the only consideration when evaluating risk related to a vulnerability.

[APT Expands Attack on ManageEngine With Active Campaign Against ServiceDesk Plus](https://unit42.paloaltonetworks.com/tiltedtemple-manageengine-servicedesk-plus/)

07 PROXYSHELL

### ProxyShell: most common vulnerabilities exploited by attackers in recent Unit 42 cases

ProxyShell is an attack chain that works by exploiting three vulnerabilities in Microsoft Exchange: CVE-2021-34473, CVE-2021-34523 and CVE-2021-31207. The attack chain allows attackers to perform remote code execution, which means they would be able to run malicious code on compromised systems without needing physical access to them.

U.S. CISA issued an [urgent advisory](https://www.paloaltonetworks.com/blog/2022/06/average-ransomware-payment-update/?ts=markdown) against ProxyShell on August 21, 2021. Attackers actively exploited ProxyShell almost as soon as it was disclosed -- in Unit 42 cases where attackers gained initial access by exploiting a vulnerability, they used ProxyShell more than half the time.

insights on

### Industries

The top affected industries in our case data were finance, professional and legal services, manufacturing, healthcare, high tech, wholesale and retail.

These industries accounted for 63% of our cases.

Organizations within these industries store, transmit and process high volumes of monetizable sensitive information, which may attract threat actors.

Attackers are often opportunistic -- in some cases, an industry may be particularly affected because, for example, organizations in that industry make widespread use of certain software with known vulnerabilities.

08

### Top Affected Industries in 2022

![Top Affected Industries in 2022](https://www.paloaltonetworks.com/content/dam/pan/en_US/images/prisma/icons/interactiveIcons/animated-bar-chart.gif)

#### Finance

The average ransom demand we observed in the past year for the finance industry was nearly US$8 million. However, the average payment was only about US$154,000 -- representing about 2% on average of the demand in cases where organizations decided to pay the ransom.

#### Healthcare

The average ransom demand we observed in the past year for the healthcare industry was over US$1.4 million. And the average payment was US$1.2 million, representing about 90% on average of the demand in cases where organizations decided to pay the ransom.

09

### Top 6 Recommended Best Practices

The cyberthreat landscape can be overwhelming. Every day brings news of more cyberattacks and more sophisticated attack types. Some organizations may not know where to start, but our security consultants have some suggestions. Here are six of them:

1. Conduct recurring training for employees and contractors in phishing prevention and security best practices.
2. Disable any direct external RDP access by always using an enterprise-grade MFA VPN.
3. Patch internet-exposed systems as quickly as possible to prevent vulnerability exploitation.
4. Implement MFA as a security policy for all users.
5. Require all payment verification to take place outside of email, ensuring a multistep verification process.
6. Consider a credential breach detection service and/or attack surface management solution to help track vulnerable systems and potential breaches.

## Get the report

Discover the top cyberattack methods and find out how to defend against them.

#### Your report is ready for download!

We hope you find this report insightful as you work towards securing your organization and preventing future attacks.

[Download PDF](https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/2022-unit42-incident-response-report-final.pdf?ts=markdown)
[Documents](https://www.paloaltonetworks.com/legal?ts=markdown) Copyright © 2025 Palo Alto Networks. All Rights Reserved * [![Youtube](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/youtube-black.svg)](https://www.youtube.com/user/paloaltonetworks) * [![Podcast](https://www.paloaltonetworks.com/content/dam/pan/en_US/images/icons/podcast.svg)](https://www.paloaltonetworks.com/podcasts/threat-vector?ts=markdown) * [![Facebook](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/facebook-black.svg)](https://www.facebook.com/PaloAltoNetworks/) * [![LinkedIn](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/linkedin-black.svg)](https://www.linkedin.com/company/palo-alto-networks) * [![Twitter](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/twitter-x-black.svg)](https://twitter.com/PaloAltoNtwks) * EN Select your language