Content, Content, Ransomware, Vertical markets

Top Ransomware Attack Targets: Telecom Leapfrogs Healthcare

Aerial drone view of a cellular tower in evening light.

Telecommunications overtook healthcare as the most frequently targeted sector of ransomware hijackers in the first three months of 2022, based on Cisco’s Talos unit's cybersecurity engagements.

While ransomware was the top threat during Q1 2022 as seen by Cisco’s Talent Incident Response (CTIR) team, a wider variety of malware was used by the threat actors. For example, Cisco said it did not see any ransomware family used more than once during the quarter. The group concluded that the threat landscape has become more accessible to a wide range of threat actors.

Here are some of the report’s highlights: (via Cisco Talos incident response quarterly summary)

Top threats.

  • Even though ransomware was the top threat during the quarter, it made up only 25 percent of all threats, a slightly drop from the 27 percent of the prior period.
  • This quarter also saw the first appearances of three ransomware families, including Cerber (aka CerberImposter), Entropy and Cuba.
  • Attackers frequently exploited the high-profile Log4j vulnerability.
  • Wave Browser, a supposed web browser, is a potentially unwanted program associated with adware and browser hijacking that Cisco’s incident response team has linked to subsequent malicious activity.


  • The Conti ransomware-as-a-service (RaaS) gang experienced several waves of leaks over the past quarter, disclosing the malware’s source code and other key pieces of information regarding the group. Cisco said it expects the leaks may make threat actor attribution more difficult in cases involving typical Conti TTPs.
  • An increase in APT-type activity, specifically attacks from the Iranian state-sponsored MuddyWater group and the China-based Mustang Panda actor deploying the PlugX remote access trojan.
  • Adversaries exploited the Log4j vulnerability to target VMware Horizon servers, which CTIR saw in engagements this quarter, with attackers leveraging the vulnerability to install malicious cryptocurrency miners.
  • Although Log4j has been in the wild for several months, CTIR expects attackers will consistently include it in their tactics going forward.
D. Howard Kass

D. Howard Kass is a contributing editor to MSSP Alert. He brings a career in journalism and market research to the role. He has served as CRN News Editor, Dataquest Channel Analyst, and West Coast Senior Contributing Editor at Channelnomics. As the CEO of The Viewpoint Group, he led groundbreaking market research.