2022 SonicWall Cyber Threat Report

Cybercrime has evolved, making it harder for defenders to protect against, detect and stop attacks from entering their networks. As the pace of cyberattacks continues to increase — and the ways threat actors breach and infiltrate systems continue to become more targeted and evasive — our future will increasingly belong to the proactive.

Over the past 12 months, SonicWall Capture Labs threat researchers have diligently tracked the meteoric rise in cyberattacks, as well as trends and activity across all threat vectors, including:

  • Ransomware
  • Cryptojacking
  • Encrypted threats
  • IoT malware
  • Zero-day attacks and more

These exclusive findings are now available via the 2022 SonicWall Cyber Threat Report, which ensures SMBs, government agencies, enterprises and other organizations have the actionable threat intelligence needed to combat the rising tide of cybercrime.


Key Findings

  • Malware

    Total malware dipped just 4% in 2021, a turn from the 22% mid-year decline.

    Malware May Be Headed for a Rebound

    Malware was slightly down again in 2021, marking both a third straight year of decrease and a seven-year low. But while the overall trend is still positive, it’s going in the wrong direction.

    An uptick in attacks during the second half of 2021 almost completely erased the 22% drop in malware that researchers had recorded at the midyear point, bringing the total decrease for 2021 to just 4% — less than a tenth of the 43% decrease logged in 2020.

  • Ransomware

    Ransomware volume increased 105% year over year and is up 232% since 2019.

    Ransomware's Savage Reign

    In 2021, SonicWall threat researchers recorded 623.3 million ransomware attacks globally — an average of 2,170 attempts per customer. This total marked a 105% increase over 2020 and more than triple the number seen in 2019.

    The U.S. and the U.K., where attack volume jumped 98% and 227% respectively, bore the brunt of the spike.

  • ‘Never-Before-Seen’ Malware

    RTDMI™ discovered 442,151 never-before-seen variants in 2021, a 65% spike.

    2021 was another banner year for SonicWall’s patented Real-Time Deep Memory Inspection (RTDMI) technology. In Q4, RTDMI found more never-before-seen malware variants than in any quarter since its introduction in 2018.

    A total of 442,151 never-before-seen malware variants were identified in 2021, a 65% increase year-over-year and an average of 1,211 per day.

  • IoT Malware

    Global volume rose 6% in 2021, totaling 60.1 million hits by year’s end.

    IoT malware volume rose 6% in 2021, totaling 60.1 million hits by year’s end. While this isn’t good news, it’s at least better than it has been: In 2019 and 2020, IoT malware volume rose 218% and 66%, respectively.

    With no corresponding slowdown in the proliferation of connected devices, this suggests that attack volumes may be leveling off.

  • Cryptojacking

    Volume reached 97.1 million in 2021, the most SonicWall has ever recorded.

    Cryptojacking continued to surge last year, rising 19% globally to 97.1 million — the most attacks that SonicWall Capture Labs threat researchers have ever recorded in a single year. This increase was reflected in every region except Asia, where attack volume dropped 37%.

  • Encrypted Threats

    Malware sent via HTTPS increased 167% year-over-year.

    Encrypted threats increased sharply in 2021, climbing to 10.1 million attacks — a 167% increase year-over-year. In August, the number of encrypted attacks broke the 1 million mark for the first time, then continued to rise, reaching nearly 2.5 million by year’s end.

research and insights

How we source our data

Intelligence for the 2022 SonicWall Cyber Threat Report was sourced from real-world data gathered by the SonicWall Capture Threat Network, which securely monitors and collects information from global devices including:

  • 1.1m+ Global Sensors
  • 215+ Countries & Territories
  • 28m+ Malware Attacks Blocked Per Day
  • 24x7x365
  • <24hrs Threat Response
  • 140k+ Malware Samples Collected Daily

2021 in Review

  • MARCH 28

    Australian broadcaster Channel Nine is hit by a cyberattack that takes the channel temporarily off air

  • MAY 7

    Colonial Pipeline shuts down due to ransomware attack

  • MAY 30

    Chemical distribution company Brenntag pays a $4.4 million ransom in Bitcoin to the DarkSide ransomware gang

  • JUNE 14

    A Cognyte database of more than 5 billion records collected from a range of previous data incidents is exposed on the web without a password or any other authentication required to access it

  • JULY 2

    Kaseya becomes the victim of a supply chain ransomware attack that leverages a vulnerability in Kaseya's VSA software

  • AUGUST 12

    Consulting giant Accenture is breached by ransomware threat actors


    MediaMarkt falls victim to a ransomware demand of $240 million attributed to the Hive ransomware group