M Trends 2021

M-Trends 2021: Cyber Security Insights

Combining the best of Mandiant cyber security expertise and threat intelligence with statistics and analysis from global frontline investigations, M-Trends is an industry-leading publication packed with security insights.


The 12th edition of M-Trends, released this April, outlines critical details on trending attacker behaviors to help security teams with strategy, planning and investment over the coming months. The 2021 findings include the:

  • Evolution of ransomware
  • Rise of internal incident detections
  • First drop in global median dwell time to below 30 days

Ransomware is Evolving

Mandiant experts have reported that there were twice as many ransomware-involved investigations in 2020 as in 2019. Research has revealed a distinct change in ransomware attacks, in which actors:

  • Deploy ransomware encryptors
  • Threaten to make stolen confidential data public via a data breach
  • Publish stolen data on a “name-and-shame” website

[Figure: Ransomware Chart]

Mandiant has labeled this activity “multifaceted extortion,” and it continues to be a leading concern for organizations as threat actors evolve their technology and adapt their tactics in response to the changing security landscape.

“Multifaceted extortion and ransomware are the most prevalent threats to organizations. In this year’s report, direct financial gain was the likely motive for at least 36% of the intrusions we investigated. Data theft and reselling of unauthorized access to victim organizations remain high as multifaceted extortion and ransomware actors have trended away from purely opportunistic campaigns in favor of targeting organizations that are more likely to pay large extortion demands. Given this surge, organizations must take proactive action to mitigate the potential impact.” – Charles Carmakal, Senior Vice President and Chief Technology Officer, Mandiant

Global Dwell Time Improves

Since 2011, Mandiant has been observing global median dwell time trends, reporting a drop to below one month for the first time in 2020, as organizations identify incidents almost twice as quickly as they did the previous year. Mandiant has attributed this reduction to:

  • The continued development and improvement of organizational detection and response capabilities
  • An evolution of the threat landscape

[Figure: Global Dwell Times]

The proportion of investigations involving ransomware rose to 25% in 2020, from 14% in 2019. The majority of these ransomware investigations (78%) had dwell times of 30 days or less.

[Figure: Dwell Time Investigation]

Internal Detections on the Rise

This year’s M-Trends notes a 12% increase in internal incident detection compared with the previous year. Mandiant experts observed organizations independently detecting most of their own incidents, which is in line with the overall trend observed over the last five years.

[Figure: Detection Source]

Regionally, 61% of incidents in the Americas were detected internally, with EMEA and APAC closely aligned at 53% and 52%, respectively. The report also shows that APAC and EMEA organizations received proportionally more notifications of compromise from external entities than those in North America.

The full 2021 M-Trends report contains additional findings including fresh detail on UNC2452, changes to targeted industries, pandemic-related threats and case studies.