Ransomware Attack Trends in the Financial Sector
Where the Real Risk Lies
Ransomware Attacks on Finance Trend Downward
In 2023, 191 companies from the financial sector were targeted by ransomware attacks. This number dropped to 156 in 2024. As of mid-2025, only 55 incidents have been recorded.
Ransomware Attacks on the Financial Sector
2023
2024
2025 (June)
So, what explains this notable decrease? We’ll get to that soon. But first, let’s look closer at the ransomware activity within the industry.
Subindustry Review
The financial sector is not a monolith. Ransomware actors tend to focus on specific subindustries with varying frequency.
- Financial Investment Activities accounted for the highest share of attacks at 27.6%, likely due to the direct access to funds and sensitive customer data.
- Depository Credit Intermediation (e.g., traditional banking institutions) followed closely at 23.6%, showing that wealth management and private equity are also high-value targets.
- Interestingly, Nondepository Credit Intermediation (such as leasing and lending companies) represented 13.2% of cases, slightly ahead of Credit Intermediation Services at 12.4%.
These figures suggest that attackers are diversifying their targets within the sector, although traditional banks still bear the brunt of activity.
Ransomware Attacks by Finance Subindustry
Ransomware Attacks on the Finance Sector by Country
Country Review
The country distribution shows that the biggest targets are among the richest for big payouts.
- The United States remains by far the most targeted country in financial ransomware cases, accounting for 49.6% of all incidents. This dominance is expected, given the concentration of financial infrastructure, fintech innovation, and capital in the U.S. market.
- Following the U.S., countries like India (5.5%), the United Kingdom (5.2%), and Canada (3%) also emerged as notable targets. The relatively high number of attacks in these regions reflects both their digital maturity and the attractiveness of their financial ecosystems.
- The "Others" category still makes up 26.4%, which hints at the growing global spread of ransomware beyond traditionally targeted geographies.
Threat Actor Review
The threat actor distribution shows that while the big names still matter, fragmentation is real.
- LockBit 3.0 and Clop led the chart with 14.4% and 13.7% shares respectively, both known for bold, large-scale operations.
- AlphaVM (BlackCat), KillSecurity, and RansomHub made up the mid-tier group with around 5–5.5% each.
- What’s most striking is the 26.6% share attributed to “Others”, which includes numerous emerging or short-lived groups. This reinforces the idea that while the dismantling of major groups may have reduced direct threats temporarily, the ransomware landscape is now more fragmented, unpredictable, and opportunistic than ever.
Why Are Ransomware Attacks on Finance Down?
The financial sector is among the most heavily protected industries.
Breaching these systems is significantly more challenging due to several factors:
Sensitive Data and High Stakes
The data held by financial institutions is directly tied to money and highly sensitive customer information (e.g., bank accounts, credit card numbers, social security numbers). Significant and advanced security defenses protect these high-value assets.
Stringent Regulations and Compliance
Financial institutions operate under a vast array of strict regulations, such as those from the SEC, FINRA, and various international bodies. These regulations include cybersecurity practices, data protection standards, and incident reporting requirements.
Dedicated Security Resources
Financial companies typically employ Chief Information and Security Officers (CISOs) and dedicated security teams whose primary responsibility is to safeguard their systems and processes. This includes continuous monitoring, threat intelligence, and rapid incident response capabilities.
Government and Law Enforcement Collaboration
There's often close collaboration between financial institutions and government agencies to counter cyber threats. Major ransomware groups that historically targeted financial organizations have been actively dismantled by government agencies, making direct attacks harder and less appealing for newer or less skilled groups.
The ransomware business ecosystem has changed.
As we highlighted in our 2025 Ransomware Report, the dismantling of major and well-equipped ransomware groups like LockBit and AlphV led to fragmentation within the ecosystem. While these larger and more established groups possessed the capability to target Financial Services companies, the smaller, less sophisticated groups that remain lack the same means to attack a well-protected industry.
In the absence of these larger groups, we now observe that Ransomware-as-a-Service (RaaS) tools are being sold for very low prices, typically between $100 and $1,000 per attack. This has opened the door for less experienced individuals to enter the ransomware scene. In fact, every day, new groups emerge and carry out attacks. But breaching financial defenses remains significantly more challenging. As a result, newer and less skilled groups often prefer to avoid targeting such high-security environments.
The Future of Ransomware Attacks on the Financial Sector
While direct attacks on the financial sector appear to be decreasing, this trend is not guaranteed to continue. The cyber threat landscape is highly dynamic, and attackers are quick to adapt. Smaller, less capable groups may evolve over time and become more organized.
With the increasing use of AI-powered automation tools, easier access to technical knowledge, and the growing availability of open-source exploit kits, even actors once considered “inexperienced” could gain the ability to conduct sophisticated attacks. Moreover, attackers may shift from targeting financial institutions directly to exploiting weaker links within their ecosystems.
This brings us to a critical point: third-party risk.
Finance’s Vendors Pose a Greater Risk
Even though financial institutions have made significant progress in securing their own systems, vendor-related exposures remain a major concern. External service providers, software vendors, and infrastructure partners often serve as alternative, and more vulnerable, entry points for attackers.
Therefore, while the drop in direct attacks is promising, the risk of indirect access through third parties continues to pose a serious threat to the financial sector.