Data Protection Tool

Why Financial Services Ransomware Is Dangerous

Picture of Tracy Rock

Tracy Rock

Director of Marketing @ Invenio IT


financial services ransomware

It’s no secret that financial services ransomware is a legitimate threat with potentially devastating consequences. In 2021, the New York Department of Financial Services issued a statement urging financial institutions to take the risk to heart, arguing that “a major ransomware attack could cause the next great financial crisis.”

Why is there such a high level of concern about ransomware in the financial industry? The answer boils down to two factors. Namely, banks and other financial institutions have enormous attack surfaces because of extensive digital transactions, and attacks in this sector have the potential for extremely damaging outcomes. It’s important for every business involved in financial services to understand the risk of ransomware and the steps that can be taken to prevent and recover from an attack.

How Does Ransomware Work?

Before we fully explore financial services ransomware, let’s first do a quick review of this cyber threat as a whole. Ransomware is only one of many types of malware, but it is consistently ranked as one of the greatest hazards for modern businesses.

How Infections Begin

There are many types of ransomware, but they all share a universal goal: to gain access to data, encrypt the files, and demand a ransom in exchange for restoration. Ransomware often spreads laterally across a network, locking up every computer or server it can access. This is how ransomware attacks become so destructive, rendering devices inoperable and halting business operations, often for painfully long periods of time.

Without a robust system of data backups available, businesses can be sidelined for days. Meanwhile, the costs continue to rise. Each hour of downtime at a large financial institution can cost hundreds of thousands of dollars, and that doesn’t even take into account the ransom demand.

Ransomware is typically delivered in one of three ways:

  • Malicious file attachments and URLs: The vast majority of attempted ransomware attacks on financial institutions come in the form of emails, which are often disguised as legitimate communications, such as invoices or statements. When users open the attachments or click the URLs, their computers are infected with ransomware.
  • System vulnerabilities: More sophisticated ransomware strains bypass the user altogether, exploiting vulnerabilities within the operating system or applications.
  • Malicious advertising/malvertising: In this method, hackers use rich-media ads to deliver the ransomware to unsuspecting users. In many cases, the ads and ad networks are compromised by attackers on legitimate websites.

The initial stages of a ransomware attack are meant to be invisible so that businesses do not realize that they are under siege until it’s too late.

What Follows an Infection

Regardless of how the attack begins, once it initiates, a very similar set of circumstances occur. The ransomware identifies specific files, often by extension type, and encrypts them so that the owner can no longer gain access. During the process of encryption, the ransomware also installs a ransom note indicating how much money the criminal is demanding and how it should be paid.

A common feature of many modern attacks, including those on financial services, is the double extortion scheme. In these scenarios, the ransom note not only demands payment but also warns the victim that data will be leaked if it is not promptly paid. This can be especially threatening to financial institutions that store highly sensitive data for millions of customers.

What’s the Current State of Ransomware in the Financial Industry?

To get a better picture of how much of an effect ransomware has on the financial industry, let’s dig into some recent numbers. According to a 2022 report from Sophos:

  • 55% of financial services organizations were affected by at least one ransomware attack in 2021.
  • 51% of those who experienced a ransomware event said that, during the most significant attack, the cybercriminals involved successfully encrypted their data.
  • 25% of these organizations paid the ransom to get their data back.
  • Even after paying the ransom, an average of only 63% of the encrypted data was restored.
  • The average cost for a financial institution to recover from a ransomware attack was $2.10 million. This number includes the cost of downtime, devices, and any ransom paid, as well as other expenses.

To add one more frightening statistic to the mix, consider that while most businesses in the first quarter of 2022 saw a decrease in the number of ransomware attacks, financial services saw a marked escalation. According to a report from the Anti-Phishing Working Group, there was a 35% increase in the number of phishing attacks targeting financial institutions compared to the previous year.

How Serious is the Risk of Ransomware in Financial Services?

Perhaps the best way to measure the threat level of ransomware in the financial sector is by looking at some real-life examples. Over the past several years, banks and other financial institutions around the globe have fallen victim to ransomware attacks, with some experiencing more serious damage than others.

CNA Financial

In March 2021, CNA Financial, a major insurance company in the United States, was hit by a ransomware attack. The group behind the attack, later identified as Phoenix CryptoLocker, used a fake browser update to infiltrate an employee workstation. The infection then spread laterally across the company’s network.

Reports from the incident show that Phoenix CryptoLocker was able to encrypt thousands of CNA systems, including remote devices that were logged into the virtual private network (VPN). The encrypted and stolen files included sensitive customer and employee data, such as:

  • Names
  • Social security numbers
  • Medical information
  • Benefits enrollment

In total, the breach affected 75,349 individuals. However, CNA stated that none of the data was widely released or reviewed, which would have placed the victims at high risk of identity theft.

Approximately two weeks after the attack, CNA paid $40 million to restore data and network control. The company’s experience serves as a powerful reminder of how even innocuous-looking updates can in fact be malicious and cause serious harm.

Pacific City Bank

The year 2021 was a busy one for ransomware attacks on financial services. At the end of August, the notorious Ransomware-as-a-Service (RaaS) gang AvosLocker attacked the community banking service provider Pacific City Bank. They did so by disabling endpoint security so that systems could be rebooted in Windows Safe Mode. This technique is especially effective because it automatically disables the majority of security solutions, making it easier to encrypt a victim’s files.

Among the data affected during the Pacific City Bank attack were:

  • Extracted loan application forms
  • Tax return documents
  • W-2 information for client firms
  • Payroll records for client firms
  • Full names, addresses, social security numbers
  • Wage and tax details

Following the attack, Pacific City Bank alerted all clients about the breach and advised them to closely monitor their personal finances for any irregular or potentially fraudulent behavior. They also offered free credit monitoring services to clients whose data may have been accessed.

Bank Indonesia

Another RaaS attack occurred in January 2022, when Conti targeted Bank Indonesia. This served as a stark reminder that the threat of ransomware is not exclusive to private banks and financial services. Government-run institutions are equally at risk.

During the Bank Indonesia attack, Conti claimed that it had stolen around 14 GB worth of files and threatened to leak the data if the bank didn’t pay the ransom. While the leadership at Bank Indonesia did acknowledge that the attack occurred, they reassured customers that it had no impact on services.


The AON attack provides an interesting contrast with CNA. Both companies are major players in the insurance industry, yet their experiences with cyber-attacks are extremely different.

CNA suffered massive financial consequences in the wake of the Phoenix CryptoLocker attack. When AON was attacked just under a year later, they reported very little damage. In fact, AON representatives stated that the effects on the company’s operations were minimal.

Nevertheless, the attack emphasizes that financial services ransomware is not limited to banks. AON operates as both an insurer and reinsurer, which means that it insures other insurance companies. As a result, the company has access to detailed customer information for other insurance companies, making it a prime target for cyber attackers.

One final point of comparison between CNA and AON is the lack of detailed information that the latter has provided about the attack. While CNA has thoroughly discussed the specifics of the incident, AON has been somewhat tight-lipped. Some reports have described the incident as a case of ransomware, while others have simply referred to it as a cyber attack. This doesn’t imply any bad behavior on the part of AON. After all, their experience was far less noteworthy than CNA’s. It does, however, raise important questions about the effect of public transparency when responding to these kinds of events.

Why do Cyber Attackers Target Financial Services?

Cyber attackers certainly don’t limit their focus to financial services. Other industries, including education, healthcare, and manufacturing, are also at high risk. However, there are unique aspects of the financial sector that make it a popular target of attacks.

Potential for Big Money

While the threat of ransomware to financial services might be a complex issue, the reason behind it is straightforward: money. Banks and other financial institutions deal with millions, billions, or even trillions of dollars on a consistent basis. This makes them prime targets for cyber gangs whose only priority is to identify victims with vulnerabilities and big payouts.

Sensitive Data

To break the threat down a bit more, consider all of the types of personal data that you provide to financial services like your bank. At some point, you have most likely provided at least some of the following information:

  • Checking and savings account numbers
  • Credit card numbers
  • Social security numbers
  • Estate documents
  • Wills
  • Titles

This list is just a sampling of all of the data and documents that these institutions store electronically. Imagine what a bad actor could do with access to the information belonging not only to you but also to thousands of other customers.

Growth in Digital Transactions

Another key reason why organizations in the financial sector are popular targets for ransomware is because of the growing popularity of digital transactions. While most businesses perform at least some activity and sales online, financial institutions have an enormous attack surface because of the number of people who do their business online and the variety of activities that occur.

As of 2022, 78% of people in the United States prefer digital services to a traditional visit to the local bank, a number that has steadily increased over the past several years. This means a rise in the amount of information flowing online, presenting a unique challenge to financial institutions that have to take deliberate steps to properly secure digital assets.

Which Financial Services Businesses Need to Worry About Ransomware?

If you’re wondering if your financial institution needs to worry about ransomware, the short answer is yes. Every business in the financial sector should be concerned about the threat of a ransomware attack and the resulting disruption to business continuity.

Previous attacks have proven how a single attack can have a ripple effect across thousands of other businesses. This has the potential to spur a financial panic that could reverberate across the globe.

A recent Federal Reserve report also expressed serious concerns about smaller businesses, including community and regional banking organizations. While they may not be the highest-paying targets of ransomware attacks, many of them lack the resources to implement protection and response systems that can adequately cope with the rapidly evolving threats developed by powerful cyber gangs.

How Can Banks Protect Themselves From Ransomware Attacks?

At this point, the prospect of financial services ransomware may sound dire and even inevitable. However, businesses can employ practices that allow them to not only prevent but also properly respond to ransomware attacks.


It’s essential for banks and other financial institutions to put into place a carefully considered plan for ransomware prevention. This includes elements like:

  • Cybersecurity training: Phishing is one of the three most common attack vectors for ransomware. With proper training, businesses can empower employees with the skills they need to identify suspicious messages and URLs, reducing the risk of this particular form of attack.
  • File-access restrictions: Businesses sometimes give too many users access to files that they don’t need, which places a higher quantity of data at risk should an infection occur. Only grant each user access to the files that they require for their day-to-day responsibilities.
  • Firewalls, filters, and anti-malware: These systems should do the heavy lifting of preventing ransomware and other threats from entering your network. If a malicious file manages to sneak its way into your system, a strong anti-malware solution can stop the threat in its tracks.
  • Patches and updates: Outdated or unpatched systems serve as welcome mats for ransomware attacks. Even systems that are viewed as more secure are vulnerable to threats like Linux ransomware if they are not regularly patched and updated.

Financial institutions should not only use these measures to lower the risk of an attack but also regularly monitor news about newly-developed ransomware threats.


In a perfect world, businesses could prevent every attack. Unfortunately, ransomware constantly evolves, making it more sophisticated and capable of evading previously effective systems of protection. If your business does find itself in the grips of a ransomware attack, there are some important steps to take in response:

  • Avoid paying the ransom: The Federal Bureau of Investigation (FBI) strongly recommends that businesses not make ransom payments because there is no guarantee that data will be restored and it encourages further attacks. Ransom payments can also have other negative effects, including sanctions and increased cyber insurance rates.
  • Report the attack: Businesses in the financial sector are under strict regulations related to data privacy and can face severe fines if they do not report an attack when it occurs. Make sure that you quickly notify the proper authorities if your system is breached.
  • Rely on robust disaster recovery solutions: An effective business continuity and disaster recovery (BCDR) system is essential for businesses to recover from a ransomware attack. BCDR solutions with features like backup virtualization and Rapid Rollback can help minimize downtime and data loss. Smaller businesses with limited resources can implement cost-saving solutions with smaller storage capacities to achieve equal levels of protection.

Businesses in the finance industry may not be able to evade every attack, but with careful planning, they can help mitigate the effects of ransomware and data loss.

How Can Businesses Learn More About Financial Services Ransomware?

The world of financial services ransomware changes quickly and constantly, and it’s natural to suffer from information overload. If your bank or financial institution does not have an effective system of data backups and ransomware protection in place, this is the perfect time to get started. Contact the disaster recovery experts at Invenio IT to learn more about the best BCDR solutions on the market.

Get the Ultimate Cybersecurity Handbook for Employees
Invenio it logo

Join 23,000+ readers in the Data Protection Forum

Related Articles