Ransomware attacks in finance continue to increase, according to a new report from cybersecurity firm Sophos. In a survey of more than 300 IT and cybersecurity professionals in the financial services industry, 65% said they were hit by ransomware in the past year – up from 64% in 2023.
Financial services organizations have been a top target for ransomware attackers over the last few years, along with other industries like healthcare and manufacturing. The latest data suggests these attacks aren’t slowing down any time soon.
Key findings from the 2024 report:
- Highest-ever rate of ransomware attacks in the financial services industry (since Sophos began tracking the figure)
- 49% of financial services organizations hit by ransomware said their data was successfully encrypted
- 46% of finance companies managed to stop an attack before data was locked
- In 33% of attacks, the attackers also stole data in addition to encrypting it
- Compromised credentials were the most common root cause of attacks, suggesting there are still more opportunities to strengthen user training, access controls and disaster recovery solutions.
The new report reveals a continued, troubling trend for banks, investment firms and other financial services organizations, which have struggled to curb the onslaught of attacks in recent years. However, it’s not all bad news, as we illustrate below.
Silver linings
- Financial companies are getting much better at stopping attacks before data is encrypted: 46% in 2024 vs. 14% in 2023.
- Much fewer attacks are resulting in data encryption overall: only 49% in 2024, down from 81% in 2023.
How many ransomware attacks hit financial services?
Getting the total number of ransomware attacks in finance (or any industry) is difficult, because many attacks are unreported. But the Sophos report helps to shed light on how common these attacks are – and which direction they’re trending.
The chart below represents the yearly percentages of financial companies that stated they had been hit by ransomware in the previous year:
| Year | 2024 | 2023 | 2022 | 2021 | 2020 |
| --- | --- | --- | --- | --- | --- |
| Hit by ransomware in the previous year | 65% | 64% | 55% | 34% | 48% |
Excluding the downtick in 2021, the rate of attacks on financial services has been increasing every year. Nearly 2 out of 3 finance companies were attacked within the last year. This rising rate of attacks should be a red flag to the entire industry. For companies that are fortunate to have avoided an attack thus far, it’s likely only a matter of time before an infection slips through.
How does this compare to attacks in other industries?
The financial services industry was hit harder in 2024 than the cross-industry average: across all industries, 59% of respondents said they were hit by ransomware last year, vs. 65% in finance. Here’s what the numbers look like across other top-targeted industries.
Percentage of organizations hit by ransomware in the previous year:
| Industry | Hit by ransomware |
| --- | --- |
| Federal government | 68% |
| Healthcare | 67% |
| Energy | 67% |
| Financial services | 65% |
| Manufacturing | 65% |
| Media & entertainment | 62% |
| Construction | 62% |
| Distribution | 60% |
| Retail | 45% |
| State & local government | 34% |
In total, Sophos’s 2024 report was based on an independent survey of 5,000 IT and cybersecurity professionals at companies located across 14 countries, conducted between January and February 2024. Findings for financial services were based on a segment of 592 respondents specifically from that industry.
Why are they attacking finance?
Simply put: attackers go where the money is. More precisely, they hit the industries that are most likely to meet their ransom demands. That means hitting companies that can’t afford to lose their data or suffer an extended disruption to their operations.
Financial services is by far the most lucrative sector in the United States, according to data from IBISWorld. But if an attack compromises critical company files or its customers’ sensitive information, the consequences can be costly. Data recovery alone can be expensive, as we note below, especially if a company’s data backups are unreliable. Plus, there’s a risk of litigation, government intervention and long-term reputational damage. Add that to the cost of service outages caused by the ransomware and these attacks can easily balloon to several million dollars.
Attackers know that financial companies will be more willing to pay the ransom to restore their data back to normal. They also know that these companies have the resources to meet larger demands. This makes the industry a hot target, especially when financial institutions continue to pay up.
Ransomware Self-Assessment Tool for Banks
Due to the heightened risk of ransomware attacks in financial services, government agencies have created a ransomware self-assessment tool to help banks and non-banks identify gaps in their security. Developed in collaboration with the Bankers Electronic Crimes Taskforce, state financial regulators and the United States Secret Service, the assessment includes 16 questions designed to help organizations evaluate the effectiveness of their efforts to prevent and recover from an attack.
How do attackers infiltrate financial institutions?
Even with cybersecurity systems implemented, financial organizations remain vulnerable to a variety of methods employed by ransomware attackers.
Top causes of ransomware attacks in finance, according to Sophos:
| Root cause | Share of attacks |
| --- | --- |
| Compromised credentials | 30% |
| Exploited vulnerability | 27% |
| Malicious email | 27% |
| Phishing | 12% |
| Brute force attack | 2% |
Several of these top causes can be attributed to human error:
- Compromised credentials: These often stem from weak passwords or mishandling of the credentials (such as using the same password for multiple logins). Lax security policies can also be the core underlying reason for account vulnerabilities.
- Malicious email and phishing: Both rely on user deception, fooling the user into clicking a link or downloading an attachment.
These figures underscore the importance of implementing routine cybersecurity training, in addition to strong security software and access controls.
Do financial organizations pay the ransom?
Some do: 18% of finance companies said they paid a ransom to get their data back after a ransomware attack. This is a significant improvement over previous years, when more than 40% of organizations said they paid up.
As a rule of thumb, federal authorities strongly advise all organizations not to pay the ransom, except as a last resort. Paying the attackers fuels the growth of the ransomware market, making it worse for everyone. Also, some attackers will gladly take the money without ever decrypting data as promised, resulting in a steep financial loss for the victim.
How much do they pay?
Among the financial organizations that reported paying a ransom to retrieve their data, the average payment was $3.3 million. 58% of ransom demands were for $1 million or more, while 38% of demands were $5+ million.
It’s important to note that many companies do not share information about their ransom payments. In many cases, it’s in their best interest not to report the attack at all. In Sophos’s research, only 90 financial organizations shared the ransom amounts they paid. $3.3 million was the mean payment amount among those 18 companies.
What about data backups?
A robust data backup solution is an essential layer of defense against ransomware. 62% of financial organizations reported that they used backups to successfully restore data after a ransomware attack.
This is an encouraging figure, but it also means that roughly 1 in 3 companies were still unable to leverage a backup (or they retrieved the data via other methods, such as by paying the ransom). This is why it’s essential for banks to use dependable backup systems, like Datto BCDR, to ensure that encrypted data can be quickly recovered.
How much are the recovery costs for financial companies?
Not surprisingly, ransomware attacks on financial institutions are extremely costly. In 2024, financial organizations shelled out an average of $2.58 million to fully recover after a ransomware attack, up from $2.23 million in 2023.
This figure does not include any ransom payments, which represent only a fraction of the total recovery costs for most organizations. Ransomware attacks can cause operational downtime, idled workers, hardware malfunction/replacement, lost revenue/growth opportunities and long-term reputational damage, all of which can be enormously costly.
In fact, even among companies that used backups to restore data, the average recovery cost reported in 2023 was still $375,000. Still, this was far cheaper than paying the ransom. Among financial institutions that paid a ransom to get their data back, the average recovery cost was $3 million.
How long did recovery take?
Financial services companies with robust backup systems are sometimes able to fully recover in less than a day. But not all organizations are so fortunate, as illustrated by the figures below.
Full recovery time reported by financial organizations:
| Recovery time | Share of organizations |
| --- | --- |
| Less than a day | 11% |
| Up to a week | 35% |
| Up to 1 month | 30% |
| 1-3 months | 20% |
| 3-6 months | 5% |
Recent ransomware attacks on financial institutions
1) C-Edge ransomware impacts 300 banks
In 2024, nearly 300 banks in India were forced to shut down temporarily due to a ransomware attack on C-Edge Technologies, which provides banking systems to small financial services companies across the country.
What we know:
- The attack on C-Edge led to payment systems being shut down for hundreds of mostly small, rural banks across India.
- To isolate the attack, the National Payments Corporation of India (NPCI) immediately blocked C-Edge from accessing all retail payment systems operated by NPCI.
- The attack was linked to the RansomEXX group, which infiltrated C-Edge through a third-party provider’s misconfigured server.
Source: Reuters
2) Globalcaja
Globalcaja – a leading Spanish bank with more than 300 branches across the nation – confirmed in June 2023 that it had suffered a ransomware attack. The attackers, known as the Play ransomware group, claimed they stole data in addition to encrypting it.
What we know:
- In a statement, the bank said that computer systems at several of its locations were infected with ransomware.
- The attack forced the bank to close some locations and “temporarily limit the performance of some operations.”
- Hackers reportedly stole “private and personal confidential data,” including client and employee documents, passports and contracts.
Source: Recorded Future
3) Cl0p ransomware / MOVEit Transfer exploit
The Cl0p ransomware group used a supply-chain attack in June 2023 to infiltrate numerous U.S. organizations, including at least 10 American banks and credit unions. The attack infiltrated organizations by exploiting a vulnerability in a popular third-party file-transfer tool, MOVEit, made by Progress Software.
What we know:
- The attack affected more than 90 organizations in total.
- Data was stolen in addition to being encrypted by the ransomware. Leaked data included users’ names, addresses, birthdates, Social Security numbers and more.
- Some of the financial institutions affected by the attack include 1st Source Bank, First National Bankers Bank and Putnam Investments, a Boston-based investment management firm.
Source: TechCrunch
Conclusion
Ransomware attacks in finance continue to rise, with 65% of organizations saying they were hit within the last year. The attacks are increasingly disruptive and costly, even when financial organizations are able to get their data back. However, companies can significantly curb the impact of a ransomware attack with stronger disaster recovery systems and preventative measures.
In research by Sophos, the majority of reported attacks were linked back to human error, including compromised credentials, phishing attacks and malicious email. This suggests there is a lot of room for improvement in implementing user training that educates employees on safe practices for email/web and how to identify suspicious messages.
Additionally, financial service organizations can dramatically accelerate recovery time by implementing a robust data backup system. Data backups allow companies to restore encrypted files back to a clean state, thus minimizing operational disruption and eliminating the need to pay a ransom.
Don’t leave your data at risk
Strengthen your organization’s ransomware defenses with dependable data BC/DR solutions from Datto. Explore Datto backup solutions or schedule a call with one of our data protection specialists at Invenio IT for more information. You can also reach us by calling (646) 395-1170 or emailing success@invenioIT.com.