Data Protection Tool

Ransomware attacks in finance hit new high (2024 report)

Picture of Dale Shulmistra

Dale Shulmistra

Data Protection Specialist @ Invenio IT


Ransomware Attacks

Ransomware attacks in finance continue to increase, according to a new report from cybersecurity firm Sophos. In a survey of more than 300 IT and cybersecurity professionals in the financial services industry, 64% said they were hit by ransomware in the past year – a significant jump from 55% in 2022.

Financial services organizations have been a top target for ransomware attackers over the last few years, along with other industries like healthcare and manufacturing. The latest data suggests these attacks aren’t slowing down any time soon.

Key findings from the 2023 report:

  • Highest-ever rate of ransomware attacks in the finance industry (since Sophos began tracking the figure)
  • 81% of financial services organizations hit by ransomware said their data was successfully encrypted
  • Only 14% of finance companies managed to stop an attack before data was locked
  • In 25% of attacks, the attackers also stole data in addition to encrypting it

The new report is a troubling sign for banks, investment firms and other financial services organizations, which have struggled to curb the onslaught of attacks in recent years.

However, the findings indicate that attackers are not always using more sophisticated methods to deliver ransomware. Human error remains a leading root cause of many attacks, suggesting there are opportunities to eliminate common vulnerabilities with stronger user training and disaster recovery solutions.

How many ransomware attacks hit financial services?

Getting the total number of ransomware attacks in finance (or any industry) is difficult, because many attacks are unreported. But the Sophos report helps to shed light on how common these attacks are – and which direction they’re trending.

This chart below represents the yearly percentages of financial companies that stated they had been hit by ransomware in the previous year:

2023 2022 2021 2020
64% 55% 34% 48%

Excluding the downtick in 2021, the rate of attacks on financial services has been increasing every year. Nearly 2 out of 3 finance companies were attacked within the last year. This rising rate of attacks should be a red flag to the entire industry. For companies that are fortunate to have avoided an attack thus far, it’s likely only a matter of time before an infection slips through.

How does this compare to attacks in other industries?

Despite the alarming rate of attacks, the financial services industry is actually doing slightly better than the cross-industry average. Across all industries, 66% of respondents said they were hit by ransomware last year vs. 64% in finance. Here’s what the numbers look like across other top-targeted industries.

Percentage of organizations hit by ransomware in the previous year:

Higher education 79%
Construction 71%
Federal government 70%
Media & Entertainment 70%
Local/state government 69%
Retail 69%
Financial services 64%
Healthcare 60%
Manufacturing 56%

In total, Sophos’s 2023 report was based on an independent survey of 3,000 IT & cybersecurity professionals for companies located across 14 countries, conducted between January to March 2023. Findings for financial services were based on a segment of 336 respondents specifically from that industry.

Why are they attacking finance?

Simply put: attackers go where the money is. More precisely, they hit the industries that are most likely to meet their ransom demands. That means hitting companies that can’t afford to lose their data or suffer an extended disruption to their operations.

Financial services is by far the most lucrative sector in the United States, according to data from IBISWorld. But if an attack compromises critical company files or its customers’ sensitive information, the consequences can be costly. Data recovery alone can be expensive, as we note below, especially if a company’s data backups are unreliable. Plus, there’s a risk of litigation, government intervention and long-term reputational damage. Add that to the cost of service outages caused by the ransomware and these attacks can easily balloon to several million dollars.

Attackers know that financial companies will be more willing to pay the ransom to restore their data back to normal. They also know that these companies have the resources to meet larger demands. This makes the industry a hot target, especially when financial institutions continue to pay up.

Feds warn financial industry about Dridex ransomware

Over the last few years, Cybersecurity experts have warned the finance sector about the danger of select types of ransomware and financial Trojans, such as Dridex. In 2020, the U.S. Cybersecurity & Infrastructure Security Agency (CISA) issued a statement to financial institutions about Dridex, stating:

“The Dridex malware, and its various iterations, has the capability to impact confidentiality of customer data and availability of data and systems for business processes … The primary threat to financial activity is the Dridex’s ability to infiltrate browsers, detect access to online banking applications and websites, and inject malware or keylogging software, via API hooking, to steal customer login information … We expect actors using Dridex malware and its derivatives to continue targeting the financial services sector, including both financial institutions and customers.”

How do attackers infiltrate financial institutions?

Even with cybersecurity systems implemented, financial organizations remain vulnerable to a variety of methods employed by ransomware attackers. Social engineering is the most common root cause, as it preys on human error to infiltrate organizations’ networks and file systems.

Top causes of ransomware attacks in finance, according to Sophos:

Exploited vulnerability 40%
Compromised credentials 23%
Malicious email 19%
Phishing 13%
Brute force attack 3%

At first glance, the most common root cause of attacks would appear to be exploited vulnerabilities. However, the next three causes on the list can all be attributed to human error:

  • Compromised credentials, for example, usually stem from weak passwords or mishandling of the credentials (such as using the same password for multiple logins).
  • Malicious email and phishing both rely on user deception, fooling the user to click a link or download an attachment.
  • Added together, 55% of financial companies said ransomware used one of these three methods.

Do financial organizations pay the ransom?

Yes, 43% of companies said they paid a ransom to get their data back after a ransomware attack. According to Sophos, this is only slightly better than the cross-sector figure of 46%. This indicates that financial institutions are largely just as willing as most other organizations to pay their attackers if it means restoring data faster.

As a rule of thumb, federal authorities strongly advise all organizations not to pay the ransom, except as a last resort. Paying the attackers fuels the growth of the ransomware market, making it worse for everyone. Also, some attackers will gladly take the money without ever decrypting data as promised, resulting in a steep financial loss for the victim.

How much do they pay?

Financial organizations paid an average of $1.6 million to their ransomware attackers in an attempt to retrieve their data. This represents a six-fold increase over the previous year’s average of $272,655. Additionally, the amount is more than $100,000 greater than the average amount paid by companies across all industries.

It’s important to note that many companies do not share information about their ransom payments. In many cases, it’s in their best interest not to report the attack at all. In Sophos’s research, only 18 financial organizations shared the ransom amounts they paid. $1.6 million was the average amount among those 18 companies.

What about data backups?

A robust data backup solution is an essential layer of defense against ransomware. However, not all companies are able to successfully restore their backups after a ransom attack, due to limitations in the backup system or other factors.

69% of financial organizations reported that they used backups to restore data after a ransomware attack. This is an encouraging figure, but it also means that more than 30% of companies were still unable to leverage a backup (or they retrieved the data via other methods, such as by paying the ransom).

How much are the recovery costs for financial companies?

Not surprisingly, ransomware attacks cost financial institutions more than most other industries. In 2023, financial organizations shelled out an average of $2.23 million to fully recover after a ransomware attack.

This figure does not include any ransom payments, which represent only a fraction of the total recovery costs for most organizations. Ransomware attacks can cause operational downtime, idled workers, hardware malfunction/replacement, lost revenue/growth opportunities and long-term reputational damage, all of which can be enormously costly.

In fact, even among companies that used backups to restore data, the average recovery cost was still $375,000. Still, this was far cheaper than paying the ransom. Among financial institutions that paid a ransom to get their data back, the average recovery cost was $3 million.

What was the impact on business/revenue?

80% of surveyed financial organizations said that ransomware hurt their business, with 46% saying they “lost a lot of revenue.” This is not surprising given the widespread disruption that ransomware can cause – and the time it takes for most companies to recover.

Financial services companies with robust backup systems are sometimes able to fully recover in less than a day. But not all organizations are so fortunate, as illustrated by the figures below.

Full recovery time reported by financial organizations:

Less than a day 11%
Up to a week 36%
Up to 1 month 31%
1-3 months 19%
3-6 months 3%

Recent ransomware attacks on financial institutions

1) Globalcaja

Globalcaja – a leading Spanish bank with more than 300 branches across the nation – confirmed in June 2023 that it had suffered a ransomware attack. The attackers, known as the Play ransomware group, claimed they stole data in addition to encrypting it.

What we know:

  • In a statement, the bank said that computer systems at several of its locations were infected with ransomware.
  • The attack forced the bank to close some locations and “temporarily limit the performance of some operations.”
  • Hackers reportedly stole “private and personal confidential data,” including client and employee documents, passports and contracts.

Source: Recorded Future

2) Cl0p ransomware / MOVEit Transfer exploit

The Cl0p ransomware group used a supply-chain attack in June 2023 to infiltrate numerous U.S. organizations, including at least 10 American banks and credit unions. The attack infiltrated organizations by exploiting a vulnerability in a popular third-party file-transfer tool, MOVEit, made by Progress Software.

What we know:

  • The attack affected more than 90 organizations in total.
  • Data was stolen in addition to being encrypted by the ransomware. Leaked data included users’ names, addresses, birthdates, social security numbers and more.
  • Some of the financial institutions affected by the attack include 1st Source Bank, First National Bankers Bank and Putnam Investments, a Boston-based investment management firm.

Source: TechCrunch


Ransomware attacks in finance continue to rise, with 64% of organizations saying they were hit within the last year. The attacks are increasingly disruptive and costly, even when financial organizations are able to get their data back. However, companies can significantly curb the impact of a ransomware attack with stronger disaster recovery systems and preventative measures.

In research by Sophos, 55% of reported attacks were caused by human error due to compromised credentials, phishing or malicious email. This suggests there is a lot of room for improvement in implementing user training that educates employees on safe practices for email/web and how to identify suspicious messages.

Additionally, financial service organizations can dramatically accelerate recovery time by implementing a robust data backup system. Data backups allow companies to restore encrypted files back to a clean state, thus minimizing operational disruption and eliminating the need to pay a ransom.

Don’t leave your data at risk

Strengthen your organization’s ransomware defenses with dependable data backup solutions from Datto. Request a free demo or speak to our experts at Invenio IT today. Call (646) 395-1170 or email

Get the Ultimate Cybersecurity Handbook for Employees
Invenio it logo

Join 23,000+ readers in the Data Protection Forum

Related Articles