Ransomware in Financial Services: 2026 Insights & Cybersecurity Guide


Ransomware in financial services has escalated into a high-stakes extortion game, with median ransom demands surging to $3 million – higher than all other industries, according to a recent survey by cybersecurity firm Sophos.

But there are some signs that banks are strengthening their defenses.

Here’s what we know about the most recent ransomware attacks on the finance sector, how they’re getting more aggressive – and how these organizations are getting better at bouncing back.

 

Financial services organizations have been a top target for ransomware attackers over the last few years, along with other industries like healthcare and manufacturing. The latest data suggests these attacks aren’t slowing down any time soon.


Key insights for 2026


Here are some of the key takeaways from Sophos’s most recent survey of more than 360 IT and cybersecurity professionals in the financial services sector:  

  • Record-high median ransom demands of $3 million, making financial services the most heavily targeted sector for large payouts.
  • 59% of financial services organizations hit by ransomware said their data was successfully encrypted, up from 49% a year prior.
  • 38% of finance companies managed to stop an attack before data was locked.
  • In 31% of financial services cyberattacks involving ransomware, the attackers also stole data in addition to encrypting it.
  • Exploited vulnerabilities were the most common root technical cause of attacks (40%), suggesting a critical need to address security gaps.


The new report shows a continued, troubling trend for banks, investment firms and other financial services organizations. However, the findings also reveal some bright spots, as we outline below.


Silver linings

  • Recovery costs plummeted by 33%: The average cost to rectify an attack (excluding the ransom) fell to $1.74 million, the lowest point in three years.
  • Downtime is shrinking: 57% of financial organizations fully recovered within a week, up from 46%.
  • Firms are resisting demands: Despite initial ransom demands surging by 50%, the median amount financial organizations actually paid only rose by 5%.
  • Data recovery is improving: 97% of financial providers that had data encrypted were ultimately able to get it back.


Rate of ransomware in financial services by year

Determining the exact prevalence of ransomware in financial services is difficult, because banks don’t report every attack. As such, Sophos no longer reports the overall industry rate of attacks. However, it does publish the rate of data encryption from ransomware among survey respondents, which hit 59% last year for financial companies:

  • 2025*: 59%
  • 2024: 65%
  • 2023: 64%
  • 2022: 55%
  • 2021: 34%
  • 2020: 48%

*Financial services organizations that reported their data was encrypted by ransomware. 


How does this compare to attacks in other industries?

In terms of data encryption from ransomware, the financial services industry was among the hardest hit in 2025 at 59%, above the 50% average rate across all industries.

Percentage of organizations, by industry, that reported data encryption from ransomware in the previous year:

  • Federal government: 61%
  • Healthcare: 34%
  • Energy: 29%
  • Financial services: 59%
  • Manufacturing: 40%
  • Media & entertainment: 41%
  • Construction: 57%
  • Distribution: 64%
  • Retail: 48%
  • State & local government: 59%

In total, Sophos’s 2025 cross-industry report was based on an independent survey of 3,400 IT & cybersecurity professionals for companies located across 17 countries, conducted between January and March 2025. Findings for financial services were based on a segment of 360 respondents specifically from that industry.




Why are they attacking finance?

Simply put: attackers go where the money is. More precisely, they hit the industries that are most likely to meet their ransom demands. That means going after companies that can’t afford to lose their data or suffer an extended disruption to their operations.

Financial services is by far the most lucrative sector in the United States, according to data from IBISWorld. But if an attack compromises critical files or its customers’ sensitive information, the consequences can be costly. Data recovery alone can be expensive, as we note below, especially if a company’s data backups are unreliable. Plus, there’s a risk of litigation, government intervention and long-term reputational damage. Add that to the cost of service outages caused by the ransomware and these attacks can easily balloon to several million dollars.

Attackers know that financial companies will be more willing to pay the ransom to restore their data back to normal. They also know that these companies have the resources to meet larger demands. This makes the industry a hot target, especially when financial institutions continue to pay up.

Ransomware Self-Assessment Tool for Banks

Due to the heightened risk of ransomware attacks in financial services, government agencies have created a ransomware self-assessment tool to help banks and non-banks identify gaps in their security.

Developed in collaboration with the Bankers Electronic Crimes Taskforce, state financial regulators and the United States Secret Service, the assessment includes 16 questions designed to help organizations evaluate the effectiveness of their efforts to prevent and recover from an attack.

 

What are the root causes of successful cyberattacks on banks?

In its 2025 ransomware report, Sophos identified the top 2 operational root causes of bank ransomware attacks as follows:

  • 66% of respondents in financial services said the root cause was “lack of (or poor-quality) protection,” such as not having adequate cybersecurity systems.
  • 67% of respondents in financial services also cited security gaps (known or unknown) – i.e. a weakness in their defenses that they were not aware of.

These statistics point to the growing sophistication of attacks – and the inability of banks to keep up with the evolving threat landscape. However, ransomware attackers also infiltrate financial institutions in several distinct ways.

Sophos reported the top technical causes of ransomware attacks in finance as:

  • Exploited vulnerability: 40%
  • Malicious email: 23%
  • Compromised credentials: 19%
  • Phishing: 13%
  • Brute force attack: 3%

Several of these top causes ultimately fall under human error:

  • Compromised credentials: These often stem from weak passwords or mishandling of the credentials (such as using the same password for multiple logins). Lax security policies can also be the core underlying reason for account vulnerabilities.
  • Malicious email and phishing: Both rely on user deception, fooling the user into clicking a link or downloading an attachment.


These figures underscore the importance of implementing routine cybersecurity training, in addition to strong security software and access controls.


Do financial organizations pay the ransom?

Yes, 67% of finance companies said they paid a ransom to get their data back after a ransomware attack – up from 51% the year before.

As a rule of thumb, federal authorities strongly advise all organizations not to pay the ransom, except as a last resort. Paying the attackers fuels the growth of the ransomware market, making it worse for everyone. Also, some attackers will gladly take the money without ever decrypting data as promised, resulting in a steep financial loss for the victim.


How much do banks pay their attackers?

Among the financial organizations that reported paying a ransom to retrieve their data, the average payment was $3 million – a 50% increase from the previous year. 32% of ransom demands were for $1 million or more, while 36% of demands were $5+ million.

It’s important to note that many companies do not share information about their ransom payments. In many cases, it’s in their best interest not to report the attack at all. In Sophos’s survey, only 147 financial organizations were willing to share the ransom amounts they paid. $3 million was the median payment amount among those companies.


What about data backups?

Backups are an essential layer of data protection for financial services firms, ensuring they can restore systems that have been encrypted by ransomware. 44% of financial organizations said they used backups to successfully restore data after a ransomware attack, down from 62% in 2024.

This is an encouraging figure, but it also means that a significant percentage of banks were unable to restore their data from a backup (or they retrieved the data via other methods, such as by paying the ransom). This is why it’s critical for banks to use dependable disaster recovery systems, like Datto BCDR, to ensure that encrypted data can be quickly recovered.


How much are the recovery costs for financial companies?

Not surprisingly, ransomware attacks on financial institutions are extremely costly. In 2025, financial organizations shelled out an average of $1.74 million to fully recover after a ransomware attack, down from $2.58 million in 2024.

This figure does not include any ransom payments, which represent only a fraction of the total recovery costs for most organizations. Ransomware attacks can cause operational downtime, idled workers, hardware malfunction/replacement, lost revenue/growth opportunities and long-term reputational damage, all of which can be enormously costly.


How long did recovery take?

Financial services companies with robust backup systems are sometimes able to fully recover in less than a day. But not all organizations are so fortunate, as illustrated by the figures below. 

Full recovery time reported by financial organizations:

  • Less than a day: 10%
  • Up to a week: 47%
  • Up to 1 month: 26%
  • 1-3 months: 16%
  • 3-6 months: 1%

 

Recent financial services cyberattacks

1) The Marquis Software Supply Chain Attack

In August 2025, Marquis Software—a vendor that provides data analytics and communication software to financial institutions—suffered a major cyberattack, which affected at least 74 banks and credit unions across the United States.

What we know:

  • While initial reports were unclear on victim counts, regulatory filings and researchers in March 2026 revealed that the breach exposed the personal and financial information of between 672,000 and 1.35 million people.
  • Data was also stolen during the breach, including highly sensitive personal information like Social Security numbers, Taxpayer Identification Numbers, and financial account details.
  • While no ransomware gang took public credit for the attack, a breach notification letter from Iowa-based Community 1st Credit Union indicated that Marquis Software paid a ransom to the attackers.

Source: Recorded Future News

2) Fog ransomware hits Asian bank system

In May 2025, a ransomware attack on an unnamed Asian financial institution revealed that attackers were using Fog ransomware to exploit a legitimate employee monitoring system known as Syteca (formerly Ekran), according to researchers at Symantec.

What we know:

  • While several details of the incident are unknown, such as the name of the financial institution, researchers say the attack methods were something they had never before seen in a ransomware attack.
  • Researchers believe that Syteca was used to harvest users’ credentials for about 2 weeks prior to deploying the ransomware, as the software is ordinarily used by companies to monitor employees’ keystrokes and other on-screen activity.
  • Attackers also leveraged other open-source penetration-testing tools, including GC2, Adaptix and Stowaway – which adds to the unusual, sophisticated nature of the attack.

Source: Symantec

3) C-Edge ransomware impacts 300 banks

In 2024, nearly 300 banks in India were forced to shut down temporarily due to a ransomware attack on C-Edge Technologies, which provides banking systems to small financial services companies across the country.

What we know:

  • The attack on C-Edge led to payment systems being shut down for hundreds of mostly small, rural banks across India.
  • To isolate the attack, National Payments Corporation of India (NPCI) immediately blocked C-Edge from accessing all retail payment systems operated by NPCI.
  • The attack was linked to the RansomEXX group, which infiltrated C-Edge through a third-party provider’s misconfigured server.

Source: Reuters

4) Play ransomware takes down large Spanish bank Globalcaja

Globalcaja – a leading Spanish bank with more than 300 branches across the nation – confirmed in June 2023 that it had suffered a ransomware attack. The attackers, known as the Play ransomware group, claimed they stole data in addition to encrypting it.

What we know:

  • In a statement, the bank said that computer systems at several of its locations were infected with ransomware.
  • The attack forced the bank to close some locations and “temporarily limit the performance of some operations.”
  • Hackers reportedly stole “private and personal confidential data,” including client and employee documents, passports and contracts.

Source: Recorded Future


What is the best protection against bank ransomware?

Defending against bank ransomware requires a multilayered security strategy that not only prevents the malware from taking root but also enables banks to rapidly recover any infected data from backups. Essential components of this security strategy include:

1) Cybersecurity solution: Financial institutions of any size require comprehensive cybersecurity protection via a managed threat detection and response solution such as RocketCyber MDR. (See RocketCyber pricing.) This provides robust, active response to emerging threats, backed by human analysis.

2) Data backup: Banks must deploy an advanced data backup solution that enables round-the-clock backups and fast recovery of infected data via an array of restore options, from file/folder-level restore to full system virtualization and bare metal recovery. (Our pick: Datto SIRIS BCDR.)

3) Employee training: All bank employees should be thoroughly trained on the tactics used by ransomware attackers and how to spot them, such as phishing emails. A cybersecurity awareness platform like BullPhish ID is strongly recommended to automate this training at all levels of the organization and to test users with realistic phishing simulations. (Request BullPhish ID pricing.)


Conclusion

Ransomware attacks in financial services are both common and costly, with 59% of surveyed organizations saying their data was encrypted by ransomware within the last year. However, companies can significantly curb the impact of a ransomware attack with stronger disaster recovery systems and preventative measures.

In research by Sophos, the majority of reported attacks were linked to human error, including compromised credentials, phishing attacks and malicious email. This suggests there is a lot of room for improvement in implementing user training that educates employees on safe practices for email/web and how to identify suspicious messages.

Additionally, financial service organizations can dramatically accelerate recovery time by implementing a robust data backup system. Data backups allow companies to restore encrypted files back to a clean state, thus minimizing operational disruption and eliminating the need to pay a ransom.


Don’t leave your data at risk

Strengthen your bank’s ransomware defenses with dependable data BC/DR solutions from Datto. Explore Datto backup solutions or schedule a call with one of our data protection specialists at Invenio IT for more information. You can also reach us by calling (646) 395-1170 or emailing success@invenioIT.com.
