Why is ransomware in the financial industry surging?

Azeem Aleem, MD of UK and Northern Europe at Sygnia


It’s no surprise that the financial industry has always been a prime target for ransomware attacks, but over the past 12 months there has been a renaissance of ransomware breaches that has required the industry to double-down on its cybersecurity – particularly its digital forensics and incidence response. According to research, ransomware attacks have risen by 13% in the past year alone – an increase larger than the past five years combined.

With an unprecedented amount of highly valuable data – including authentication information of partners and customers – the opportunity to steal, extort and extort again is becoming far more frequent and common within the financial sector. This year alone, high-profile cybercriminal gangs like Clop, used it’s GoAnywhere attack to specifically target banks and financial services and it’s Progress Software-based MOVEit supply-chain attack also included multiple financial giants.

So what’s changed?

During the Pandemic, the global financial industry was forced to digitise the majority of its services to cater to those working from home and accelerate digital transformation plans to keep up with technology innovations in payment services, digital currencies, AI and more, that soared in demand following the crisis.

The need for speed can lead to mistakes – unpatched software, unremoved redundant legacy technology or when converging old and new technologies. All of which can create tiny backdoors of access for cybercriminals who are paying attention to undiscovered weaknesses within IT infrastructure. In fact, the financial sector experienced the second-largest share of COVID-19–related cyberattacks, behind the health sector, according to the Bank for International Settlements.

The proliferation of digital currencies has also made attacks all the more appealing to cyber criminals. More people are paying online and using cryptocurrencies than ever before. According to CoinMarketCap, there are also now approximately 22,932 cryptocurrencies in play today, with a total market capitalisation of $1.1 trillion – even the Bank of England is now considering the introduction of its own central bank digital currency (CBDC) as a way to offer more payment choices.

With a phenomenal amount of digital currencies to chase, it’s no surprise there is a glut in ransomware attack opportunities with cryptocurrency being the cybercriminals preferred payment method.  Earlier this year, Chainalysis reported that crypto payments to ransomware attackers hit $449.1 million in the first half of 2023, up $175.8 million from the same period in 2022.

The types of threats are up levelling too. While Business Email Compromise (BEC) attacks, where threat actors imitate c-level executives to trick employees into transferring large sums of money, remain popular – the delivery method is changing. Earlier this year, known threat actors, Casbaneiro, launched an attack against the financial sector in Latin America by changing the way in which it delivered its attack from emails equipped with a malicious PDF file to a legitimate HTML file that led to the installation of a Trojan horse.

Threat actors are continuously looking for ways to maximise their efforts. Once satisfied by stealing and encrypting data in a bid to double or triple extort, they are now threatening to take over entire systems and networks – knowing a financial crisis could impact livelihoods, whole markets and economies.

The notorious RagnorLocker ransomware gang snuck under the radar of more than 52 entities across 10 critical infrastructure sectors, including those involved in financial services, by using a particularly unique method: using a remote administration tool, Remote Manipulator System (RMS), as a ‘Command and Control’ mechanism to bypass security controls. The gang used another remote access tool, AnyDesk, to extract terabytes of sensitive data that was then held to ransom, not once but several times, for anywhere between a reported range of $5 – $70 million.

Enlisting the help of AI

The proliferation of advanced, publicly available AI tools, such as ChatGPT, to aid and automate customer services in the financial sector, is growing. Unfortunately, these tools are also introducing new risks by providing threat actors with the ability to scale and speed up their ransomware attacks – including crossing any potential language barriers. For example, lesser-skilled threat actors, particularly those that are not fluent in the English language, can use ChatGPT-like tools to launch more complex phishing campaigns. We have seen evidence of hyper-realistic deep fakes (audio and video) being used to lure recipients to willingly submit credentials or send money to a malicious actor by impersonating the CEO.

The lack of AI regulation is deeply problematic, since the emergence of generative AI could unknowingly provide additional access to the network, lead to the spread of disinformation and damage customer trust within the financial industry. Until we can create specific policies that enforce stringent controls around AI adoption – we need to approach such technologies with caution.

Strengthening cyber resilience with effective incidence response planning

Financial organisations have a greater responsibility to carefully assess any new technology before it is introduced to the network and in tandem, regularly update their security policies, permissions and controls to make it harder for threat actors to attack. This is where cyber resilience and incidence response readiness is key. Should an attack occur, they have the means to investigate, contain, remediate and recover quickly against the attack.

Incidence response readiness can effectively reduce the length of the attack. It enables financial organisations to run digital forensics to pin point the source of the attack, contain, respond and remediate – it should be viewed as a preventive method that’s equal in importance to keeping the lights on.

To help in creating a robust proactive incidence response plan, the financial sector must seek highly skilled teams that are well versed in investigating and protecting against major ransomware, corporate espionage, financial theft and even nation-state campaigns. Cyber threat negotiation experts are a critical part of this plan because they can offer the opportunity to delay the ransom and feedback critical information to your investigations team to map specific behaviours of the threat actor.

The negotiation team can support in-house security teams by uncovering the motives of the threat actor and the tools, tactics, and procedures (TTPs) that the attacker is using, in order to minimise the breach exposure time (BET) and then help to remediate and recover as a way to break the cycle of threats.

Considerations for incidence response planning include:

  • Reviewing your security stack from the ground up or enlisting the help of third party security experts who can see what you may not be seeing i.e what must be protected, and where your strengths and weaknesses lie to determine vulnerabilities.
  • Conducting an end-to-end evaluation of your incidence response approach, including mapping the crisis management discussion, developing the investigation process, containment, remediations, recovery and negotiation.
  • Simulating attacks against the network to stress test your environment and conducting regular table-top exercises so that teams understand the lines of communication to make a faster recovery.
  • Actively implementing patch management for endpoints, servers, and any new applications.
  • Applying network segmentation and creating protocols for separating the backup environment from the network.
  • Creating an incidence response playbook and communications plan that prepares all employees on what to do in the case of an attack, as well as the roles, responsibilities and expectations of heads of departments.


Explore more