Ransomware Groups Intensify Attacks on Financial Sector, 406 Incidents Exposed

The financial sector emerged as a prime target for cybercriminals, with Flashpoint analysts documenting 406 publicly disclosed ransomware attacks, accounting for seven percent of all known ransomware victim listings in that period.

This persistent onslaught underscores the sector’s enduring allure for threat actors, driven by the high value and criticality of financial institutions’ operations, their rich troves of transactional records, and volumes of confidential customer data.

While ransomware incidents continue to grab headlines, analysts warn that these represent only a fraction of the threat landscape.

The financial industry is increasingly contending with the growing sophistication of Advanced Persistent Threat (APT) groups, third-party compromises, the bustling black market for initial access credentials, insider threats, and the rapid evolution of fraud techniques such as deepfakes and impersonation.

The high stakes and interconnectedness of financial entities with broader economic infrastructure only amplify the potential fallout of such incidents, both for the organizations directly targeted and for their extended network of clients and partners.

Prolific Threat Actors Emerge as Top Adversaries

Several ransomware and financially motivated groups have risen to prominence over the past year. RansomHub, which entered the ransomware-as-a-service (RaaS) ecosystem in early 2024, rapidly became the second-most active such group, targeting 38 financial organizations.

Their tactics leverage phishing campaigns and exploits of known vulnerabilities, and they have also directed attacks at sectors like healthcare.

Akira, active since March 2023, executed 34 attacks on financial organizations within the assessment period.

Possibly linked to remnants of the Conti ransomware group, Akira favors initial access routes such as compromised credentials, VPN, and RDP vulnerabilities, often employing double extortion models: exfiltrating data prior to encryption and demanding ransom for both decryption and non-disclosure.

LockBit, a longstanding RaaS threat since 2019, claimed 29 financial sector victims.

Its operators utilize a variety of entry points, from phishing and vulnerability exploitation to compromised remote services.

LockBit notably asserted it had infiltrated the US Federal Reserve in June 2024, posting data purportedly exfiltrated from the institution, though subsequent analysis attributed the breach to Evolve Bank & Trust instead.

Other major actors include FIN7, which has pilfered vast sums through attacks on interbank transfer systems, ATM networks, and POS terminals using sophisticated phishing and infrastructure compromise; Scattered Spider, notorious for SMS phishing and inventive credential theft via fake SSO pages; and the North Korean-backed Lazarus Group, which targets both cryptocurrency exchanges and conventional financial institutions with spear-phishing, malware-laden image files, and watering-hole attacks.

Expanding Attack Vectors and New Forms of Fraud

Beyond direct system breaches, financial institutions have faced mounting risks from third-party and supply chain compromises.

High-profile examples, such as Clop ransomware’s exploitation of the MOVEit vulnerability in late 2024, demonstrate the systemic risk posed by vulnerable vendors.

Meanwhile, initial access brokers (IABs) are thriving, with 6,406 forum posts related to financial sector access listings recorded by Flashpoint in the past year, offering compromised credentials and entry points to wider criminal networks.

Insider threat remains a persistent concern, with messaging platforms like Telegram emerging as key forums for recruiting insiders willing to facilitate unauthorized data access or compromise systems.

The proliferation of AI-driven fraud techniques, particularly deepfakes, marks a concerning trend: threat actors are leveraging increasingly realistic synthetic audio and video to bypass identity verification and commit fraud.

In the past twelve months, analysts observed over 1,200 posts discussing impersonation strategies within finance-focused Telegram channels.

As financial institutions continue to modernize and integrate digital solutions, Flashpoint’s analysis suggests their exposure to a widening array of cyber threats is likely to persist.

Comprehensive intelligence and resilient security strategies remain essential while the sector stays firmly in the crosshairs of some of the world’s most sophisticated cybercriminal groups.

Mandvi is a Security Reporter covering data breaches, malware, cyberattacks, data leaks, and more at Cyber Press.
