Meeting the demands of modern digital-oriented customers has resulted in widespread digital transformation initiatives in the financial services industry. The new digital ecosystem harnesses microservices-based financial apps, mobile banking, cloud computing, and artificial intelligence. These activities alone increase cybersecurity risks, but those risks are amplified due to the nature of financial services.

Like healthcare, financial service providers collect and generate a lot of sensitive information about customers, markets, and new products. The threat of ransomware is so prevalent in this industry because hacking groups know that financial service providers have a huge incentive to pay the ransoms they demand. This article overviews the state of ransomware in finance by focusing on recent incidents, statistics, and mitigation strategies.

Ransomware in Financial Services: The Numbers

When asked to name the greatest threat to their companies and the wider financial system, the chief executives of Wall Street’s six largest banks gave “cybersecurity” as the most popular answer. An intriguing 2019 paper highlights the possibility of a “cyber run” where a serious and contagious bank run starts with a cyber attack on a large bank’s deposits.

While a ransomware attack might never inflict that level of damage on the financial system, the numbers show how serious the threat is for individual companies.

  • Double extortion ransomware attacks in the financial sector increased by up to 350 percent during Covid-19.
  • A 2019 report found that 90 percent of financial institutions responded that they’d been targeted by ransomware

Recent Ransomware Attacks on Financial Service Providers

Curo Fund Services, South Africa: January 2022

In early January 2022, Curo Fund Services, South Africa's largest investment administration provider, was impacted by a ransomware attack.  The company was unable to access its IT systems for almost a week.  While no client data was reported to have been accessed, the attack did adversely impact the company's operations

Bank Indonesia: January 2022

In January 2022, the bank reported that it has been hit by a ransomware attack that infected over a dozen computers. Bank Indonesia claimed that there were no impacts on operations as a result of the attack and that only "non-critical data" was stolen.  Shortly after the bank's public statement, the ransomware group Conti stated that they had approximately 14 GB of data that they would leak onto the dark web if the bank didn't pay the ransom being demanded.

CNA Financial, Chicago: March 2021

In March 2020, CNA Financial was hit by a sophisticated ransomware attack that blocked access to key systems and exfiltrated data. The company is one of the largest commercial insurers in the United States. The response to the attack involved shutting down systems to avoid further compromise. The IT system shutdown affected CNA Financial’s business operations for three days.

By first stealing data and then encrypting important systems, the perpetrators of the attack used the double-extortion technique to increase the likelihood of a payout. The group behind the attack, known as Phoenix, achieved its aim after media reports revealed CNA Financial stumped up an enormous $40 million ransom payment.

AXA, Multiple Locations: May 2021

The Asian division of insurance giant AXA became the victim of a ransomware attack that disrupted IT operations in Thailand, Malaysia, Hong Kong, and the Philippines. In the attack, the Avaddon ransomware group stole 3 terabytes worth of sensitive information, including passport copies, customer claims, illness reports, denied reimbursements, and records of payments to customers. This particular attack somewhat ironically occurred in the wake of an AXA announcement that it would no longer reimburse ransom payments on cyber insurance policies in France.

Avaddon ransomware typically gains an entry point to a network using phishing emails. The emails contain attachments with malicious code that executes on the opener’s computer and spreads. Avaddon is a ransomware-as-a-service group that disbanded in June 2021 due to pressure from US and Australian authorities.

Shirbit, Israel: December 2020

Shirbut is an Israeli insurance firm specializing in real estate, auto, and travel insurance. A group of threat actors known as Black Shadow managed to hack into the company’s network in December 2020 and began leaking stolen information online. A series of Tweets publicized the leaks with an eventual ransom demand of roughly $1 million to avoid further leaks.

According to a Shirbit statement at the time, the company had a full backup of its systems and data. The same statement conveyed confidence that the attack didn’t succeed in obtaining sensitive policyholder data.

Naz Sukhram, Canada: May 2021

In May 2020, local Canadian media reported that a small accounting firm named Naz Sukhram became the victim of a serious ransomware attack. Hackers stole around 5 gigabytes of internal company documents, including personal and customer data. Such a small-scale incident usually wouldn’t be worth covering except for two interesting aspects:

  1. The emergence of a new ransomware group
  2. The owner’s quotes

The threat actors were from a recently discovered group known as Grief. According to a statement by an anonymous Grief member, the gang does not plan to enter into protracted negotiations with victims. Grief wants victims to pay up rapidly or else suffer the release of stolen data. New groups will continue to emerge as along as ransomware remains a lucrative form of cyber attack.

According to the firm’s owner, “We thought we were a small company and would not get hit.” This response shows that there’s a perception among SMBs that only large companies get hit by ransomware because those incidents tend to make the headlines. The harsh truth is that companies of all sizes in every industry are targets. Basic security awareness can go a long way towards reducing risks for smaller companies.

Ransomware Mitigation

The following four ransomware mitigation strategies can provide a good platform from which financial services organizations can reduce their individual risks. These strategies can also reduce the wider systemic risks associated with ransomware attacks on the financial sector.

1. Prevention

Prevention is the first and most effective line of defense against ransomware attacks. Your prevention strategy should be multi-faceted with a focus on both tools and people. Building a security-first culture and providing ongoing training is important for ensuring employees remain vigilant and human error is reduced.

However, with ransomware attacks becoming more sophisticated, phishing emails and other forms of social engineering are harder to detect. Advanced tools, such as email security solutions that can detect suspicious emails, can prove invaluable in preventing the initial entry into your network.

2. Swift Detection and Response

Financial companies should have in place solutions that provide deep visibility into their networks so that they can swiftly detect malware propagating through the network. Behavioral-based solutions leveraging AI can come in useful.

Rapid response is also critical. Security teams should be able to effectively investigate genuine threats and orchestrate incident response workflows to contain the damage. The aim is to limit or prevent operational disruption to key financial services and to limit any compromise of sensitive data.

3. Backup Strategy

Whether a financial services company is targeted with encryption-only ransomware or double extortion ransomware, an effective backup strategy is always helpful. Even in the worst outcome where sensitive data is first exfiltrated before systems are encrypted, having backups in place can minimize downtime for important customer-facing services. A disaster recovery plan complements the backup plan by specifying how to restore compromised systems or assets to a functioning state as quickly as possible.

4. Build Operational Resilience

Operational resilience means architecting and protecting your network in such a way that you can continue to provide mission-critical financial services to customers even after a disruptive ransomware attack. It’s more difficult to achieve resilience than mere recovery from ransomware, however, given the nature of financial services, it’s important to strive for resilience.

New rules are coming into effect in the UK requiring financial services providers to demonstrate a good level of operational resilience in the face of the cyber threat landscape. In October 2020, the US Federal Reserve released a paper on sound practices for strengthening operational resilience. The practices revolve around topics such as proper governance, risk management, scenario analysis, and business continuity management.


Ransomware attacks on financial services organizations are not going away. The CNA Financial incident alone resulted in a ransom payout that was ten times higher than the much-publicized Colonial Pipeline attack.

Financial institutions around the world will remain firmly in the sights of threat actors some of whom will inevitably think big and seek to threaten the integrity of or bring down the entire financial system. By investing in a proper ransomware mitigation strategy, ransomware risks can be managed and dramatically reduced within the financial sector.

To learn more about IRONSCALES’ award-winning anti-phishing solution, please sign up for a free trial today.

This blog was updated in June 2022

September 22, 2021