2026 Financial Services Report:
The Dual Storm of Ransomware and Vendor Ecosystem Risk
By the Black Kite Research Group™
EXECUTIVE SUMMARY
Ransomware and Supply Chain Risk in Financial Services
The threat to financial institutions no longer comes from a single direction.
Direct ransomware attacks on the financial sector are rising again, but this is only one of the two pressures the industry now faces.
The second is structural and harder to see in headline incident counts: supply chain risk. The vendor ecosystem on which financial institutions depend has grown measurably more vulnerable in the past year.
Scope of Vendor Risk Analysis
The Black Kite Research Group™ analyzed three vendor populations:
The Top vendors most relied upon by financial institutions
The vendors whose client base is meaningfully concentrated in finance
A representative sample set of more than vendors monitored by Black Kite's financial customers
Concurrent with the rise in direct attacks, the vendor ecosystem has grown measurably vulnerable.
Across the representative sample set, half carry critical vulnerabilities (CVSS ≥ 8) and a third carry actively exploited weaknesses listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.
The Breaking Point of Traditional Perimeter Defense
The traditional defense approach, which is built on the assumption that hardening the perimeter would secure the systems behind it, is breaking down. Investing in internal defenses does not shield a financial institution from the vulnerabilities carried by the vendors it depends on. The financial sector's defensive maturity is, in large part, a product of wide-ranging regulations. The vendors serving the sector face no comparable pressure, and the gap between the two has become the most exploitable seam in the ecosystem.
A Pivot from Tactical Problem to Structural Crisis
Last year’s report documented a single, defining shift: direct ransomware attacks on the financial sector were declining, confirming that attackers had shifted their focus to the weaker third-party ecosystem.
The data in this 2026 report demonstrates that this reprieve has ended. Direct attacks are rising again and are occurring concurrently with a massive escalation of vendor vulnerabilities, moving the industry from a single-direction tactical problem to a two-front structural crisis.
This report explores how direct attacks and supply chain risk are now rising together. The old mental model of "strong banks, weak vendors" no longer captures the full picture.
Key Takeaways
1. Ransomware Returns to Finance
Direct ransomware attacks on financial institutions resumed their upward trajectory in 2025 after a brief decline the year before. Reported incidents rose from 156 in 2024 to 202 in 2025, a 30% increase that reversed the gains of the previous year and signaled the end of finance's short defensive reprieve. Early 2026 data points to further acceleration: 65 incidents recorded in the first quarter alone, exceeding Q1 2025 by 76%.
[Figure: Ransomware Attacks on Financial Institutions (2024, 2025, increase; Q1 2026, increase over Q1 2025)]
2. Vendor Risk Is a Sector-Wide Threat
One vendor breach can compromise an entire national financial sector. In September 2025, Qilin's compromise of a single South Korean MSP cascaded into 32 financial institutions and over 2 terabytes of stolen data, making South Korea the second-most-targeted country for finance ransomware that year.
[Figure: vendor breached, financial institutions impacted, terabytes of stolen data]
3. A Reorganized Threat Ecosystem
The dismantlement of major ransomware groups did not reduce the threat; it rerouted it. Operators from disrupted groups have rebuilt under new banners, and emerging actors such as Qilin, Akira, and Kill Security have rapidly filled the vacuum, with Qilin alone responsible for 59 finance-sector incidents in the past year.
[Figure: Ransomware group, victims in financial services]
4. Vendor Vulnerabilities Multiply
Critical weaknesses across the vendor ecosystem serving finance have grown sharply in a single year. The number of vendors carrying CVEs with a CVSS score of 9 or higher rose from 15 to 73 across the 140 vendors most concentrated in finance, and those exposed to vulnerabilities with a CVSS of 8 or higher nearly tripled, moving from 31 to 87.
[Figure: Vendors with Critical CVEs and Vendors with High CVEs (2024, 2025, increase)]
5. Active Exploitation at Scale
Vendor exposure is no longer theoretical. More than half of Black Kite's 140-vendor sample, 76 in total, carry at least one vulnerability listed in CISA's Known Exploited Vulnerabilities (KEV) catalog. These are vulnerabilities actively weaponized in real-world attacks.
[Figure: Vendors with Exploited Vulnerabilities]
6. The Most Common Weaknesses Are the Most Preventable
The two most widespread weaknesses across vendors serving finance are also among the easiest to address. Critical-level patch management failures are present in 109 of the 140 vendors, more than any other control measured, and the same exposure spans 50.2% across the wider Black Kite ecosystem of more than 17,000 finance-related vendors.
Misconfigured email authentication shows the same gradient: 47 of the 140 vendors operate with misconfigured DMARC records and 37 with misconfigured DKIM
[Figure: Vendors with Patch Management Failures, Vendors with Misconfigured DMARC Records, Vendors with Misconfigured DKIM Records]

TABLE OF CONTENTS

01 | EXECUTIVE SUMMARY
Ransomware and Supply Chain Risk in Financial Services

02 | RANSOMWARE TRENDS
Ransomware Attack Trends in the Financial Sector

03 | THIRD-PARTY RISK
The Other Front: Third-Party Risk, Topline Metrics

04 | CASE STUDY 1
Korean Leaks: One MSP, 32 Financial Firms

05 | VENDOR POSTURE
The Anatomy of Vendor Risk in Finance: Control-Level Findings

06 | CASE STUDY 2
Marquis Software: One Vendor, 74+ Financial Institutions

07 | NEXT STEPS
Vendor Risk Is Preventable

The financial sector faced a brief reprieve from ransomware in 2024, but it didn't last.
The next section breaks down exactly how and why attacks rebounded.