Ransomware Attack Trends in the Financial Sector

Black Kite's dataset of finance-sector ransomware disclosures, drawn from public extortion sites and verified incident records, covers more than three years of activity. The three full years tracked fall into three distinct phases.

2023 produced

disclosures, more than half (56.2%) driven by three dominant groups.

In 2024, the count fell to

as law enforcement disrupted the most active operators.

By 2025

disclosures reached. The ecosystem had reorganized, and attacks resumed at a higher volume than before.

The first quarter of 2026 indicates that the rebound is continuing:

finance-sector disclosures are recorded between January and March, a 76% increase from the same period in 2025.

Finance’s Ransomware Disclosures, 2023-2025 and Q1 2026

Why 2024 Was a False Reprieve

The relief the financial sector experienced in 2024 was driven largely by law enforcement operations against major ransomware groups such as LockBit and Clop, which briefly disrupted the most active threat actors targeting the sector.

The Eight Months That Reshaped the Threat

In 2025, direct attacks on finance climbed again, driven by a restructured ransomware ecosystem where former operators have rebuilt under new banners with new strategies.

Ransomware on Finance by Threat Actor, 2023–2025

As old groups fell, new ones rose to fill the gap.

A Fragmented Threat Landscape Replaced the Old Structure

Fragmentation is often read as evidence of a weakened ransomware ecosystem. The number of distinct threat actor groups operating against finance rose from 37 in 2023 to 45 in 2024 and 48 in 2025.

The Fragmentation of Finance's Ransomware Threat, 2023–2025

What changed was concentration, not capacity. Here, "top three" and "top ten" refer to the threat actor groups with the most finance-sector victims in a given period, ranked by incident count.

The top three groups produced:

  • 56.2% of finance-sector activity in 2023
  • 30.1% in 2024, a drop
  • 42.6% in 2025, a recovery

The 2024 dip reflects sustained law enforcement pressure on the groups that had dominated 2023:

  • The FBI disrupted ALPHV/BlackCat in December 2023.
  • Operation Cronos seized LockBit's infrastructure in February 2024.

Combined, these two groups' finance-sector activity fell from 61 incidents in 2023 to 16 in 2024.

But the threat did not retreat; it restructured.

Top 3 Threat Actors Targeting Finance, 2023-2025

Years: Top 3 Threat Actors

2023: Clop, LockBit 3.0, AlphV
2024: RansomHub, Kill Security, LockBit 3.0
2025: Qilin, Akira, Kill Security

Where Ransomware on Finance Hits Hardest

Geographically, the threat looks more stable than it is. The United States has been the most-targeted country every year of the dataset, with shares of 52.6% (2023), 42.3% (2024), and 48.5% (2025). The 2024 drop tracks the takedown of U.S.-focused operators (Clop, LockBit, AlphV), and the 2025 recovery reflects new operators inheriting similar geographic preferences.

The exception is South Korea. Zero finance disclosures in 2023 and 2024; 32 in 2025, almost all in September, almost all attributed to Qilin's campaign against a single Korean managed service provider.

Finance Ransomware Targets: Country Distribution

How Ransomware Moved Across Finance's Subindustries

The financial sector is not a monolith, and ransomware activity in 2025 was distributed unevenly across its subindustries.

Investment firms, covering hedge funds, private equity, asset managers, and similar entities, were the most-targeted segment of finance in 2025, accounting for 84 disclosures, or 41.6% of all incidents.

Banks and depository credit institutions came second with 36 incidents (17.8%), followed by nondepository credit providers and credit-related service firms, which each recorded 27 incidents.

The composition of these numbers tells a deeper story when compared with 2023.

That year, banks were the most-targeted subindustry with 71 disclosures, almost twice that of the next category. Investment firms came second with 44.

By 2025, those positions had reversed. Banks fell to 36 and stayed there. Investment firms nearly doubled to 84.

Part of that increase reflects the September 2025 campaign against South Korean asset managers, which contributed 32 of the 84 (38.1%) investment-firm disclosures.

Investment Firms Now Account for Nearly Half of All Incidents

Direct attacks are only half the story.

The next section examines the vendor ecosystem that financial institutions depend on and how vulnerable it has become.
