CYFIRMA Industry Report : Finance

Published On : 2023-07-13

EXECUTIVE SUMMARY

The CYFIRMA Industry Report delivers original cybersecurity insights and telemetry-driven statistics of global industries, covering one sector for a quarter. This report focuses on the Financial Industry, presenting key trends and statistics in an engaging infographic format.

INTRODUCTION

Welcome to the CYFIRMA infographic industry report, where we delve into the external threat landscape of the finance industry over the past three months. This report provides valuable insights and data-driven statistics, delivering a concise analysis of attack campaigns, phishing telemetry, and ransomware incidents targeting financial institutions.

We aim to present an industry-specific overview in a convenient, engaging, and informative format. Leveraging our cutting-edge platform telemetry and the expertise of our analysts, we bring you actionable intelligence to stay ahead in the cybersecurity landscape.

PAST 90 DAYS IN NUMBERS

OBSERVED ATTACK CAMPAIGNS

The number of observed attack campaigns against the finance industry fluctuated over the given period, with June having the highest number (17 campaigns), followed by April (11 campaigns), and May (9 campaigns).

The increase in attack campaigns from April to June suggests a growing focus on targeting the finance industry, potentially due to the attractiveness of financial data, funds, and sensitive information.

SUSPECTED THREAT ACTORS

MISSION2025, Lazarus Group, and FIN11 are the most active threat actors targeting the finance industry, suggesting a significant focus on financial institutions.

The presence of various threat actors indicates that the finance industry is a lucrative target for cybercriminals, state-sponsored groups, and organized hacker groups alike.

GEOGRAPHICAL DISTRIBUTION


ATTACKED TECHNOLOGIES

Breaking down the top attacked technologies, these findings suggest that sophisticated threat actors prioritize targeting web applications, exploit vulnerabilities in the Windows operating system, and recognize the value of attacking application infrastructure and databases.

PHISHING ATTACKS IN THE FINANCE INDUSTRY

A significant proportion of confirmed phishing attacks (32,936 out of 199,332 total observed attacks) involve the finance industry. Attackers perceive the finance industry as a lucrative target due to potential financial gains and the value of stolen financial information as well as phishing lures.

The majority of confirmed phishing attacks in the finance industry occur in developed countries. The United States has the highest number of attacks (12,381), followed by Germany (1,860), the Netherlands (953), and the United Kingdom (419). Attackers focus their efforts on countries with well-established financial sectors and higher potential rewards.

European Union (EU) as a target

  • The EU collectively experiences a significant number of phishing attacks in the finance industry (12,716).
  • Attackers view the EU as an attractive target due to its economic development and the presence of numerous financial institutions.

Regional variations within the EU

  • Germany has the highest number of phishing attacks (1,860) among EU countries, followed by the Netherlands (953) and the United Kingdom (419).
  • Larger financial sectors and higher online financial activity in these countries might contribute to the higher attack numbers.
  • Other EU countries, such as France, Ukraine, Poland, and Ireland, also experience a notable number of attacks.

High concentration in Asia Pacific

  • The Asia Pacific region sees a significant number of phishing attacks in the finance industry (4,517).
  • Australia has the highest number of attacks (886), followed by Vietnam (583) and South Korea (356).
  • Attackers target countries with strong economies and high internet penetration rates in the region.

Emerging threats in Latin America

  • Latin America experiences a substantial number of phishing attacks in the finance industry (627).
  • Brazil has the highest number of attacks (208), followed by Panama (150) and Argentina (97).
  • The increasing digitalization of financial services and the growing number of online transactions contribute to the emerging threat in the region.

Limited attacks in Africa and the Middle East

  • Africa and the Middle East have a relatively lower number of phishing attacks in the finance industry.
  • South Africa is the most targeted country in Africa (52 attacks), while Turkey has the highest number of attacks in the Middle East (128).
  • It’s important to note that these regions may face underreporting or detection challenges.

BREAKDOWN BY COUNTRIES AND REGIONS

United States 12381
Russia 1301
Canada 1097

EU Total: 12716
  Germany 1860
  Netherlands 953
  United Kingdom 419
  France 359
  Ukraine 304
  Poland 113
  Ireland 105
  Italy 87
  Bulgaria 87
  Romania 83
  Sweden 56
  Malta 54
  Belgium 11
  Iceland 11

Asia Pacific Total: 4517
  Australia 886
  Vietnam 583
  South Korea 356
  Japan 350
  Singapore 237
  New Zealand 226
  India 196
  Hong Kong 145
  Philippines 122
  China 116
  Thailand 72
  Malaysia 52
  South Africa 52
  Indonesia 92
  Taiwan 5
  Cambodia 2

Africa Total: 102
  South Africa 52
  Kenya 3
  Morocco 4
  Algeria 2
  Malawi 2
  Zimbabwe 2

Middle East Total: 150
  Turkey 128
  United Arab Emirates 19
  Iran 28
  Saudi Arabia 1

Latin America Total: 627
  Brazil 208
  Panama 150
  Argentina 97
  Venezuela 96
  Costa Rica 35
  Colombia 8
  Paraguay 8
  Mexico 2

DIVERSE RANGE OF TARGETS

Attackers demonstrate a wide-ranging focus by targeting various financial institutions, including major banks, credit unions, and online payment services.

Additionally, phishing attack activity varies across different regions, with Europe experiencing a high concentration of attacks on German and Dutch institutions, while Latin America sees targeted attacks on Brazilian and Panamanian banks.

REGIONAL VARIATIONS

Different regions show varying levels of phishing attack activity. For example, in Europe, German and Dutch institutions are frequently impersonated, while in Latin America, Brazilian and Panamanian banks are targeted.

RANSOMWARE – VERIFIED FINANCE INDUSTRY VICTIMS

The finance industry has been a notable target in the past 3 months, with a total of 107 incidents verified as affecting the finance industry, out of the overall total of 1169 incidents during the same period. This indicates a heightened targeting of the finance industry compared to previous periods. Specifically, the Cl0p gang revealed a large number of victims within this sector during June.

Typically, incidents are distributed evenly among the gangs targeting the finance industry, with large gangs like ALPHV and Lockbit3 standing out with a few more victims. However, as seen in the chart below, the Cl0p gang, with its June spree, represents 31% of all incidents in the past 3 months.

While Cl0p, ALPHV, and Lockbit3 were the standout groups, other ransomware groups displayed different levels of activity. Some groups, such as 8base, royal, trigona, ragroup, and others, had a relatively lower number of incidents, suggesting they may be less active or targeting a narrower scope within the finance industry.

Geographic distribution of Victims

With 50 incidents, the United States stands out as the country most affected by ransomware attacks in the finance industry. This suggests that the US finance sector remains a prime target, due to its economic significance and digital infrastructure. While European banking powerhouses like the UK, Switzerland, and Luxembourg had a lower number of incidents compared to the US, they still experienced a considerable number (16 incidents in the EU) in their finance industry. This indicates a persistent threat to financial institutions in the region.

Emerging economies like Brazil, India, Colombia, and Angola had multiple incidents, highlighting the increasing vulnerability of emerging economies’ finance sectors to ransomware attacks. This trend may be driven by the growth of digital financial services in these regions.

Global spread – The presence of incidents in various continents underscores the global reach of ransomware attacks targeting the finance industry.

The distribution of ransomware incidents in the past 3 months was observed across multiple sectors. The sectors that experienced the highest impact were insurance (20.9%), banking and financial services (19.4%), investment and wealth management (14.9%), payment and fintech (10.1%), and mortgage and real estate (6.3%).

Broad targeting – The victims span a wide range of financial service providers, including credit and financial consulting, credit unions and cooperatives, stockbroking and trading, asset management, and other financial services.

Potential financial motives – The inclusion of investment and wealth management firms, stockbroking and trading, and asset management sectors among the victims suggests potential financial motives for the ransomware attacks. These sectors deal with significant financial assets, making them attractive targets for cybercriminals seeking financial gain.

Vulnerable sectors – Insurance, banking, and financial services experienced a higher number of incidents, potentially due to the sensitive customer information and financial data they possess.

CONCLUSION

The finance industry remains a prime target for cybercriminals, state-sponsored groups, and organized hacker groups. Attack campaigns and phishing attacks show a global reach, targeting countries with prominent financial sectors and economies. The insurance, banking, and financial services sectors are particularly vulnerable due to the sensitive customer information and financial data they possess. The emergence of new threat actors and the increasing vulnerability of emerging economies’ finance sectors highlight the need for robust cybersecurity measures in the finance industry.