Skip to content

Report: How financial firms are fending off ransomware

Report: How financial firms are fending off ransomware

Banks, you’ve obviously been taking self-defense lessons, and it shows: The rate of financial institutions (FIs) reporting that they’d been victimized in ransomware attacks has tumbled over the past year. 

A year ago, 74% of FIs reported that they’d experienced one or more ransomware attacks, and 63% paid the ransom, according to the 2022 Modern Bank Heists 5.0 report. One year later, that number has fallen to 40%, according to Contrast’s 2023 Cyber Bank Heists report. 

What changed? 

Not the ransomware gangs. Conti, LockBit, DarkSide, Yanluowang and Vice Society — the five ransomware gangs that remain the most active in the financial sector — are still out there, still a major threat to FIs. In this post, we’ll get into the report’s insights into the melting ransomware scene and other key takeaways about the changing trends in how financial firms are cyber-defending themselves.  

A year of the financial sector’s threat landscape

The shifting sands of cyber-defense are just one area scrutinized by  the 2023 Cyber Bank Heists report, which analyzes a year of cybersecurity threats faced by the financial sector. The report portrays the current threat landscape, as depicted by FI CISOs, SVPs of Cybersecurity, and Managing Directors of Information Security from the global Tier 1 (those FIs with a minimum of $200 billion in assets) and Tier 2 (those with between $5 billion and over $10 billion in assets). 

The report covers three areas: 

  • Cyberattack trends,
  • eFraud and
  • Trends in cyber defense. 

This post takes a look at cyber-defense trends. You can also check out our overview of the report’s findings on cyberattack trends in the financial sector. Finally, make sure to read our writeup of eFraud trends

Beefy crackdowns, collaboration & strong tools

But back to the multi-part answer to the question of “what changed” when it comes to dipping ransomware attacks. For one thing, international policing efforts are paying off. Those efforts include the late 2021 kickoff of an international partnership between the U.S. and 30+ partners to dismantle the financial systems and safe harbors that make ransomware profitable. 

Another factor contributing to the ransomware dip is the simple fact that the sector is fighting back harder and smarter than ever. 

The decrease in ransomware attacks plaguing FIs is largely due to the fact that they’re increasingly deploying extended detection and response (XDR) platforms and employing managed detection response (MDR) firms — two of what the report cites as the top ten countermeasures for Cyber Bank Heists.

The No. 1 countermeasure? Intelligent runtime protection: i.e., technology built into an application or application runtime environment that controls application execution, detecting vulnerabilities and preventing real-time attacks by detecting, blocking and mitigating attacks immediately, protecting applications as they run in real time by analyzing both application behavior and context.

In other words, runtime protection enables an application to monitor its own behavior, thereby protecting the application from data theft, malicious inputs and behavior, all without human intervention.

Follow the money

A majority of FIs — 72% of those that participated in the Cyber Banks Heist research — are planning to invest more in Application Security (AppSec) in the coming year, according to the Cyber Bank Heists report. That makes sense: According to the Verizon Data Breach Investigations Report (DBIR), application attacks are the attack vector of choice for cybercrime cartels. 

In the past, FIs have been overly reliant on Web Application Firewalls (WAFs) to defend against the onslaught of application attacks, the report contends. WAFs, unfortunately, don’t cut it: the crooks know that WAFs can be bypassed by attacks that push into backend systems such as Message Queue (MQ), thereby enabling attacks to enter applications and application programing interfaces (APIs) without having to go through a WAF — just one of multiple ways to bypass WAFs. 

Cracking down on fintech vendors

The report also found that fewer FIs are putting up with shoddy security practices in their vendors — shoddy security that can lead to island-hopping attacks, for one thing. Island hopping attacks entail cybercriminals breaking into trusted suppliers’ networks and systems and then using that access to hop into the systems of their ultimate targets: namely, FIs. 

In response, 64% of FIs reported that they’re now mandating cybersecurity requirements for fintech vendors. That’s directly in line with mandates coming down from the U.S. government or financial regulators, with mandated Software Bills of Materials (SBOMs) and security attestation letters being a case in point. 

Packing the board with cybersec know-how

As far as governance goes, the report pointed out a persistent problem with FIs: CISOs are still reporting to CIOs. Change, however, is coming, as more and more banks add cybersecurity specialists to their boards of directors, in line with a proposed rule from the Securities and Exchange Commission (SEC) that would require public companies to disclose whether their boards have members with cybersecurity expertise. 

Is that as important a defense as, say, having runtime protection? 

It’s not a competition. It’s all important. But as the SEC pointed out, investors deserve to know if they're putting their money into companies being governed by a leadership mix that understands the cybersecurity landscape, or if the concept of, say, island hopping just brings blank stares.

Who wants to invest in a cybersecurity-ignorant financial firm? Not me. As the Cyber Bank Heists report shows, the financial sector gets that, and it’s finally coming around to weaving that knowledge into boards of directors as one part of the sector’s cyber armor.

For more insights into how FIs are bolstering cyber defense, download the full report here. 


Lisa Vaas, Senior Content Marketing Manager, Contrast Security

Lisa Vaas, Senior Content Marketing Manager, Contrast Security

Lisa Vaas is a content machine, having spent years churning out reporting and analysis on information security and other flavors of technology. She’s now keeping the content engines revved to help keep secure code flowing at Contrast Security.