Ransomware attacks: The evolving extortion threat to US financial institutions

Before sunrise on a chilly November morning, I got the kind of call no security leader ever wants. A mid-sized U.S. bank had been hit hard overnight. Customers couldn’t access their accounts, ATMs were non-functional and every screen in the company’s environment glowed with the same ominous message: their systems were encrypted, and data had been stolen. The attackers demanded a substantial Bitcoin payment, threatening to leak sensitive information if the bank didn’t comply within seven days.

This wasn’t a theoretical tabletop drill or a scenario I’d outlined in a risk briefing; this was real. As I helped support their investigation and recovery, I couldn’t help but reflect on how far ransomware has evolved and how much higher the stakes are now for the financial sector. 

A ‘perfect storm’ of cyber extortion in finance

In 2025, ransomware has cemented its position as the most disruptive cybersecurity threat facing U.S. financial institutions. Whether you work at a multinational bank or a local credit union, the danger is very real and very personal. I’ve seen attackers evolve from deploying simple file lockers to launching complex, multi-stage operations involving stolen credentials, deep reconnaissance and multiple layers of extortion. 

We’re seeing attackers exfiltrate data before encryption, putting organizations in the impossible position of choosing between public breach disclosure and paying up to avoid reputational damage. By 2024, two-thirds of financial institutions had experienced ransomware firsthand, and, based on my own conversations with peers, I believe the true number is likely higher. In the U.S. alone, incidents surged more than 60% year-over-year in 2023. Every week, I hear of another peer dealing with an attack, or worse, learning they were compromised weeks ago.

The financial industry has long been a prime target, but what has changed is the increasing scope and coordination of these attacks. I’ve watched as ransomware moved from the shadows into the mainstream, and now, as a business model powered by Ransomware-as-a-Service (RaaS), it’s scaling like a startup with a growth fund.

Ransomware’s evolution: From simple lockdowns to triple extortion 

I’ve watched ransomware evolve dramatically over the years, from its early days of simple file encryption to the highly organized, multi-layered extortion campaigns of today. By 2025, these attacks have become more calculated, aggressive and tailored to inflict maximum pressure, especially on financial institutions like the ones I help protect. We’re no longer just dealing with locked files; we’re facing full-scale psychological warfare designed to force quick payouts and avoid public scrutiny.

Double extortion 

In nearly every major ransomware case I’ve worked on or analyzed recently, attackers didn’t just encrypt systems; they also stole sensitive data before pulling the trigger. That means we face two threats at once: data we can’t access and data we don’t want exposed. I’ve seen situations where, despite having solid backups, institutions still paid the ransom because the reputational or legal risk of a public data leak, containing sensitive information such as customer PII or confidential deal documents, was too high. Once the stolen data starts appearing on dark web “leak sites,” the pressure to act increases tenfold. It’s not just about system restoration anymore; it’s about brand survival.

Triple extortion 

As if encryption and data theft weren’t enough, I’ve seen attackers take it a step further. In some of the more extreme incidents I’ve supported, ransomware gangs have followed up with DDoS attacks on public-facing systems or reached out directly to regulators, journalists or even the victim’s clients. One group even contacted the customers of a breached institution to increase the pressure on the bank to pay. These tactics add external scrutiny to an already chaotic situation. And with today’s disclosure rules requiring that we report breaches quickly, sometimes within days, the attackers know they can use early exposure as leverage. It’s a race against time, and they’re weaponizing the clock.

Ransomware-as-a-Service (RaaS) and affiliate networks 

Another change I’ve seen firsthand is how ransomware has become a business model. Developers now build ransomware “kits” and lease them to affiliate attackers, who execute the actual intrusions. These affiliates use phishing, stolen credentials or known vulnerabilities to get inside, then launch the ransomware and split the profits with the developers. I’ve analyzed affiliate playbooks that come with step-by-step instructions, complete with FAQs and support contacts. This model has dramatically increased the volume and reach of ransomware attacks, enabling even relatively unskilled criminals to cause severe damage. And because these groups iterate and share tactics rapidly, every successful breach makes the next one easier to execute.

Increased aggression and persistence 

The level of persistence I’ve encountered in recent attacks is staggering. Attackers often spend weeks inside an environment, conducting reconnaissance, escalating privileges and planning their strike. They deliberately target backups, delete shadow copies and shut down security software moments before launching the payload. It’s not uncommon for them to gain domain administrator access, giving them complete control over enterprise systems. These aren’t crimes of opportunity; they’re well-researched, choreographed takedowns. And by the time we see the ransom note, the real damage has already been done.

Technical sophistication and cross-platform capabilities 

Technically, ransomware has never been more advanced. I’ve come across strains built in Rust and Golang, languages that traditional security tools often struggle to detect. Attackers now routinely deploy EDR evasion tools to turn off endpoint protections. What worries me most is how many of these threats are now capable of targeting not just Windows systems, but Linux servers, VMware ESXi hypervisors and cloud infrastructure. Many of the financial institutions I’ve worked with run core workloads in hybrid environments, and we’ve had to broaden our defenses accordingly. A ransomware attack today can simultaneously paralyze both the branch network and the cloud-hosted banking platform.

Nation-state collaboration 

Perhaps the most disturbing trend I’ve witnessed is the increasing overlap between cybercriminal groups and nation-state actors. Intelligence briefings I’ve been part of have shown how groups linked to countries like North Korea are partnering with or directly backing ransomware gangs. In some cases, they act as access brokers, compromising a target and selling entry to another group. These partnerships blur the line between cybercrime and geopolitical sabotage, particularly when financially motivated actors adopt tactics typically reserved for espionage. For those of us protecting financial institutions, it means we’re not just facing criminals; we may be up against state-backed threat actors with deep resources and political motivation.

Strategic takeaways for financial institutions 

Based on my observations in the field, it’s clear that ransomware in 2025 is not just about locked files or downtime; it’s about full-spectrum extortion. We must assume that attackers will steal data, seek media attention and utilize every available lever to force a payout. That’s why our defensive strategy has evolved to include encrypted and offline backups, constant monitoring for data exfiltration and pre-defined response plans for handling public disclosure and regulatory obligations.

Lessons from the front lines: Ransomware in the real world 

Over the past few years, I’ve had the chance, sometimes reluctantly, to witness ransomware incidents unfold across the financial sector. Whether advising peers, responding directly or debriefing after an incident, I’ve seen firsthand what works, what fails and what institutions wish they’d done sooner. Here are a few examples that stood out to me, and the lessons I’ve taken away.

Scattered Spider’s social engineering attack 

One of the more unsettling cases I studied involved Scattered Spider (UNC3944). This group employed social engineering tactics to impersonate a bank employee and deceive the IT help desk into resetting login credentials. From there, they escalated privileges and deployed ransomware widely across the network. What struck me most was how convincingly they played the part, down to referencing internal tools and using LinkedIn-sourced information. 

After seeing this, we revisited our help desk protocols. We realized that training wasn’t enough; we had to implement multi-step identity verification for any sensitive request. We also enhanced our internal monitoring to detect unusual behaviors, such as employee accounts accessing dozens of systems they’d never previously accessed. That attack reminded me how even the most advanced breaches often start with a human decision point.

Vendor breach impacting credit unions (Ongoing Operations) 

In late 2023, a ransomware attack hit Ongoing Operations, a service provider used by over 60 credit unions. While none of the credit unions were directly breached, they still suffered outages and disruptions because their shared vendor had been taken offline. It was a wake-up call for many of us: even if we’re doing everything right internally, a single weak link in our supply chain can cause significant fallout. 

That event prompted us to review every critical vendor and ask more challenging questions about their backup strategies, recovery timelines and their willingness to share updates during an incident. We’ve also started including more detailed incident response expectations in our contracts. And when possible, we’ve diversified providers for key services to avoid over-reliance on any one partner.

LockBit attack via vendor (Bank of America case) 

Another cautionary tale came from the LockBit attack on Infosys McCamish, a Bank of America vendor. The attackers accessed sensitive customer data, and the delay in public disclosure created a wave of customer frustration and media backlash. I recall closely following the fallout, especially since we also utilize third-party processors within our ecosystem.

It reinforced our belief that vendor due diligence is not optional. But even more, it reminded us of the importance of timely and transparent communication when things go wrong. Since then, we’ve revised our breach notification process to ensure that our legal, communications and security teams are all aligned and work efficiently. We don’t wait for confirmation of every detail before reaching out to customers; we focus on being transparent, proactive and supportive.

Evolve Bank & Trust ransomware breach 

When Evolve Bank was hit in early 2024, I was impressed by how quickly they responded. They involved law enforcement, notified the public and provided identity protection services to affected customers. While the breach itself was serious, their handling of it helped contain reputational damage and regulatory fallout. 

That case helped us refine our incident response playbook. We now have pre-drafted customer communications, standing contracts with forensic and PR firms, and clear guidance on when to involve our cyber insurance provider. We’ve also conducted cross-departmental drills to pressure-test our processes. It’s one thing to have a plan; it’s another to know you can execute it under duress.

Law enforcement success: Hive takedown 

Not every ransomware story ends with victim losses. The FBI’s takedown of the Hive ransomware group in 2023 was a rare and encouraging win. By infiltrating the group’s infrastructure, law enforcement was able to help victims recover and eventually dismantle the operation quietly. I recall how that story reignited hope throughout our community and reminded us that cooperation truly matters. 

These examples all drive home the same point for me: ransomware is unpredictable, fast-moving and multidimensional. The financial institutions that fare best are those that prepare not just technically, but also strategically and operationally. They’ve segmented their networks to contain damage. They’ve rehearsed their recovery plans. They’ve trained their teams, hardened their vendors and, most importantly, they’ve acknowledged that no one is immune.

In my experience, preparation is the only true differentiator. We can’t guarantee we won’t be hit, but we can control how well we respond.

Strengthening defenses: My approach to prevention and resilience

Over the last few years, I’ve worked with teams across the financial sector to shift our cybersecurity posture from reactive to truly resilient. Our mindset has become: prevent what we can, and recover fast from what we can’t. Below are the practices I’ve helped implement, many of which were shaped directly by tough lessons learned during real-world ransomware incidents.

1. Harden entry points and monitor continuously 

We’ve doubled down on securing our initial access points. From my experience, breaches often start with something as simple as a malicious email or a missed software patch. We’ve invested in advanced email filters, sandboxing and ongoing phishing training for our staff. I’ve participated in those simulated phishing campaigns, and they are effective. 

We’ve enforced MFA across the board, especially for remote access and admin accounts. I’ve pushed hard to move away from SMS-based MFA toward phishing-resistant options, such as security keys and authenticator apps. And when it comes to patching, we no longer wait for scheduled windows. We aim to deploy critical updates within 24 to 48 hours, guided by real-time threat intelligence and security updates. Our SOCs now monitor 24/7 using AI-driven anomaly detection, flagging patterns like mass file changes, rogue account creation or unusual lateral movement. It has helped us catch several early-stage intrusions before they escalate into more serious issues.
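The two detections mentioned above and in the Scattered Spider lesson (an account touching many systems it has never used before, and a burst of file changes on one host) can be expressed as simple baseline-and-window rules. This is an added example, not the author's SOC tooling; the log format, field names and thresholds are assumptions, and the events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed events in a simplified "timestamp user host action" form,
# standing in for normalized logon and file-audit records from a SIEM.
BASELINE = """\
2025-03-01T09:00:00 jdoe FS01 logon
2025-03-01T09:05:00 jdoe HR-APP logon
2025-03-02T10:00:00 asmith FS01 logon
2025-03-02T10:30:00 asmith SQL01 logon
"""
# A night-time burst: jdoe logs on to five hosts absent from the baseline,
# then FS01 records 60 file modifications in one minute (constructed).
SUSPECT = "\n".join(
    [f"2025-03-10T02:0{i}:00 jdoe {h} logon"
     for i, h in enumerate(["FS01", "DC01", "SQL01", "ESXI01", "BACKUP01", "FS02"])]
    + [f"2025-03-10T02:07:{s:02d} jdoe FS01 file_modify" for s in range(60)]
    + ["2025-03-10T02:08:00 asmith SQL01 logon"]
)

def parse(text):
    """Parse lines into sorted (timestamp, user, host, action) tuples."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, user, host, action = line.split()
            events.append((datetime.fromisoformat(ts), user, host, action))
    return sorted(events)

def known_hosts(events):
    """Baseline: the set of hosts each user has previously logged on to."""
    seen = defaultdict(set)
    for _, user, host, action in events:
        if action == "logon":
            seen[user].add(host)
    return seen

def detect_new_host_spread(events, baseline, window=timedelta(hours=1), threshold=5):
    """Flag users whose first logons to >= threshold never-before-seen hosts
    all fall inside one window (assumed lateral-movement signature)."""
    firsts = defaultdict(list)  # user -> [(ts, host)] first logon per new host
    for ts, user, host, action in events:
        if action == "logon" and host not in baseline.get(user, set()):
            if host not in {h for _, h in firsts[user]}:
                firsts[user].append((ts, host))
    alerts = {}
    for user, hits in firsts.items():
        for i, (start, _) in enumerate(hits):
            hosts = [h for t, h in hits[i:] if t - start <= window]
            if len(hosts) >= threshold:
                alerts[user] = hosts
                break
    return alerts

def detect_mass_file_changes(events, window=timedelta(minutes=5), threshold=50):
    """Flag hosts with >= threshold file modifications inside one window."""
    mods = defaultdict(list)
    for ts, _, host, action in events:
        if action == "file_modify":
            mods[host].append(ts)
    alerts = {}
    for host, times in mods.items():
        j = 0
        for i, start in enumerate(times):
            while j < len(times) and times[j] - start <= window:
                j += 1
            if j - i >= threshold:
                alerts[host] = j - i
                break
    return alerts

def run_detection():
    """Run both rules over the constructed data; returns (spread, mass) alerts."""
    baseline = known_hosts(parse(BASELINE))
    events = parse(SUSPECT)
    return detect_new_host_spread(events, baseline), detect_mass_file_changes(events)
```

Real deployments would feed these rules from the SIEM and tune the windows and thresholds per environment; here jdoe trips the spread rule and FS01 trips the mass-change rule while asmith stays quiet.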

2. Network segmentation and least privilege access 

When I first reviewed our network layout a few years ago, I realized that if ransomware were to infiltrate, it could spread far too freely. So we re-architected. Currently, our HR systems can’t communicate directly with our core banking platforms without first passing through multiple security controls. 

We’ve adopted strict least privilege access policies. Domain admin use is rare, short-lived and tightly monitored. With modern identity governance tools, we regularly review access entitlements and eliminate “permission creep.” These changes didn’t just limit risk; they also gave our auditors a lot more confidence in our control maturity.

3. Secure, offline and tested backups 

Backups are non-negotiable, but I’ve seen firsthand how many institutions assume they work, only to discover otherwise during an incident. We follow the 3-2-1 model: three data copies, two media types, one offline. Our backups include immutable copies that can’t be altered or deleted for a set period. 

But what made the difference for us was operationalizing backup drills. We’ve rehearsed recovery of entire environments, from core databases to user laptops. It’s not hypothetical; we know how long it takes, and we’ve improved our RTOs with every exercise. It gives our leadership peace of mind that we’ll never be forced into paying a ransom to retrieve our data.
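A small checker that turns the 3-2-1 rule, the immutability window and the restore-drill requirement described above into something a backup team can run against its catalogue. Added example, not the author's tooling; the inventory fields, the 90-day drill interval and the RTO value are assumptions, and the records are constructed.

```python
from datetime import date, timedelta

# Constructed backup inventory for one core system; field names are assumed.
INVENTORY = [
    {"id": "san-snapshot", "media": "disk", "offline": False,
     "immutable_until": date(2025, 3, 20),
     "last_restore_test": date(2025, 2, 28), "restore_minutes": 45},
    {"id": "weekly-tape", "media": "tape", "offline": True,
     "immutable_until": None,
     "last_restore_test": date(2024, 11, 1), "restore_minutes": 600},
    {"id": "cloud-object-lock", "media": "object-storage", "offline": False,
     "immutable_until": date(2025, 4, 1),
     "last_restore_test": date(2025, 3, 1), "restore_minutes": 120},
]

def check_backups(copies, today, rto_minutes=240, drill_max_age=timedelta(days=90)):
    """Return a list of policy violations; an empty list means the set passes."""
    problems = []
    if len(copies) < 3:
        problems.append(f"only {len(copies)} copies (3-2-1 needs 3)")
    if len({c["media"] for c in copies}) < 2:
        problems.append("all copies on one media type (3-2-1 needs 2)")
    if not any(c["offline"] for c in copies):
        problems.append("no offline copy (3-2-1 needs 1)")
    # At least one copy must still be inside its immutability window today.
    if not any(c["immutable_until"] and c["immutable_until"] >= today for c in copies):
        problems.append("no copy still inside its immutability window")
    # A recent restore drill must exist and must have met the RTO.
    recent = [c for c in copies if today - c["last_restore_test"] <= drill_max_age]
    if not recent:
        problems.append(f"no restore drill in the last {drill_max_age.days} days")
    elif all(c["restore_minutes"] > rto_minutes for c in recent):
        problems.append(f"no recently drilled copy restores within RTO of {rto_minutes} min")
    return problems
```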

4. Incident response planning and drills 

Our incident response plan has evolved into a living, breathing part of our operations. We’ve developed detailed playbooks that map out containment strategies, communication protocols and escalation thresholds. These aren’t just technical documents; they’re used across departments. 

I’ve helped lead cross-functional drills with security, legal, compliance, PR and the executive team. We simulate everything: system lockdowns, media inquiries, regulatory disclosures. We’ve also pre-negotiated contracts with incident response firms and crisis communications vendors, so we’re never scrambling in the heat of the moment. Our insurance policy is also tied to our plan; we know precisely when to notify the provider, and we’ve practiced the reporting process. 

These exercises have uncovered surprising gaps, such as realizing that our emergency contact list was stored on the very server that might be encrypted during an attack. We’ve addressed those issues, and now we run simulations at least twice a year, including broader FS-ISAC and Treasury-led scenarios.

5. Cyber hygiene and zero trust architecture

While we’ve implemented numerous ransomware-specific defenses, we’ve also invested in long-term resilience through foundational improvements. I’m a strong advocate for Zero Trust, and we’ve rolled out microsegmentation, continuous identity verification and internal encryption for sensitive data.

We’ve upgraded our endpoints with next-gen antivirus and EDR solutions and contracted a managed detection provider to help us monitor around the clock. On the logging front, we have centralized everything: servers, firewalls, applications and cloud workloads, so our threat hunters have a comprehensive view of the entire environment.

I also ensure that our threat intelligence team keeps a close eye on the dark web. We’ve found stolen credentials before they were used, allowing us to reset them promptly. Cybersecurity training now includes not only IT staff but also board members and executives. Everyone now owns part of the defense.

6. Ransom payment policies and regulatory considerations 

This is one of the most difficult conversations we’ve had internally. Our policy is clear: we do not want to pay. However, we’ve also outlined the conditions under which we’d consider it, as well as who would be involved in making that decision. 

We’ve worked with legal and compliance to ensure we’d never violate OFAC or international sanctions if we were ever forced to deal with an attacker. And with CIRCIA requiring us to report ransom payments within 24 hours, we’ve aligned our playbook to comply. The board is aware, engaged and aligned on the ethical and regulatory dimensions of this issue.

7. Collaboration and threat sharing 

I’ve found that one of our most valuable defenses isn’t a tool, it’s the community. We actively share indicators of compromise (IOCs), phishing lures and suspicious behavior with other financial institutions through FS-ISAC. The intel we get back has helped us block multiple threats early. 

We also engage directly with Treasury, DHS and the FBI. In at least one case, intelligence shared during a joint simulation helped us catch a potential intrusion before it escalated. We’re also contributing to broader public-private initiatives, such as the Joint Ransomware Task Force, which aims to dismantle ransomware networks globally. When law enforcement succeeds, we all benefit, and we support these efforts in any way we can. 

Building cyber resilience amid a ransomware siege 

From my perspective, defending against ransomware in 2025 necessitates a layered, collaborative approach. We structure our entire strategy around five pillars: prevent, detect, contain, recover and collaborate. While threat actors are more sophisticated than ever, I’ve also never seen the financial sector more unified, better resourced or more determined to fight back. 

Our goal isn’t just to survive ransomware, but to make paying the ransom unnecessary. That means not only stopping attacks, but also ensuring our systems can recover, our customers can trust us and our regulators see that we’re operating with integrity and foresight. 

Ultimately, ransomware has fostered a stronger culture of cyber readiness and cooperation. I’ve seen banks learn from painful incidents, bounce back stronger and then share their lessons freely with others. I’ve seen executive teams take ownership of cybersecurity. And I’ve seen our sector come together, competitors one day, defenders the next, against a common threat. 

This article is published as part of the Foundry Expert Contributor Network.