From 2018 to June 2023, 225 financial organizations have been hit by a ransomware attack. We estimate that these entities have lost over $32.3 billion in downtime alone.
A ransomware attack on a financial business, e.g. a bank, insurance company, or accounting firm, has the potential to cause mass chaos with encrypted systems and puts crucial sensitive data at risk.
To find out just how devastating ransomware attacks can be on the finance sector, we’ve taken a look at all 225 cases of confirmed attacks on these companies from around the world. Utilizing our worldwide ransomware tracker, we’ve explored each attack in detail to find out how much downtime was caused, how much data was stolen, what the ransom demands were, and whether or not ransoms were paid.
Please note: while we may have logged a higher number of attacks in one country compared to another, this doesn’t necessarily mean it is more “targeted” by attackers. Rather, the awareness and reporting of such attacks may be more in-depth. For instance, data breach reporting tools and regulations in many US states help confirm these attacks. Those same tools and regulations don’t exist in many other countries.
From 2018 to June 2023, we found:
- 225 confirmed ransomware attacks on financial organizations with 2021 being the most impacted year with 86 attacks in total
- Over 32.3 million individual records were breached as a result of these attacks–at least
- Ransom demands varied from $180,000 to $40 million
- On average, hackers demanded $6.9 million, suggesting around $2.14 billion in ransom payments has been demanded in total
- Hackers received $44.2 million in ransom payments across just five attacks
- Downtime varied from one day to 52 days
- The average downtime from attacks has been consistently high for the past years (varying from 10 days to 14 days)
- The overall cost of downtime is estimated at $32.3bn
- Insurance companies saw the highest number of attacks (65)
- LockBit was the most dominant ransomware strain in 2022 but has been overtaken by BlackCat/ALPHV in 2023 (so far). REvil and Conti were the most prolific in 2021 while Maze carried out the most attacks (where the ransomware strain is confirmed) in 2019/20
Ransomware attacks on finance companies by month and year
As we have already noted, 2021 was the biggest year for ransomware attacks on finance companies with 86 in total. 2020 was the second-biggest year with 56.
Even though the number of ransomware attacks dipped significantly in 2022 (just 39 in total), this mirrors the overall trend last year. 2023, however, looks set to see a significant increase in ransomware attacks.
Up until the end of June 2023, 24 confirmed ransomware attacks on financial companies had been logged by our team. This is a lot higher than the 16 noted in the same period of 2022. Many attacks aren’t confirmed until a month or so post-incident, so we expect to see these figures rise even further.
Hackers also appear to be going after ‘big ticket’ companies with troves of data. By stealing large amounts of data as well as encrypting systems, hackers are increasing their chances of receiving a ransom payment. Equally, even if an organization fails to pay, personal financial data will fetch a premium on the dark web.
In 2022, just over 3.5 million records were confirmed as being impacted by ransomware attacks. So far this year, just over 14 million records have been affected. The vast majority of these stem from the attack on Australia’s Latitude Financial in which 14 million records were affected. Initially, the company said 328,000 people had been affected, but in an updated breach report, it said as many as 14 million could be impacted. The organization refused to pay the ransom and is offering affected customers help through IDCARE.
A further 15 million records have been stolen from Bank Syariah Indonesia by LockBit, but, as we explain below, this hasn’t been confirmed by the bank yet so hasn’t been included in the analysis.
- Number of attacks:
- 2023 (to June) – 24
- 2022 – 39
- 2021 – 86
- 2020 – 56
- 2019 – 13
- 2018 – 7
- Number of records impacted:
- 2023 (to June) – 14,002,968
- 2022 – 3,513,240
- 2021 – 4,143,682
- 2020 – 15,331,455
- 2019 – 172,376
- 2018 – 26,155
- Average downtime:
- 2023 (to June) – 14 days
- 2022 – 10 days
- 2021 – 14 days
- 2020 – 9 days
- 2019 – 8 days
- 2018 – 8 days*
- Downtime caused (known cases):
- 2023 (to June) – 158 days (11 cases)
- 2022 – 76 days (8 cases)
- 2021 – 244 days (17 cases)
- 2020 – 83 days (9 cases)
- 2019 – 32 days (4 cases)
- 2018 – N/A*
- Estimated downtime caused (based on known cases and average in unknown):
- 2023 (to June) – 340 days
- 2022 – 386 days
- 2021 – 1,210 days
- 2020 – 506 days
- 2019 – 104 days
- 2018 – 56 days
- Estimated cost of downtime:
- 2023 (to June) – $4.2bn
- 2022 – $4.8bn
- 2021 – $15.1bn
- 2020 – $6.2bn
- 2019 – $1.3bn
- 2018 – $698.5m
*No downtime figures were available for 2018, so the average for 2019 was used.
The true cost of ransomware attacks on finance organizations
As we noted in the introduction, ransom demands varied from $180,000 to $40 million. The latter was demanded by Phoenix CryptoLocker of CNA Financial Corporation (a US-based insurance company). What’s perhaps even more surprising is that the organization is alleged to have paid the ransom two weeks after its systems were encrypted and data was stolen.
Other high ransom demands include:
- Bank Syariah Indonesia – $20 million: In May 2023, BSI was targeted by LockBit who demanded $20 million in ransom. The bank refused to pay and LockBit has since leaked 1.5TB of data which is alleged to include the personal and financial information of 15 million customers. BSI is yet to confirm this figure, so it hasn’t been included in our overall analysis.
- One Call – $21.15 million: UK-based insurance company, One Call, was hit by a £15 million ransom from DarkSide in May 2021. No confirmation was given as to whether the company paid the ransom but it did take around 12 days for systems to be restored.
Based on the data that is available, we were able to determine the following (no data was available for 2018):
- Average ransom demand:
- 2023 (to June) – $9.3m
- 2022 – $892,335
- 2021 – $20.5m
- 2020 – $4.1m
- 2019 – $1.7m
- Ransom demanded (known cases):
- 2023 (to June) – $28m (3 cases)
- 2022 – $4.5m (5 cases)
- 2021 – $61.6m (3 cases)
- 2020 – $12.3 million (3 cases)
- 2019 – $3.4m (2 cases)
- Total ransom paid (known cases):
- 2023 (to June) – N/A
- 2022 – $1.5m (2 cases)
- 2021 – $40.4m (2 cases)
- 2020 – N/A
- 2019 – $2.3m (1 case)
What’s clear is that ransom demands remain extortionately high for the finance sector. But with downtime and sensitive data at stake, it isn’t too much of a surprise that hackers are trying to cash in on the urgency of getting systems up and running and/or safeguarding data.
Adding in downtime
Downtime is one of the most crucial factors involved in a ransomware attack. If an organization has a backup, it can restore its systems from quickly, this will help keep costs at a minimum (from downtime at least–this doesn’t account for any stolen data).
Using the data we’ve collated, we’ve been able to see how much downtime ransomware attacks across the finance sector have caused. Entire systems can go down for days, weeks, and even months at a time, causing severe disruption to the business and its customers. As our latest findings suggest, finance organizations lose an average of two weeks in downtime when they’re hit by such an attack.
According to a report in 2017, the average cost of downtime (across 20 different industries) is $8,662 per minute. This means that finance companies around the world have lost an estimated $32.3 billion to downtime from ransomware attacks.
Even though these costs may seem extremely high, they are in line with some of the reported figures released by ransomware-impacted organizations. For example, Latitude Financial, which we discussed earlier, reported a cost of AUD $95 to $105 million (USD $64 to $71 million) as a result of its attack.
A 2017 study by Information Technology Intelligence Consulting (ITIC) put the hourly cost of downtime in banking/finance at $9.3 million. This is significantly higher than the estimate we’ve used (which would work out at $519,720).
Due to there being no recent studies or specific studies on downtime in finance, we’ve chosen to opt for the lower figure of $8,662 per minute. However, if we utilize ITIC’s figure, downtime from ransomware could have cost finance organizations as much as $580.7 billion.
The finance sector is a key target for ransomware hackers
Last year’s dip in ransomware attacks may have been a welcome relief, but, as our figures for the first half of this year show, it’s likely this was only short-lived. Equally, we did note a change in narrative surrounding ransomware last year, with many organizations avoiding using the word ‘ransomware’ when describing a cyber incident.
This year, more victims appear to be admitting to having suffered a ransomware attack. This could be somewhat due to large-scale attacks like those on Fortra and MOVEit. (These are only included in our worldwide ransomware tracker as single attacks, so each victim isn’t logged separately).
Whatever the narrative around ransomware, however, the threat remains high. As hackers increasingly opt for double extortion, financial organizations not only face the worry of downtime but of stolen data. Some key attacks so far this year include Latitude Financial, Globalcaja, FIIG Securities, Fullerton India, and Bank Syariah Indonesia.
Using the database from our ransomware attack map, our research found 225 finance ransomware attacks in total. From this data, we were able to determine ransom amounts, whether or not ransoms were paid, and the downtime caused.
If no specific figures were given for downtime, i.e. “several days,” “one month” or “back to 80% after 6 weeks” were quoted, we created estimates from these figures based on the lowest figure they could be. For example, several days were calculated as 3, one month was calculated as the number of days in the month the attack happened, and the number of weeks quoted in % recovery statements was used (e.g. 6 weeks per the previous example).
For a full list of sources, please see our worldwide ransomware tracker.