Top Ransomware Groups Target Financial Sector, 406 Incidents Revealed
Flashpoint analysts have reported that between April 2024 and April 2025, the financial sector emerged as a prime target for cyber threat actors, with 406 publicly disclosed victims falling prey to ransomware attacks alone.
This figure accounts for roughly seven percent of all ransomware victim listings during the period, underscoring the sector’s vulnerability to such attacks.
However, ransomware is merely the tip of the iceberg in a multifaceted threat landscape that includes sophisticated Advanced Persistent Threat (APT) groups, third-party breaches, initial access credential trading, insider threats, and emerging deepfake fraud.
The sector’s allure lies in its management of vast troves of sensitive data, ranging from high-value financial transactions to confidential customer information, and its deep interconnectivity with other industries, making it a gateway for cascading breaches.
According to the report, several key players dominate this cyber onslaught.
RansomHub, a relatively new Ransomware-as-a-Service (RaaS) group active since February 2024, claimed 38 financial sector victims, leveraging phishing and vulnerability exploitation as primary tactics.
Prominent Threat Actors and Their Tactics
Akira, active since March 2023 and potentially linked to the defunct Conti group, targeted 34 organizations using compromised credentials, VPN flaws, and Remote Desktop Protocol (RDP) access for double extortion schemes.
LockBit, a veteran RaaS group active since 2019, reported 29 victims, with a notable yet dubious claim of breaching the US Federal Reserve in June 2024, later linked to data from Evolve Bank & Trust.
Meanwhile, FIN7, a financially motivated Eastern European group, continues to target payment card data and interbank systems like SWIFT, amassing over $1 billion in revenue since 2015 through phishing and social engineering.
Scattered Spider, emerging in 2022, focuses on rapid exploitation via SMS phishing and fake Okta sign-on pages, while the North Korean-backed Lazarus Group pursues financial gain and espionage through spear-phishing and malware-laden images.
These actors exploit a range of attack vectors, with Flashpoint noting 6,406 posts on financial sector access listings in illicit forums, driven by Initial Access Brokers (IABs) who sell network entry points gained via phishing and RDP exploits.
The financial sector’s exposure is further amplified by third-party compromises, exemplified by the Clop ransomware gang’s exploitation of the MOVEit vulnerability in December 2024, which exposed sensitive data and credentials.
Insider threats are also on the rise, with malicious actors recruiting insiders via platforms like Telegram to gain direct system access.
Adding to the complexity, AI-driven deepfake and impersonation fraud, evident in 1,238 posts on fraud-related Telegram channels, presents a growing challenge by bypassing traditional security with convincing audio-visual forgeries.
This convergence of ransomware, APT activities, and novel fraud tactics signals an urgent need for robust cybersecurity frameworks in financial institutions to mitigate these persistent and evolving threats. A single breach can ripple across interconnected industries with devastating consequences.