Financial sector remains top for ransomware targets

23 February 2024

Netskope Threat Labs has published its latest research report which revealed that the financial sector remains among the top sectors targeted by ransomware groups.

The report examines the increasing cloud app adoption in the financial services industry, and the worrying abuse of these channels to evade regular security controls for malware and ransomware attacks.

OneDrive and Sharepoint, and Github are identified as significant channels for potential cloud app abuse – with the three sitting at the top of the list consistently since September 2023. Sharepoint was more prominent in finance than in other sectors which is mainly linked to the popularity of Microsoft Teams which uses Sharepoint for file sharing.

The financial sector remains one of the most attacked sectors by ransomware groups, with Trojans the primary attack mechanism, tricking users in the finance industry into downloading other malware payloads. In particular, the Clopp ransomware gang was particularly active in the second half of 2023, exploiting the CVE-2023-34362 MOVEit vulnerability.

LockBit was also a prominent ransomware family that primarily targeted the finance sector and has recently been targeted and shut down by law enforcement agencies.

“It is clear that the macro trends for cloud app use and abuse have remained consistent for the finance sector over the past year,” said Paolo Passeri, Cyber Intelligence Principal at Netskope. “What is interesting to see is that the financial sector remains one of the most attacked sectors by ransomware groups with a focus on the exploitation of vulnerabilities at scale. The figures are a reminder that every organisation should take the time to assess and secure their own infrastructure and that simple operational mistakes could expose you to significant threats.”

Cloud delivered malware comprised 50% of malware downloads in the finance sector, on trend with other sectors, given the ability for attackers to evade regular security controls that rely on tools such as domain block lists and monitoring web traffic but do not apply zero trust principles to routinely inspect cloud traffic.