Financial organizations hit with average ransom demand of $4.2 million

Since 2018, we’ve recorded 395 publicly confirmed ransomware attacks on the finance industry around the globe, impacting at least 84.6 million records. 2023 saw the highest number of attacks (105) while 2024 has already seen the highest number of records affected (28.2 million).

Many ransomware gangs have adopted double-extortion methods (combining data theft with system encryption), and the financial sector is a prime target for cybercriminals. By gaining access to critical financial records, attackers increase their leverage by threatening to expose clients’ sensitive data if their ransom isn’t paid. And if the ransom demands aren’t met, hackers have a trove of information they can sell on the dark web.

This is perhaps why the average ransom demand is a whopping $4.2 million. The average ransom paid is even higher at $7.4 million.

To find out just how devastating ransomware attacks can be on the finance sector, we’ve taken a look at all 395 cases of confirmed attacks on these companies from around the world. Utilizing our worldwide ransomware tracker, we’ve explored each attack in detail to find out how much downtime was caused, how much data was stolen, what the ransom demands were, and whether or not ransoms were paid.

Please note: while we may have logged a higher number of attacks in one country compared to another, this doesn’t necessarily mean it is more “targeted” by attackers. Rather, the awareness and reporting of such attacks may be more in-depth. For instance, data breach reporting tools and regulations in many US states help confirm these attacks. Those same tools and regulations don’t exist in many other countries.

Key findings:

From the beginning of 2018 to August 2024, our research found:

  • 395 individual ransomware attacks on financial organizations with peaks in 2023 (105) and 2021 (104)
  • At least 84,625,351 individual records were impacted in these attacks. 2024 accounts for a third of this figure with 28.2 million records affected in total, a 14 percent increase from the 24.8 million records affected in 2023
  • Ransom demands varied from $7,000 to $40 million
  • The average ransom demand on financial companies is just under $4.2 million
  • Downtime varied from an hour to 126 days
  • The average downtime from attacks has been consistently high for the past few years (varying from 12 days to 15 days)
  • Insurance companies saw the highest number of attacks (98)
  • BianLian is the most prolific ransomware attack group so far this year, being responsible for six attacks. ALPHV/BlackCat and LockBit dominated in 2023 with 21 and 20 attacks respectively. LockBit also came out on top in 2022 with nine attacks, while Conti was most active in 2021 with 13 attacks.

Financial institutions face an average ransom demand of $4.2 million

Ransom amounts demanded by hackers varied dramatically. Our research uncovered ransoms from $7,000 (demanded by Meow ransomware on CBIZ Benefits & Insurance Services, Inc. in June of this year) up to $40 million (paid in 2021 by CNA Financial Corporation after an attack by Phoenix CryptoLocker).

Unfortunately, information on ransom demands remains limited as many companies don’t disclose the figure and are even less likely to disclose if they’ve paid a ransom.

The top 5 biggest ransom demands in the financial sector

We found ransom figures in 36 confirmed cases with the five largest being:

  1. CNA Financial Corporation, US – $40 million: In March 2021, CNA Financial was attacked by the Phoenix CryptoLocker ransomware gang. Two weeks after it was attacked, the company agreed to pay a colossal ransom demand of $40 million to restore systems. This is the second-highest recorded ransom demand paid across all sectors after an unknown company paid hackers $75 million this year.
  2. One Call, UK – $21.2 million (£15 million): Darkside ransomware group targeted this UK Insurance company in May 2021. No confirmation was given as to whether the company paid the ransom but it did take around 12 days for systems to be restored. Darkside claimed to have stolen customer data including passwords and bank information.
  3. Bank Syariah Indonesia, Indonesia – $20 million: Indonesian Bank Syariah was hit by LockBit ransomware in May 2023. The bank refused to pay a $20 million ransom, which led to 1.5TB of personal and financial data being posted online.
  4. Ministerio de Hacienda, Costa Rica – $10 million: This attack on Costa Rica’s Ministry of Finance, and three other attacks conducted by Conti ransomware on the Costa Rican government, led to the declaration of a national emergency on May 8, 2022. Despite the 672GB data dump in the Ministry of Finance attack, the government refused to pay the $10 million ransom demand.
  5. Toyota Financial Services, Japan – $8 million: The Medusa ransomware gang demanded an $8 million ransom from Toyota Financial Services in November 2023. It appears that although a large amount of financial data was exfiltrated, the ransom demand was refused by the company.

Based on the figures we do have available, we know:

  • Average ransom demand:
    • 2024 (to August) – $1.2m
    • 2023 – $3.5m
    • 2022 – $2.4m
    • 2021 – $20.5m
    • 2020 – $3.3m
    • 2019 – $1.7m
    • 2018 – N/A
  • Ransom demanded (known cases):
    • 2024 (to August) – $8.1 million (7 cases)
    • 2023 – $48.8 million (14 cases)
    • 2022 – $14.5 million (6 cases)
    • 2021 – $61.6 million (3 cases)
    • 2020 – $13.3 million (4 cases)
    • 2019 – $3.4 million (2 cases)
    • 2018 – N/A
  • Ransoms paid
    • 2024 (to August) – 0
    • 2023 – 1
    • 2022 – 3
    • 2021 – 4
    • 2020 – 1
    • 2019 – 1
    • 2018 – 0

Ransom demands are extortionately high for the finance sector. In fact, the average ransom demand is over double that of the healthcare industry, which sees an average demand of just over $2 million despite also being a key industry for holding sensitive data.

Although the legality of paying a ransom is heavily debated, for many organizations it is often seen as the fastest route to restoring operations and minimizing damage. Restricting companies from paying ransoms might deter some attackers, but this alone is not a comprehensive solution.

For example, the UK’s proposed Cyber Security and Resilience Bill could mandate the reporting of ransomware incidents. Such regulations would not only increase transparency but also reduce the stigma around acknowledging these breaches. For financial organizations, mandatory reporting would also ensure that affected customers and stakeholders are promptly informed, offering a clearer path to accountability and awareness across the industry.

The top 5 biggest ransomware attacks on financial institutions based on records affected

As previously mentioned, data theft remains at the core of many ransomware attacks. Given the highly sensitive financial information handled by companies in the financial sector, this data is arguably one of the most lucrative targets for cybercriminals.

Below are the top five most affected financial companies for the number of records affected:

  1. LoanDepot, Jan 2024 (US) – 16.9 million records affected: LoanDepot was targeted by the ALPHV/BlackCat ransomware group in January 2024 but refused to pay its $6 million ransom demand. It took LoanDepot 19 days to restore its systems, with recovery efforts costing $27 million so far, considerably higher than the ransom demanded.
  2. Latitude Financial, March 2023 (Australia) – 14 million records affected: Australian retail bank, Latitude Financial, suffered a massive breach in March 2023 by an unidentified hacking group. The recovery process spanned five weeks with the company reporting recovery costs between $64-$71 million (AUD $95-$105 million).
  3. Banco BCR (Banco de Costa Rica), Feb 2020 – 11 million records affected: The Maze ransomware group hit Banco de Costa Rica in February 2020, exposing 11 million records, including personal credit and debit card data.
  4. Evolve Bank & Trust, May 2024 (US) – 7.6 million records affected: In May 2024, the LockBit ransomware group targeted Evolve Bank & Trust, compromising 7,640,112 records. Although the ransom amount remains undisclosed, Evolve refused to comply with the hackers’ demands, opting instead to focus on recovery.
  5. McCamish Infosys Systems LLC, Oct 2023 (US) – 6.1 million records affected: In October 2023, LockBit also attacked McCamish Infosys Systems, an insurance service provider, affecting 6,078,263 records. The company initially offered $50,000 to the hackers, which was rejected. McCamish then spent 58 days recovering its systems. The company reported $38 million in losses as a result of the attack.

Interestingly, four of these attacks are from 2023/24, which highlights the growing focus on targeting companies with larger databases. So while the number of attacks may be lower, the number of records impacted continues to increase.

The true cost of ransomware attacks on financial entities

Adding to the cost of potentially paying a ransom or dealing with a data breach, many companies spend millions recovering from such an attack. This includes the cost of restoring systems as well as recovering lost revenue.

Out of the 395 attacks we analyzed, we found downtime figures for 101 financial institutions. This ranged from hours to 126 days (suffered by South Africa’s Government Pensions Administration Agency), resulting in an average of 14 days across all years.

Average downtime by year

  • 2024 (to August) – 14.88 days
  • 2023 – 15.17 days
  • 2022 – 12.75 days
  • 2021 – 13.7 days
  • 2020 – 8.25 days
  • 2019 – 8 days
  • 2018 – N/A

A 2017 estimate places the average cost per minute of downtime at $8,662 (across 20 different industries), which suggests that the financial sector could have incurred as much as $62 billion in losses across the 395 attacks we’ve noted.

While high, it is in keeping with some of the costs released by financial companies. As mentioned above, LoanDepot spent $27 million restoring systems in January of this year while McCamish Infosys Systems LLC spent $38 million in October 2023. First American Financial Corporation also spent $11 million recovering systems over 18 days back in December 2023.

Similarly, a 2017 study by Information Technology Intelligence Consulting (ITIC) put the hourly cost of downtime in banking/finance at $9.3 million. This is significantly higher than the estimate we’ve used (which works out at $519,720 per hour). Based on the ITIC figure, downtime from ransomware could have cost finance organizations as much as $1.14 trillion.

The biggest years for ransomware attacks on the financial sector

Since we began collating ransomware attacks in 2018, we noted two spikes in the number of attacks on financial institutions. One occurred in 2021 (which coincides with the pandemic and a peak in ransomware attacks in general) and one in 2023. However, as noted, the number of records impacted has already reached an all-time high this year.

2023 was also a significant year for data breaches via ransomware in the finance sector with over 24.8 million records affected.

The finance sector remains a key target for ransomware hackers

From January to August 2024, we recorded 51 publicly confirmed ransomware attacks on the financial sector around the world, affecting 28.2 million records. This makes the financial industry the most heavily impacted sector this year based on records affected.

The huge attacks on LoanDepot and Evolve Bank & Trust, plus the 199 unconfirmed attacks on this sector this year, highlight how the finance sector remains one of the biggest targets for ransomware gangs.

Methodology

Using the database from our worldwide ransomware attack map, our research found 395 financial companies affected by ransomware attacks in total. From this data, we were able to determine ransom amounts, whether or not ransoms were paid, and the downtime caused.

Where no specific downtime figure was given and only phrases such as “several days,” “one month” or “back to 80% after 6 weeks” were quoted, we estimated downtime using the lowest figure the phrase could reasonably mean. For example, “several days” was counted as 3 days, “one month” as the number of days in the month in which the attack happened, and for percentage-recovery statements we used the number of weeks quoted (6 weeks in the previous example).
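The downtime-estimation rule described above can be written as a small normalizer, shown here as an added example rather than the report’s own tooling. It applies the same conservative (lowest plausible) reading: “several” becomes 3, “one month” becomes the length of the attack month, and a percentage-recovery statement is reduced to its week count. The phrase list, the word-to-number table and the function names are assumptions made for illustration; the sample statements are constructed.

```python
"""Downtime-estimation heuristic (added example, not the report's own code).

Maps vague downtime statements to a conservative (lowest plausible) number of
days, following the rules the methodology section describes. The phrase list
and the word-to-number table below are assumptions for illustration.
"""
import calendar
import re
from datetime import date
from typing import Iterable, Optional, Tuple

# Assumed word-to-number table for number words that commonly appear in reports.
_WORDS = {"one": 1, "a": 1, "an": 1, "two": 2, "three": 3, "four": 4, "five": 5,
          "six": 6, "seven": 7, "eight": 8, "nine": 9, "ten": 10}

# Vague quantity words and the lowest figure assigned to them ("several" = 3, per the methodology).
_VAGUE = {"several": 3, "a few": 3, "few": 3, "a couple of": 2, "couple of": 2}

# Unit conversion to days; hours are kept as fractions of a day.
_UNIT_DAYS = {"hour": 1 / 24, "day": 1, "week": 7}

# "<quantity> <unit>" with an optional plural; the percentage in
# "back to 80% after 6 weeks" is simply not part of the match, so only the week count is used.
_QTY_UNIT = re.compile(
    r"\b(several|a few|few|a couple of|couple of|\d+(?:\.\d+)?|[a-z]+)\s+(hour|day|week)s?\b"
)
_ONE_MONTH = re.compile(r"\b(one|a|an)\s+month\b")


def _to_number(token: str) -> Optional[float]:
    """Convert a vague word, a number word or a numeral to a float; None if unrecognized."""
    token = token.strip().lower()
    if token in _VAGUE:
        return float(_VAGUE[token])
    if token in _WORDS:
        return float(_WORDS[token])
    try:
        return float(token)
    except ValueError:
        return None


def estimate_downtime_days(statement: str, attack_date: date) -> Optional[float]:
    """Return the lowest-plausible downtime in days for a reported statement, or None."""
    text = statement.strip().lower()

    # "one month" / "a month": the number of days in the month the attack happened.
    if _ONE_MONTH.search(text):
        return float(calendar.monthrange(attack_date.year, attack_date.month)[1])

    # Otherwise take the first "<quantity> <unit>" pair whose quantity we can read.
    for match in _QTY_UNIT.finditer(text):
        qty = _to_number(match.group(1))
        if qty is not None:
            return qty * _UNIT_DAYS[match.group(2)]

    # Statements like "two months" or "unknown" are left unestimated rather than guessed.
    return None


def average_downtime(records: Iterable[Tuple[str, date]]) -> Optional[float]:
    """Mean of the estimable downtimes in (statement, attack_date) pairs; None if none are estimable."""
    values = [d for d in (estimate_downtime_days(s, a) for s, a in records) if d is not None]
    return sum(values) / len(values) if values else None


if __name__ == "__main__":
    # Constructed sample statements in the shapes the methodology mentions.
    samples = [
        ("several days", date(2023, 5, 10)),
        ("one month", date(2020, 2, 15)),
        ("back to 80% after 6 weeks", date(2021, 3, 1)),
        ("12 days", date(2024, 1, 8)),
        ("an hour", date(2024, 6, 1)),
        ("not disclosed", date(2022, 9, 1)),
    ]
    for statement, when in samples:
        print(f"{statement!r:32} -> {estimate_downtime_days(statement, when)}")
    print("average:", average_downtime(samples))
```

Unrecognized statements return None and are excluded from the average rather than being counted as zero, which is the behaviour a conservative estimate needs: a missing figure should not pull the yearly average down.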

Our data focuses on confirmed ransomware attacks only.

Data researcher: Charlotte Bond