
Obtaining customer data is the focus for finserv ransomware attacks

The financial services industry, which is one of the most highly regulated business sectors, is heavily targeted by ransomware groups and that trend has increased throughout 2022, Erick Galinkin, principal researcher at Rapid7, writes.

Erick Galinkin
Tue, 01 Nov 2022

In June this year, the Anti-Phishing Working Group reported that while most sectors saw a decrease in the overall number of ransomware attacks, there was a 35 per cent increase in the financial services sector.

In addition to Rapid7’s threat intelligence platform, which continuously scans the clear, deep, and dark web for data on cyber threats, we recently conducted research into the types of data that threat actors disclose about their victims. The data points in this research came from the threat actors themselves, making it a rare glimpse into their actions, motivations, and preferences.

The Ransomware Data Disclosure Trends research report considers how double extortion ransomware actors use not only the encryption and ransom demands of traditional ransomware to extort victims, but also how stolen data can be targeted and disclosed to coerce victims. This additional coercive pressure makes conventional ransomware defences like backups less effective. Curiously, we found that the specific types of data released varied by industry.


For example, in the healthcare and pharmaceutical industries, as with most other industries, it was internal financial information (71 per cent) that was the primary focus of threat actors. A unique finding in healthcare and pharmaceuticals compared to other industries was the disclosure of customer or patient information (58 per cent), and the unusually strong emphasis on intellectual property in the pharmaceuticals sector of this vertical (43 per cent).

Customer data is the prime target for finserv ransomware

When we looked at financial services, something interesting stood out: customer data — not necessarily the company’s internal financial information — was found in the overwhelming majority of data disclosures (82 per cent). It seems the threat actors were more interested in leveraging the public’s implied trust in financial services companies to keep their personal financial information private, than they were in exposing the company’s own financial information.

Since much of the damage done by ransomware attacks — or really any cyber security incident — lies in the erosion of trust in that institution, it appears threat actors are seeking to hasten that erosion with their initial data disclosures. The financial services industry is one of the most highly regulated industries in the market, entirely because it holds the financial health of millions of people in its hands. Breaches at these institutions tend to have outsized impacts.

Employee info also at risk

The next most commonly disclosed form of data in the financial services industry was personally identifiable information (PII) and HR data. This is personal data of those who work in the financial industry and can include identifying information such as Medicare numbers and the like. Some 59 per cent of disclosures from this sector included this kind of information.

This appears to indicate that threat actors want to undermine the company’s ability to keep its own employees’ data safe, and that can be corroborated by another data point: in some 29 per cent of cases, data disclosure signalled reconnaissance for future IT attacks as the motive. Threat actors want financial services companies and their employees to know that they are and will always be a major target. Other criminals can use information from these disclosures, such as credentials and network maps, to facilitate future attacks.

As with the healthcare and pharmaceutical sectors, our data showed some interesting and unique trends among threat actors, giving us some indications about why they choose the data they choose to disclose.

Erick Galinkin is the principal researcher at Rapid7.
