Editorial & Advertiser disclosure

Global Banking & Finance Review® is an online platform offering news, analysis, and opinion on the latest trends, developments, and innovations in the banking and finance industry worldwide. The platform covers a diverse range of topics, including banking, insurance, investment, wealth management, fintech, and regulatory issues. The website publishes news, press releases, opinion and advertorials on various financial organizations, products and services which are commissioned from various Companies, Organizations, PR agencies, Bloggers etc. These commissioned articles are commercial in nature. This is not to be considered as financial advice and should be considered only for information purposes. It does not reflect the views or opinion of our website and is not to be considered an endorsement or a recommendation. We cannot guarantee the accuracy or applicability of any information provided with respect to your individual or personal circumstances. Please seek Professional advice from a qualified professional before making any financial decisions. We link to various third-party websites, affiliate sales networks, and to our advertising partners websites. When you view or click on certain links available on our articles, our partners may compensate us for displaying the content to you or make a purchase or fill a form. This will not incur any additional charges to you. To make things simpler for you to identity or distinguish advertised or sponsored articles or links, you may consider all articles or links hosted on our site as a commercial article placement. We will not be responsible for any loss you may suffer as a result of any omission or inaccuracy on the website.

Home > Technology > The cyber criminals holding the financial sector to ransom

The cyber criminals holding the financial sector to ransom

Published by Gbaf News

Posted on July 17, 2018

9 min read

Last updated: January 21, 2026

Battery production facility of Northvolt amid bankruptcy financing efforts - Global Banking & Finance Review — Image of Northvolt's battery manufacturing facility, highlighting its ongoing efforts to secure bankruptcy financing for restructuring and continuing operations in the EV battery market.

By Niall Sheffield, Lead Solutions Architect at SentinelOne

With its ability to cripple an organisation after a single click, ransomware has emerged as one of the leading cyber threats facing organisations in recent years.

The abundance of high value information owned by financial organisations means they are more threatened by attackers looking to steal data rather than encrypting it. However, the financial services industry is still at serious risk of ransomware, and research from SentinelOne revealed that 49 percent of organisations had been hit with attacks in the last 12 months alone.

The research carried out in February 2018 surveyed security and risk professionals at 500 businesses on their experiences with ransomware. Of the respondents in the financial services industry, 28 percent had been targeted by at least 5-6 attacks in the last year alone.

Breaking down the costs

The cost of a ransomware infection can escalate extremely quickly. Even if the firm does not or cannot pay the ransom demand, lost revenue from the downtime and the time and resources needed to contain the outbreak and restore back-ups can add up to hundreds of thousands of pounds.

SentinelOne’s research found the average total cost of a ransomware infection in the financial sector was £467,748 for the last 12 months. Further, 14 percent of respondents had suffered total costs of a staggering £1m to £1.5m. SentinelOne estimates that ransomware attacks cost UK businesses a combined £356m over the last year.

When it comes to the actual ransom demand, 17 percent of respondents in the financial sector stated they had paid the full ransom each time they were compromised by an attack.The average value of the ransoms paid by the industry over the last 12 months stood at £37,812 – slightly higher than the overall average across all sectors of £34,845.

No honour among thieves

Paying a ransom is an extremely risky choice and there are many incidents where attackers have not decrypted the files even after taking the money. While this is sometimes a final act of malice by the criminal, the failure to honour the deal is often because the ransomware was poorly constructed and is unable to decrypt the files.

One of the most recent examples of this issue was the Thanatos ransomware, which demanded a payment in bitcoins. The malware created new keys for each encryption but failed to save them anywhere, making it impossible for the perpetrators to undo their damage.

Giving into the criminal’s demands also helps to perpetuate the threat, as each ransom paid adds credence to the notion that ransomware is a reliable money-maker.

While the total amount paid tended to be higher, the financial services sector stands as one of the most resistant to giving into payment demands.66 percent of respondents stated they had not paid any of the ransoms in the last 12 months and were able to restore their operations via rolling back to a prior date or decrypting the files. This was significantly higher than the 46 percent average across other business sectors.

Preventing an outbreak

While it is encouraging that so many financial services firms were able to avoid ransoms by restoring their own systems, this is still a costly process. SentinelOne’s research found that the amount of time spent decrypting ransomware attacks stood at an average of 40 man-hours, an increase from 33 man-hours in 2016. The extra resources required to resolve the crisis, along with the cost of disruption, means that resolving an infection is still apyrrhic victory.

Instead, businesses are much better served by ensuring they can prevent an outbreak from occurring at all. The majority of attacks begin by compromising a single endpoint device before moving laterally through the network, so endpoints should be the focus on defensive efforts.

The key to preventing an infection taking hold is to spot the malware the moment it tries to start digging into the system. This can be achieved by scanning the system’s binary for the unique activity undertaken by ransomware, such as binary entropy, a sign of the obfuscation and packing activity common in ransomware.

Identifying activity such as scanning the hard drive, rapidly initiating file encryption, and editing shadow copies will also quickly reveal a ransomware attack has begun. Behavioural analytics is very useful here, as typical ransomware activity is quite distinct from normal user behaviour and therefore easily identified. Catching these signifiers in real time means the attack can be shut-down before it spreads to the network and the infected endpoint can then be restored.

By equipping themselves with the ability to identify and stop a ransomware attack as soon as it begins, financial organisations can protect their valuable data from being encrypted and prevent disruption to their services. While the sector is further along this journey than many others, this ability must be universal if the threat of ransomware is to be truly defeated.

By Niall Sheffield, Lead Solutions Architect at SentinelOne

With its ability to cripple an organisation after a single click, ransomware has emerged as one of the leading cyber threats facing organisations in recent years.

The abundance of high value information owned by financial organisations means they are more threatened by attackers looking to steal data rather than encrypting it. However, the financial services industry is still at serious risk of ransomware, and research from SentinelOne revealed that 49 percent of organisations had been hit with attacks in the last 12 months alone.

The research carried out in February 2018 surveyed security and risk professionals at 500 businesses on their experiences with ransomware. Of the respondents in the financial services industry, 28 percent had been targeted by at least 5-6 attacks in the last year alone.

Breaking down the costs

The cost of a ransomware infection can escalate extremely quickly. Even if the firm does not or cannot pay the ransom demand, lost revenue from the downtime and the time and resources needed to contain the outbreak and restore back-ups can add up to hundreds of thousands of pounds.

SentinelOne’s research found the average total cost of a ransomware infection in the financial sector was £467,748 for the last 12 months. Further, 14 percent of respondents had suffered total costs of a staggering £1m to £1.5m. SentinelOne estimates that ransomware attacks cost UK businesses a combined £356m over the last year.

When it comes to the actual ransom demand, 17 percent of respondents in the financial sector stated they had paid the full ransom each time they were compromised by an attack.The average value of the ransoms paid by the industry over the last 12 months stood at £37,812 – slightly higher than the overall average across all sectors of £34,845.

No honour among thieves

Paying a ransom is an extremely risky choice and there are many incidents where attackers have not decrypted the files even after taking the money. While this is sometimes a final act of malice by the criminal, the failure to honour the deal is often because the ransomware was poorly constructed and is unable to decrypt the files.

One of the most recent examples of this issue was the Thanatos ransomware, which demanded a payment in bitcoins. The malware created new keys for each encryption but failed to save them anywhere, making it impossible for the perpetrators to undo their damage.

Giving into the criminal’s demands also helps to perpetuate the threat, as each ransom paid adds credence to the notion that ransomware is a reliable money-maker.

While the total amount paid tended to be higher, the financial services sector stands as one of the most resistant to giving into payment demands.66 percent of respondents stated they had not paid any of the ransoms in the last 12 months and were able to restore their operations via rolling back to a prior date or decrypting the files. This was significantly higher than the 46 percent average across other business sectors.

Preventing an outbreak

While it is encouraging that so many financial services firms were able to avoid ransoms by restoring their own systems, this is still a costly process. SentinelOne’s research found that the amount of time spent decrypting ransomware attacks stood at an average of 40 man-hours, an increase from 33 man-hours in 2016. The extra resources required to resolve the crisis, along with the cost of disruption, means that resolving an infection is still apyrrhic victory.

Instead, businesses are much better served by ensuring they can prevent an outbreak from occurring at all. The majority of attacks begin by compromising a single endpoint device before moving laterally through the network, so endpoints should be the focus on defensive efforts.

The key to preventing an infection taking hold is to spot the malware the moment it tries to start digging into the system. This can be achieved by scanning the system’s binary for the unique activity undertaken by ransomware, such as binary entropy, a sign of the obfuscation and packing activity common in ransomware.

Identifying activity such as scanning the hard drive, rapidly initiating file encryption, and editing shadow copies will also quickly reveal a ransomware attack has begun. Behavioural analytics is very useful here, as typical ransomware activity is quite distinct from normal user behaviour and therefore easily identified. Catching these signifiers in real time means the attack can be shut-down before it spreads to the network and the infected endpoint can then be restored.

By equipping themselves with the ability to identify and stop a ransomware attack as soon as it begins, financial organisations can protect their valuable data from being encrypted and prevent disruption to their services. While the sector is further along this journey than many others, this ability must be universal if the threat of ransomware is to be truly defeated.