Cyberthreats in the financial industry: H2 2023 – H1 2024

Financial organizations remain one of the most attractive targets for cybercriminals. In the first half of 2024, they ranked in the top five sectors by the number of recorded information security incidents. In this study, we will look at how malicious actors operate and what impact their actions have on financial organizations; what role darknet markets play; what events are considered non-tolerable for financial organizations, and how to prevent them.
Anna Golushko
Senior Analyst, Research Group of PT Cyber Analytics

Introduction

Financial organizations remain one of the most attractive targets for cybercriminals. In the first half of 2024, they ranked in the top five sectors by the number of recorded information security incidents. However, in the same period, global statistics showed a 36% decrease in the number of publicly disclosed successful cyberattacks on financial institutions compared to the same period in 2023, suggesting an overall improvement in the security of financial sector infrastructure. On the other hand, a significant portion of cyberattacks on the financial sector may be kept hidden from public attention, surfacing only in announcements on the dark web forums. For example, in the first half of 2024, there were five times more postings on darknet markets than publicly disclosed incidents.

Financial organizations play a vital role in a country's economy, supporting its stability and growth. They are involved in ensuring financial flows for the execution of international government contracts, in regulating monetary policy, and in maintaining the stability of the national currency. Their activities not only contribute to macroeconomic stability but also promote the development of production and trade by providing companies with access to capital and conducting secure financial operations. Banks and credit institutions support a stable money circulation in the economy and loans to businesses and consumers. Thus, financial organizations face the challenge of ensuring the stability of services and protecting assets for citizens, businesses, and the state, which entails such tasks as preserving the confidentiality of data provided and minimizing risks in storing funds and conducting transactions.

In this study, we will look at how malicious actors operate and what impact their actions have on financial organizations; what role darknet markets play; what events are considered non-tolerable¹ for financial organizations, and how to prevent them.

  1. A non-tolerable event is an event caused by a cyberattack that prevents the organization from achieving its operational or strategic goals or leads to significant disruption of its core business.

About this report

This study presents the current global landscape of financial sector cyberthreats, based on data on successful cyberattacks from the second half of 2023 and the first half of 2024. During our investigation into darknet markets, we analyzed 330 sources, including Telegram channels and dark web forums with a total of over 180 million users and more than 827 million messages. The sample comprised the largest platforms in various languages and with diverse thematic focuses. The darknet market analysis reviewed postings made from the second half of 2023 to the second half of 2024.

The financial organizations analyzed include banks, insurance companies, credit institutions, payment system operators, securities market participants, microfinance organizations, investment funds, and others.

This study contains information on current global cybersecurity threats based on Positive Technologies' own expertise, investigations, and reputable sources. This report considers each mass attack (for example, phishing emails sent to multiple addresses) as one incident, not several.

How financial organizations are attacked

Financial institutions play a crucial role in the economy and amid escalating geopolitical conflicts frequently become targets for hacktivists and financially motivated groups. Since many financial organizations work closely with government agencies, they are also prime targets for APT groups, which carefully plan attacks to acquire sensitive information or disrupt business processes.

Malware remains the primary tool for attackers targeting financial organizations. According to our data, in the first half of 2024 the share of successful cyberattacks using malware increased by 12 p.p. compared to the same period in the previous year and by 10 p.p. compared to the previous half-year. For instance, in November 2023, the U.S. division of the world's largest bank by assets, the Industrial and Commercial Bank of China (ICBC), was hit by a LockBit ransomware attack, disrupting trading in the U.S. Treasury bond market.

Figure 1. Methods for compromising the information infrastructure of financial organizations (H1 2023–H1 2024)

Different types of malware are used to achieve different goals. Attackers select the appropriate malware depending on what channels are available for infiltrating and establishing a foothold within the target organization’s infrastructure. The MaaS (malware as a service) business model, in which malicious actors provide their clients with the required malware and infrastructure for a fee, has grown increasingly popular.

Remote access trojans: the cybercriminal’s Swiss Army knife

In the first half of 2024, cybercriminal interest in using remote access trojans (RATs) in attacks on financial organizations surged, with this type of malware used in 33% of successful cyberattacks—three times more than in the same period in 2023.

Figure 2. Types of malware in successful attacks on financial institutions (H1 2023–H1 2024)

RATs are a versatile type of malware with a wide range of capabilities. They can be used to steal, modify, or delete information on a device, gain entry into a network and further develop an attack. Notably, most trojans have spyware features: they can secretly record users' screens, track their location, and log keystrokes. This functionality is widely used by APT groups, making RATs a hallmark not only of ransomware operators but also of cyberespionage actors. The rise in RAT-based attacks, as well as various offers of complete sets of remote management tools on darknet markets, highlight the great interest of cybercriminals in this type of malware. According to ANY.RUN, RATs were the most widespread malware in Q2 2024.

Let's look at a specific case: in March 2024, Visa's Payment Fraud Prevention team alerted card issuers and acquirers to a new campaign distributing an updated version of the JSOutProx malware, targeting financial institutions and their clients in Africa, South and Southeast Asia, and the Middle East. A key feature of this campaign was the use of GitLab to store the payload. Both GitLab and GitHub have become a common way to host and distribute malware among victims. In Q1 2024, another malware, Venom RAT, was frequently used in attacks on companies across various sectors, including the financial sector, in North and Latin American countries. These attacks were linked to the APT group TA558, which used phishing emails to distribute Venom RAT—a more advanced version of Quasar RAT, capable of stealing sensitive data and remotely controlling systems. 

There are often cases where attacks were directed at companies in a specific country. For example, in spring 2024, Brazilian banks became targets of AllaSenha, a Windows RAT based on the malware AllaKore, which was previously used to attack financial institutions in Mexico. The attackers sent phishing emails to spread the malware and used the Microsoft Azure cloud computing platform to control infected devices. After compromising a victim's device, they employed quishing² to authorize fraudulent transactions.

In late 2023, many Russian companies, including those in the banking sector, were attacked by the DarkCrystal RAT. The attackers aimed to infiltrate internal financial and legal systems, as well as gain access to client databases and corporate accounts.

  2. Quishing (QR phishing) is a type of phishing attack in which attackers use QR codes to trick users into opening malicious websites. Users scan a QR code and enter their details on a phishing page.

Ransomware attacks

According to our data, for several years now, ransomware has been the most used malware in attacks on financial institutions. However, in the first half of 2024, the share of publicly disclosed ransomware attacks on financial organizations dropped to 41%, down 28 p.p. from the same period last year.

From H2 2023 to the end of H1 2024, U.S. financial organizations were the most frequent targets, accounting for half of all ransomware attacks. In June 2024, a LockBit ransomware attack on Evolve Bank exposed the personal information of over 7.6 million people. However, Operation Cronos, conducted in February, led to the seizure of LockBit's infrastructure, resulting in the recovery of over 7,000 decryption keys. This allowed many victims to decrypt their data.

LockBit is one of the most popular ransomware strains, but other ransomware, including Medusa, KillSec, Play, RansomHub, RansomHouse, ALPHV (BlackCat), and Cactus, were also frequently found in attacks on financial institutions during the period under review. For example, on one dark web forum, the Medusa group announced a successful attack on the Indonesian Bank Pembangunan Daerah Banten, resulting in the theft of over 100 GB of data, including client financial information.

Figure 3. Announcement about the Medusa attack in Indonesia

Infostealers and droppers

From H2 2023 to mid-2024, one in five malware attacks also included spyware. For example, starting in October 2023, over a hundred organizations in the U.S. and Europe were infected with the StrelaStealer malware, which steals email credentials. According to Unit42, the latest campaign is notable in that the infostealer is distributed via ZIP files sent from email addresses in the target countries. Originally, when StrelaStealer first appeared in 2022, it spread through ISO images.

Russian and CIS financial institutions have also faced spyware attacks. In June 2024, APT groups were reported to have sent fake resumes of IT specialists and labor conditions assessment documents to Russian financial organizations to distribute the XDigo infostealer. Additionally, in the first half of 2024, Positive Technologies Expert Security Center (PT ESC) identified attacks by the Lazy Koala group on companies in the financial sector and other industries in Russia and CIS countries. This group used phishing emails to spread LazyStealer, malware designed to steal browser credentials and send them to a Telegram bot.

In the first half of 2024, we observed a decrease in the number of successful dropper attacks. Their share fell more than threefold compared to the same period last year. This decline is due not only to changes in attacker interests but also to the success of cybercrime countermeasures. For example, in May 2024, the international Endgame program led to the exposure and arrest of several initial access brokers (IABs). As a result, over 100 cybercriminal servers were seized, and about 40,000 infected devices were cleaned. These seized servers were actively used to spread droppers, which typically delivered other types of malware, particularly ransomware, to target devices. Such operations will reduce the number of attacks in the short term, though attackers may resume their activities in the future.

Social engineering and phishing

Phishing and social engineering were used as a penetration vector in 65% of successful attacks on financial organizations in H1 2024. This is a more than twofold increase compared to the same period last year. For example, the JSOutProx RAT, mentioned earlier in this report, was spread using these two techniques. According to a study by Resecurity, organizations were sent phishing emails containing SWIFT transaction information and a ZIP archive. The archive included the JSOutProx script disguised as a PDF file. After opening the file, the device became infected with malware. For example, such a phishing email was sent to the National Bank for Agriculture and Rural Development in India.

Figure 4. Example of a phishing email sent to the National Bank for Agriculture and Rural Development in India, containing the JSOutProx malware. Source: Resecurity
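The lure described above, a ZIP attachment carrying a script that is displayed as a PDF, is something a mail gateway or SOC triage script can check for before the file reaches a user. The following is an added example and not code from the report or from Positive Technologies or Resecurity: it builds constructed sample archives in memory (the member names are hypothetical and not taken from the real JSOutProx campaign) and flags members whose name or content disagrees with the document type they claim to be.

```python
"""Triage of ZIP mail attachments for disguised scripts (added example, constructed data)."""
import io
import zipfile

# Leading bytes a genuine file of the claimed type must start with.
MAGIC = {
    ".pdf": b"%PDF-",
    ".zip": b"PK\x03\x04",
}

# Extensions that Windows runs as a script or program on double-click.
SCRIPT_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".exe",
               ".scr", ".bat", ".cmd", ".ps1", ".lnk"}

# Extensions a user expects to open as a harmless document.
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt"}


def _suffixes(name):
    """All dot suffixes of a member name, lower-cased: 'a.pdf.js' -> ['.pdf', '.js']."""
    base = name.rsplit("/", 1)[-1]
    parts = base.lower().split(".")
    return ["." + p for p in parts[1:]] if len(parts) > 1 else []


def triage_zip(data):
    """Inspect a ZIP attachment given as bytes; return a list of (member, reason) findings."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            sufs = _suffixes(info.filename)
            final = sufs[-1] if sufs else ""
            head = zf.open(info).read(8)
            # Double extension: a document-looking name that actually ends in an executable type.
            # With "hide known extensions" enabled, Windows shows 'report.pdf.js' as 'report.pdf'.
            if len(sufs) >= 2 and sufs[-2] in DOCUMENT_EXTS and final in SCRIPT_EXTS:
                findings.append((info.filename,
                                 "document-looking name with executable extension %s" % final))
            elif final in SCRIPT_EXTS:
                findings.append((info.filename, "script or executable member %s" % final))
            # Claimed document type whose bytes do not carry the expected file signature.
            if final in MAGIC and not head.startswith(MAGIC[final]):
                findings.append((info.filename,
                                 "content does not match claimed type %s" % final))
    return findings


def build_sample(members):
    """Construct an in-memory ZIP from {name: bytes}; used only to create the samples below."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples: a double-extension script, a "PDF" holding script text, and a real PDF header.
LURE_DOUBLE_EXT = build_sample(
    {"SWIFT_transaction_copy.pdf.js": b"var a = 1; // constructed placeholder, not malware"})
LURE_FAKE_PDF = build_sample(
    {"SWIFT_transaction_copy.pdf": b"WScript.Echo('constructed placeholder');"})
BENIGN = build_sample({"statement.pdf": b"%PDF-1.7\n%constructed minimal header\n"})

if __name__ == "__main__":
    for label, blob in (("double extension", LURE_DOUBLE_EXT),
                        ("fake pdf", LURE_FAKE_PDF), ("benign", BENIGN)):
        print(label, triage_zip(blob))
```

Nested archives are not unpacked here; a production gateway would recurse into members that match the `.zip` signature.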

Throughout the entire period under review, in order to compromise employee credentials in financial organizations, attackers sent phishing emails disguised as messages from Docusign, a widely used document e-signature service. According to Enlyft, financial sector organizations are Docusign's most frequent clients. For example, in the first half of 2024, PT ESC experts detected multiple attempts to compromise banks in Russia and Armenia by requesting document signatures via Docusign. Attackers sent emails with an attached PDF containing a QR code and a request to sign a document.

Figure 5. Example of a document signature request in a phishing email sent to a Russian bank
Figure 6. Example of a phishing message mimicking an e-signature request sent to a bank in Armenia

According to Docusign, in the phishing emails attackers often approached employees requesting signatures for benefit policy documents and sometimes impersonated Microsoft.

Figure 7. Example of a document signature request in a phishing email apparently from Microsoft

Another major phishing campaign organized by the group Scattered Spider hit dozens of U.S. financial companies in H1 2024. Among those affected were well-known companies such as Visa, PNC, and Transamerica. To carry out their attacks, the group used lookalike domains mimicking organizations' Okta and content management system (CMS) login pages. This subsequently allowed Scattered Spider to carry out SIM-swapping attacks, leading to breaches of confidential corporate information.

In many financial institutions, measures are in place to limit the use of social media and messengers. For this reason, email was the primary channel for spreading phishing emails and malware during the reviewed period. The share of malware spread through email increased from 49% in H1 2023 to 66% by mid-2024.

Figure 8. Primary channels for malware distribution in financial organizations

In some cases, attackers sought to compromise the devices of developers and cybersecurity specialists working in fintech companies. To do this, they sent phishing messages offering a position at a major American company, with a test task included. For example, in the first half of 2024, many IT specialists in Brazilian fintech and other companies were subject to phishing through social media. The specialists received emails with links to GitHub repositories, where they were supposed to download the task. In fact, they just ended up downloading malicious Python packages and malware droppers. 

Vulnerability exploitation

In the first half of 2024, 25% of successful attacks on financial organizations involved vulnerability exploitation, a 7 p.p. increase from the previous year. PT ESC experts found that attackers compromised about 30 companies across Africa, the Middle East, and Russia, including banks, by exploiting Microsoft Exchange mail server vulnerabilities. A keylogger embedded on the Microsoft Exchange server homepage allowed attackers to covertly capture credentials. These compromised credentials could then be used to develop a targeted attack on the company.

The most active exploitation of vulnerabilities occurred in the second half of 2023, when this method accounted for 45% of successful attacks on financial organizations. During this period, attackers compromised numerous systems using a vulnerability in MOVEit software that began to be widely exploited in mid-2023. For example, as a result of this vulnerability, Standard Insurance suffered a data breach affecting over 300,000 clients, while Pathward Bank experienced a breach exposing the personal data of over 800,000 clients. The vulnerability in MOVEit also led to the compromise of the infrastructure of New York Life Insurance and several other U.S. banks.

Vulnerabilities on the external perimeter often allow attackers to compromise financial organizations' infrastructure. For example, in H2 2023, cases were recorded involving the exploitation of the Citrix Bleed vulnerability (CVE-2023-4966) in Citrix Gateway device software. Among the victims was Toyota Financial Services (TFS), a subsidiary of Toyota Motor Corporation. Some TFS systems in Europe and Africa were compromised because the Citrix devices had not received the patch fixing the bug. The Medusa ransomware group claimed responsibility for the attack. The criminals posted on a dark web forum, demanding a ransom of $8 million to not release the stolen data.

Vulnerabilities in software, configurations, and the proprietary code of systems and services, as well as weaknesses in authentication, increase the risk of a financial organization's infrastructure being compromised, enabling attackers to gain access and establish persistence. And this, in turn, can allow them to trigger non-tolerable events. Vulnerabilities in code, configuration, and architecture make it easier to deploy malware and carry out living-off-the-land (LOTL) attacks—the unauthorized use of legitimate libraries, binaries, and drivers. Such attacks are challenging to detect, requiring cutting-edge solutions in the infrastructure, equipped with behavioral analysis capabilities powered by machine learning.

Analysis of the dark web: which organizations were most exposed?

The largest number of listings on dark web forums from mid-2023 to the end of H1 2024 were related to organizations in Europe (27%), Asia (24%), and North America (17%). We observed a decline in mentions of Russian financial sector organizations: only 4% of posts targeted financial companies in Russia and the CIS, a 10 p.p. decrease compared to the first half of 2023. Additionally, the share of posts not linked to a specific region fell to 7%, a significant drop of 29 p.p. This suggests that attacks on the financial sector have become more targeted.

Figure 9. Distribution of messages on dark web platforms by the geography of compromised organizations (H2 2023–H1 2024)

During this period, banking organizations were the most frequent victims of cyberattacks. Analysis of posts on dark web forums and Telegram channels from mid-2023 through the end of H1 2024 revealed that 65% of posts were related specifically to banking organizations, including both federal and regional banks in 52 countries worldwide.

Figure 10. Categories of financial organizations mentioned in darknet market posts (H2 2023–H1 2024)

The remaining targeted financial organizations on darknet markets include insurance companies (11%), credit organizations (6%), payment system operators (2%), and other enterprises (16%), such as securities market participants and investment funds.

Hacktivist-driven DDoS attacks

Among the dark web forum postings we analyzed, the largest share belonged to cybercriminals' announcements about DDoS attacks on financial organizations, accounting for 30% of posts. During the period under review, financial organizations in Europe (60%), the Middle East (18%), and Asia (17%) were most frequently hit by DDoS attacks.

Figure 11. Topics of messages on dark web platforms in the context of attacks on financial organizations (H2 2023–H1 2024)

The most frequent victims of DDoS attacks were banks. Every second post related to banking organizations revealed details of DDoS attacks conducted by cybercriminal groups.

Figure 12. Topics of messages on dark web platforms in the context of attacks on financial organizations (H2 2023–H1 2024)

The high interest in DDoS attacks on banking organizations is explained by heightened international geopolitical conflicts. This interest is connected with the activities of hacktivist groups targeting the financial sector, which plays an essential role in the stability of national economies. Banks, stock exchanges, and payment system operators play particularly important roles, as stable operations here are crucial for financial transactions in both domestic and international markets.

Figure 13. Telegram post about a DDoS attack on an Indian bank

Customer data theft and encryption

The second most common topic of posts on dark web forums during the observed period was offers of stolen databases. Such posts amounted to 26% of the total. Financial organizations in Asia (42%), the Middle East (10%), and Russia (10%) most frequently faced data breaches. The Asian region leads in database offerings on darknet markets, not only within the financial sector but also across other industries, such as the public sector. The highest number of posts about distributing or selling data in this region was recorded for Indian (20%), Chinese (8.5%), and Indonesian (5.5%) financial organizations.

The main victims of data breaches and ransomware attacks are insurance companies, credit organizations, and banks, with every fifth bank affected. Though DDoS attacks on insurance and credit organizations generally don't have the same impact as those on the banking sector, these categories of financial institutions hold large volumes of client data, making them attractive to cybercriminals.

From mid-2023 to mid-2024, more than half of the stolen databases (53%) were offered for free on the dark web forums. In 40% of posts, the data was offered for sale, while buyers' requests for the data of financial organizations comprised only 7% of posts.

Figure 14. Distribution of messages about databases from financial organizations by type (H2 2023–H1 2024)

In nearly half of the data sale offers (46%), no price was specified; in these cases, cybercriminals negotiate the price with potential buyers individually. For example, in June 2024, a dark web forum put up for sale databases from 20 banks in the UAE, totaling several hundred thousand lines.

Figure 15. Sale of UAE bank databases

In half of the listings where a price was specified, the cost of the database did not exceed a thousand dollars. The overall price trend from mid-2023 to mid-2024 largely aligns with the trends observed in our previous study, where we summarized the interim results for Q1–Q3 2023.

Figure 16. Cost of databases on dark web platforms (H2 2023–H1 2024)

For example, in May 2024, a listing appeared on a dark web forum for the sale of customer data from various banks located in Cameroon. According to the attackers, the data included first and last names, phone numbers, postal codes, bank names, issued card types, and other details. The cybercriminals set a price of only $100 for a database containing up to 10,000 records and $200 for a batch of up to 20,000 records.

Figure 17. An ad on a dark web forum selling data stolen from banks in Cameroon (Africa)

Nearly 10% of the listings were high-priced offers exceeding $10,000. For example, in the first half of 2024, the American insurance giant QuoteWizard experienced a data breach. Confidential information on more than 190 million individuals, including personal details, full names, partial credit card numbers, driver's licenses, and other data, was put up for sale. Additionally, the stolen materials reportedly contained over 3 billion tracking pixel records, which included addresses, ages, mobile device information, and details on accident causes. The hacker provided a few sample records from the database and demanded a ransom of $2 million. QuoteWizard later sent notifications to their clients regarding the breach of their personal data.

Figure 18. Ad selling data of insurance company QuoteWizard

As previously noted, many financial organizations face ransomware attacks. Attackers deploy malware in the organization's infrastructure, gather available data from file servers, data repositories, databases, production server event logs and other sources, and then encrypt the captured resources to prevent access. They then blackmail the victim, threatening to publish or sell the stolen data if the ransom is not paid, often sharing their plans or results on dark web forums. They announce that a certain company has been hacked and warn that the data will be made public if the ransom isn't paid. We classify such posts as ransom announcements, which, according to our data, appear in one out of every five posts on dark web forums.

Half of all ransomware announcements concern financial organizations in North America, 20% in Asian countries, and 8% in Europe. The leading countries for ransomware attacks in this period are the U.S. (52%), Indonesia (5%), India (4%), Canada (3.5%), and the UK (5%). The high rate of ransomware attacks on U.S. financial institutions could be related to the fact that breaches of personal data in the U.S. are subject to regulatory penalties proportional to the company's turnover. This increases the chances of successful extortion and ransom payment, as firms want to avoid lawsuits, fines, and compensation payouts to affected parties. Our research on data breaches in the first half of 2024 explored the reputational and financial impacts these can have on an organization.

Figure 19. Examples of dark web forum ransomware announcements regarding financial institutions

Access for sale on dark web

Another valuable commodity on the criminal services market is initial access to the infrastructure of financial organizations—the prices for half of these access offers range from $1,000 to $10,000. Here we observe a general trend toward the rising average cost of access to financial organizations' infrastructure: listings within this price range increased by 30% during the period under review compared to the statistics for the first three quarters of 2023.

Figure 20. Cost of access to financial organizations (H2 2023–H1 2024)

More than half (55%) of the listings are for access via RDP, VPN, and command shells, as these allow commands to be executed directly in the operating system environment of the compromised host, typically located within the organization's internal infrastructure.

Figure 21. Types of access traded on dark web platforms (H2 2023–H1 2024)

For example, in Q1 2024, an advertisement appeared on a darknet market for the sale of shell access to the infrastructure of Emirates Investment Bank in the UAE, with a starting price of $10,000.

Figure 22. Sale of access to Emirates Investment Bank infrastructure in the UAE

Cybercriminals actively sold access with privileged local administrator rights (36%) and Active Directory domain administrator rights (26%). For example, in the first half of 2024, VPN access to a major bank in Ecuador and shell access to a bank in the UK were offered on dark web forums for the same price of $10,000. 

Figure 23. Privilege level in ads for sale of access on dark web platforms (H2 2023–H1 2024)

Figure 24. Domain administrator access to an unspecified Brazilian bank for sale

Consequences of attacks on financial institutions and hypotheses of non-tolerable events

Confidential data breach, disruption of infrastructure, manipulation of information on public company resources, and other consequences can be non-tolerable events for financial organizations, leading to reputational and financial harm. Next, we'll take a closer look at the global landscape of the impacts of successful cyberattacks and potential non-tolerable events.

Non-tolerable events triggered by a cyberattack on commercial financial institutions can result in serious reputational and financial consequences, including decreased business profitability and competitiveness. Non-tolerable events that occur within the infrastructure of systemically important or state-affiliated financial institutions can lead to deteriorating international relations and the decreased investment attractiveness of a country or region, hinder government trade strategies both domestically and internationally, trigger economic and political instability, affect the operation of critical information infrastructure, and negatively impact public trust. Each financial organization independently determines which events are categorized as non-tolerable based on maximum acceptable levels of damage. Let's examine the potential consequences of cyberattacks, explore hypotheses of non-tolerable events for different financial institutions, and provide examples based on real incidents.

Figure 25. Trends in the consequences of successful cyberattacks on financial organizations (H1 2023–H1 2024)

Data breaches

The most common consequence of successful cyberattacks on financial organizations globally from mid-2023 to mid-2024 was the breach of confidential information. By the end of H1 2024, data breaches accounted for 80% of consequences, a 25 p.p. increase compared to the same period last year. 

The trend of mass infections of open code repositories with malware and credential breaches observed in many sectors during H1 2024 also impacted financial organizations: one in four data breaches from financial organizations included login credentials.

Figure 26. Types of information found in financial institution breaches (H1 2023–H1 2024)

Credential compromise is typically not the end goal for attackers but serves as an intermediate step between breaching the target infrastructure and further attack development, which may involve stealing other valuable information, encrypting data on servers, disruption of services, or stealing funds from accounts. Consequently, authentication information is particularly valuable and is commonly sold by initial access brokers on the darknet markets. For example, in Q1 2024, the International Monetary Fund (IMF), which consists of 190 member countries, fell victim to a cyberattack that compromised 11 of its email accounts. The IMF is responsible for facilitating international cooperation on monetary policy, addressing issues related to global trade expansion, providing loans to member countries, and stabilizing currency exchange rates. As a result, the breach of its email accounts could have potentially exposed information about the activities of a number of countries and compromised their strategic plans and agreements. This type of information breach could be considered a non-tolerable event for the IMF.

Compromised infrastructure and sustained unauthorized access may go undetected by the security team for extended periods, ultimately leading to severe consequences. For example, Slim CD, the American payment service provider behind Slim CD Payment Gateway, suffered a cyberattack resulting in a data breach affecting nearly 1.7 million payment cards in June 2024. The attackers had remained undetected within the organization's infrastructure for 10 months, beginning in August 2023.

Financial organizations provide various services to individuals, including storing funds in accounts, processing transactions, and issuing loans. As a result, banks, insurance companies, credit organizations, and microfinance institutions accumulate vast amounts of personal data in their infrastructures. In addition, modern business initiatives aimed at improving user experience and attracting clients encourage the free exchange of customer data and account information among financial organizations. This increases both the size of stored databases and the potential damage in case of their disclosure, alteration, or deletion. One such initiative being implemented by many banks and insurance companies is the integration of the Open Banking concept into their services. For example, in June 2024, major Russian banks announced the creation of a service for sharing client account data, which will gradually be implemented for all clients of these banks. Open Banking projects are actively developed in many countries, such as the UAE, India, Brazil, Nigeria, and others.

Given the large volume of client personal data processed, which also includes sensitive data (such as account numbers, payment cards, and credit history), financial organizations are an attractive target for attackers. The largest share of personal data breaches was observed in H2 2023, accounting for 62% of incidents involving data theft. In H1 2024, the share of personal data breaches dropped to just 36% amid a sharp increase in credential breaches, which is 22 p.p. lower than in H1 2023.

A breach of customer personal data is considered a non-tolerable event for financial organizations, as it leads to reputational and financial losses. For example, the American mortgage company LoanDepot was attacked by ALPHV (BlackCat) in January 2024; the attackers encrypted systems and stole the data of 16 million clients. LoanDepot reported losses of $42 million (about 10% of the company's total six-month revenue), which included costs for investigation and recovery, notifying customers, consulting, and legal proceedings. In addition, the company faced a $25 million class-action lawsuit.

Database records aren't the only source of personal data that can be breached. At the end of June this year, a post appeared on a dark web forum about a data breach from the major U.S. company CredRight, which provides financial consulting services. The stolen data allegedly included around 70 GB of Know Your Customer (KYC) documents used for client identification, including photos, videos, and voice recordings. Such a breach is also considered a non-tolerable event, as it exposes the organization's clients to the risk of unauthorized use of this data in various fraudulent activities, while financial organizations may face the aforementioned reputational and financial consequences. 

Disruption of IT infrastructure and services

One of the most severe consequences of cyberattacks on financial sector companies is the disruption of core activities and service outages. Analysis of publicly disclosed incidents shows that the global share of cyberattacks resulting in a full or partial shutdown of financial organizations' operations dropped almost threefold in H1 2024 (from 51% to 16%) compared to the same period last year. Despite the reduction in incidents that resulted in disruptions to financial organizations and their services, this consequence remains one of the most dangerous for financial institutions.

Depending on the country's legislation, threshold values for the maximum allowable service downtime are defined for different categories of financial institutions. These thresholds generally do not exceed a few hours. A disruption in the operation of information systems for financial sector companies, especially banks and payment systems, lasting several hours (or in some cases even minutes) is considered a non-tolerable event and can lead to a range of negative consequences. For example, in late October 2023, the major U.S. mortgage company Mr. Cooper suffered a cyberattack that forced the company to temporarily shut down its IT systems, including access to its online payment portal, as part of containment and investigation efforts. As a result, many clients were unable to make mortgage payments on time and could have subsequently faced legal repercussions. The company assured its clients that they would not incur any financial penalties due to the incident. In Mr. Cooper's 2023 financial report it was revealed that the incident resulted in a data breach impacting almost all of the company's clients, and all the relevant authorities were notified.

Service outages and disruptions can also become long-term issues. For example, in March 2024, VNDirect, Vietnam's third-largest securities broker, suffered a ransomware attack that halted the company's operations for a week. During this period, VNDirect announced that service access would be restored in four stages, starting with customer accounts and ending with financial products. The incident also affected the websites of companies linked to VNDirect, including the Post and Telecommunication Joint Stock Insurance Corporation (PTI), the investment firm IPA, and the investment fund IPAAM.

Later, in April, it was reported that the incident had caused VNDirect to lose some of its share in the securities trading market. Since the company is not a bank, it is not subject to the same service downtime requirements as banks are, so it's unlikely that VNDirect will face fines. Nonetheless, as a player in the securities market, VNDirect faced reputational and financial repercussions. Consequently, regardless of whether a financial organization is a commercial or state entity, we can hypothesize that the encryption, alteration, or deletion of data in target information systems is a non-tolerable event for financial institutions if such an action disrupts their core activities. 

According to the Attack Trends in Financial Services report by the CDN provider Akamai, financial organizations' infrastructure was hit by DDoS attacks several times more frequently than other industries between early 2023 and mid-2024. This indicates that the web services and APIs that financial organizations rely on, including those built for open data exchange initiatives, are prime targets for cybercriminals. A DDoS attack can render all of an organization's client-facing services unavailable for extended periods, sometimes for several days, which is a non-tolerable event.

In July 2024, a bank in the UAE was hit by a DDoS attack that set records for both the duration of an attack and the sustained volume of requests. The attack spanned six days and included multiple waves of web requests lasting 4 to 20 hours, directed at the financial institution's website. In total, the attack lasted over 100 hours, averaging 4.5 million requests per second, reducing service availability for legitimate requests to as low as 0.002%, with an average of just 0.12% throughout the attack. 

To minimize the likelihood of non-tolerable events resulting from infrastructure and service disruptions, financial organizations must implement comprehensive information protection measures and conduct regular cyber exercises to evaluate the real resilience of their infrastructure against the destructive impact of potential cyberattacks.

Financial losses

According to an IBM study, the financial sector consistently ranked second in terms of financial losses from data breaches in 2023–2024, behind only the healthcare sector. Financial organizations incur costs for investigating cyberincidents and taking the necessary actions to evict intruders from the infrastructure; they are also fined for insufficient measures to protect clients' and employees' personal data, and they face lawsuits from affected parties and court rulings to compensate for moral and financial damages.

In addition, many financial sector companies targeted by ransomware attacks suffer a lengthy process of recovering data that has been encrypted or deleted. According to a Sophos study, financial sector companies encounter some of the highest ransom demands for data decryption and non-publication: more than half (58%) of ransom demands in financial organizations are for amounts over $1 million, with 38% exceeding $5 million. In terms of average ransom demand, the financial sector ranks second only to government institutions.

Additionally, financial organizations accumulate significant capital, making them prime targets for attackers seeking to obtain direct financial gains—for example, by transferring funds from the accounts of the organization itself or its clients. Unauthorized transfers from a financial organization's accounts exceeding a certain threshold, such as a specific percentage of the capital allocated for operational risks, constitute a non-tolerable event. For example, in June 2024, attackers breached the infrastructure of Nainital Bank, a major Indian bank with over 170 branches, by compromising a manager's credentials. They then withdrew funds amounting to over 160 million rupees (~$1.9 million) into 84 different accounts.

Unauthorized withdrawals from client accounts can also be non-tolerable for a financial organization—for example, large-scale withdrawals from the account of a specific client company or mass withdrawals from individuals' accounts exceeding the organization's maximum permissible threshold. According to an FBI report, total funds stolen by fraudsters in 2023 exceeded $12 billion, a 22% increase over the previous year. Meanwhile, the Bank of Russia reported that in Q2 2024 alone, fraudsters managed to steal around ₽4.8 billion (~$48 million) from individuals' and companies' accounts, roughly a quarter higher than the average over the preceding four quarters. 

The issue of fund theft from individual accounts directly affects organizations in the banking sector. For instance, in Russia, a federal law came into effect in July 2024, requiring banks to return funds to clients within 30 days of a request being made. Refunds will be made if the account that received the unauthorized transfer is listed in a database of fraudulent accounts. 

Today's fraudulent schemes increasingly use deepfakes for greater credibility. A deepfake is synthetic audio or video generated with machine learning: a neural network overlays generated content onto an original recording, altering facial expressions, gestures, and voice. According to Sberbank, the number of deepfakes increased thirtyfold in 2024, and the potential financial damage to citizens could reach ₽300 billion (~$3 billion) by the end of the year. Meanwhile, according to the identity verification platform Sumsub, the number of deepfakes in Saudi Arabia in Q1 2024 increased by 600% compared to the previous year. Among Middle Eastern countries, this figure is surpassed only by Iraq, which saw a 900% increase. The growing number of personal data breaches across various sectors, which we noted in another study, allows criminals to assemble detailed profiles of individuals, including their credit histories, insurance information, assets, incomes, and even medical test results. This stolen information is then used to create counterfeit documents and to pass identity verification on various services with the aim of withdrawing funds from citizens' accounts.

To counter these attack methods, financial organizations across the industry must continue their digital transformation and adopt new security technologies. Two are worth highlighting. The first is payment tokenization: the actual card data (number, expiration date, and security code) is replaced by a unique digital token in every transaction, so a compromise of a merchant, a transaction log, or a stored card record does not expose the card itself. The second is stronger customer authentication that moves away from passwords and one-time codes. An example of the latter is the decision of the Monetary Authority of Singapore (MAS) and the Association of Banks in Singapore (ABS) to retire one-time passwords (OTPs) in favor of digital tokens in order to combat fraud. Likewise, to address the growing problem of online payment fraud, the payment system Mastercard has announced a shift from passwords to biometric authentication: users will confirm transactions using facial recognition or fingerprints, and by 2030 the company plans to completely phase out manual entry of card numbers for online purchases. Mastercard has already been working with tokenization for several years, and extending it to online retailers is the next step; in India, the company has already launched this service in partnership with PayU and Axis Bank.
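To make the tokenization idea concrete, here is an added example (not code from the report, Mastercard, or MAS) of a minimal payment token vault in Python. A PAN is swapped for a random, Luhn-valid surrogate of the same length; the PAN is stored only inside the vault, and each token is bound to the merchant it was issued for, so a token leaked from one merchant cannot be redeemed by another. The token range prefix `9990`, the merchant IDs, and the in-memory dictionary standing in for an HSM-backed vault are hypothetical simplifications.

```python
"""Constructed example: a payment tokenization vault with domain restriction.

Not a real EMVCo token service. Illustrates why a stolen token is worth far
less than a stolen PAN: it is random, it is bound to one merchant, and the
mapping back to the PAN exists only inside the vault.
"""
import secrets


def _luhn_sum(digits: str) -> int:
    """Luhn weighted sum: double every second digit counted from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total


def luhn_ok(number: str) -> bool:
    """True if the digit string passes the Luhn check used for PANs."""
    return number.isdigit() and _luhn_sum(number) % 10 == 0


def luhn_check_digit(body: str) -> str:
    """Return the single digit c such that body + c passes the Luhn check."""
    return str((10 - _luhn_sum(body + "0") % 10) % 10)


class TokenVault:
    def __init__(self, token_prefix: str = "9990"):  # hypothetical token range
        self._prefix = token_prefix
        self._by_token = {}   # token -> (pan, merchant_id); the only place the PAN lives
        self._by_pan = {}     # (pan, merchant_id) -> token, for card-on-file reuse

    def tokenize(self, pan: str, merchant_id: str) -> str:
        """Issue (or reuse) a token for this PAN in this merchant's domain."""
        if not (13 <= len(pan) <= 19 and luhn_ok(pan)):
            raise ValueError("not a valid PAN")
        key = (pan, merchant_id)
        if key in self._by_pan:
            return self._by_pan[key]
        while True:
            # Random body under the token prefix, then a Luhn check digit so the
            # token still looks like a card number to downstream systems.
            random_len = len(pan) - len(self._prefix) - 1
            body = self._prefix + "".join(secrets.choice("0123456789") for _ in range(random_len))
            token = body + luhn_check_digit(body)
            if token not in self._by_token and token != pan:
                break
        self._by_token[token] = key
        self._by_pan[key] = token
        return token

    def detokenize(self, token: str, merchant_id: str) -> str:
        """Return the PAN only to the merchant the token was issued for."""
        entry = self._by_token.get(token)
        if entry is None or entry[1] != merchant_id:
            # Domain restriction: an unknown token or the wrong merchant gets nothing,
            # and the error does not reveal which of the two it was.
            raise PermissionError("token not valid for this domain")
        return entry[0]


if __name__ == "__main__":
    vault = TokenVault()
    token = vault.tokenize("4111111111111111", "merchant-A")  # standard Luhn-valid test PAN
    print("token:", token, "luhn ok:", luhn_ok(token))
    print("detokenize for issuing merchant:", vault.detokenize(token, "merchant-A"))
```

The check digit keeps the token format-compatible with existing PAN validation, which is what lets tokenization be introduced without rewriting every system that handles card numbers; the per-merchant binding is what limits the blast radius when one merchant's database is breached.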

Recommendations

The maturity level of information security processes determines whether cyberattacks on a financial organization's infrastructure are identified in the early stages or lead to negative consequences. While it may be impossible to protect an organization from all threats, by implementing result-driven cybersecurity it's possible to strengthen the organization's cyber resilience so that even if an attacker penetrates the organization's perimeter, they cannot inflict irreparable damage or cause non-tolerable events.

Step 1. Defining non-tolerable events and primary targets of impact on infrastructure

Defining non-tolerable events

The first step towards cyber resilience is to identify and approve a list of non-tolerable events for the organization. This requires involvement from the organization's top management to draw up the list, set criteria, and establish maximum allowable damage thresholds for each event. Operational managers can clarify scenarios that could lead to non-tolerable events, while IT specialists can identify the target systems whose compromise would have non-tolerable consequences.
For each non-tolerable event, it's essential to outline potential realization scenarios. A working group composed of IT and information security experts, along with department managers, should determine the business and technological processes that would be impacted, scenarios for these events to occur, possible consequences, and affected target systems.

Mapping non-tolerable events to the IT infrastructure

The second step involves conducting an inventory of the organization’s IT assets to identify intermediary target systems and points of entry that would be of primary interest for attackers. Scenarios for non-tolerable events should be correlated with these critical infrastructure resources and business processes. This mapping helps reduce the potential attack surface and enables more targeted implementation of information protection mechanisms. After this, the sequence of steps can be determined, and a cybersecurity transformation program can be formulated.

Step 2. Cyber transformation

Hardening IT infrastructure

Hardening is the process of enhancing the protection of hardware and software resources by configuring them in accordance with best security practices and taking into account acceptable internal and external information flows within the protected infrastructure. This process aims to increase the time it takes for a cybercriminal to carry out an attack (time to attack, or TTA), which is crucial for ensuring cyber resilience. The better protected an infrastructure is—from setting up password policies to establishing secure development processes—the more steps an attacker will have to take to realize a non-tolerable event.

Employee training

Regular training and knowledge assessments for employees and managers reduce the number of successful cyberattacks on the organization. Key cybersecurity practices such as secure password storage, protection against phishing and social engineering, software updates, and safe use of wireless networks and the internet should be discussed with all employees of a financial organization.

Incident monitoring and threat response

Implementing monitoring and response processes enables timely detection of attacks and prevention of malicious actions. To establish an effective event monitoring and incident response process, it's essential to gather, integrate, and analyze data from various telemetry sources, including event logs on endpoints, network traffic, software vulnerabilities, and more. Data from all sources should be transferred to a SIEM system, such as MaxPatrol SIEM, and continuously analyzed by built-in algorithms to identify suspicious behavior patterns within the infrastructure.
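As an added example (not code from the report or from MaxPatrol SIEM), the following Python correlation rule runs over a constructed transaction log and flags the pattern seen in the Nainital Bank case described above: one authorised user fanning funds out to many distinct accounts in a short window, or crossing an absolute outbound total within that window. The log format, user names, account numbers, and thresholds are all hypothetical; in practice the total threshold would be derived from the organization's operational-risk capital.

```python
"""Constructed example: a SIEM-style correlation rule over transfer logs.

Flags an initiator that (a) sends money to many distinct beneficiaries within
a sliding window, or (b) crosses an absolute outbound total in that window.
Hypothetical log format: ISO timestamp,initiator,beneficiary,amount
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Transfer:
    ts: datetime
    initiator: str    # employee or client account that authorised the transfer
    beneficiary: str  # destination account
    amount: float


def parse_line(line: str) -> Transfer:
    """Parse one CSV log line; raises ValueError on malformed input."""
    ts, initiator, beneficiary, amount = line.strip().split(",")
    return Transfer(datetime.fromisoformat(ts), initiator, beneficiary, float(amount))


def detect_fan_out(transfers, window=timedelta(minutes=30),
                   max_beneficiaries=10, max_total=20_000_000.0):
    """Sliding-window correlation per initiator.

    Returns alerts as dicts in detection order. Each (initiator, rule) pair
    fires once, so a burst of transfers does not produce a burst of alerts.
    """
    recent = defaultdict(deque)   # initiator -> transfers still inside the window
    fired = set()
    alerts = []
    for t in sorted(transfers, key=lambda x: x.ts):
        q = recent[t.initiator]
        q.append(t)
        while t.ts - q[0].ts > window:   # evict transfers older than the window
            q.popleft()
        checks = (
            ("fan_out", len({x.beneficiary for x in q}), max_beneficiaries),
            ("total_out", sum(x.amount for x in q), max_total),
        )
        for rule, value, limit in checks:
            if value >= limit and (t.initiator, rule) not in fired:
                fired.add((t.initiator, rule))
                alerts.append({"initiator": t.initiator, "ts": t.ts.isoformat(),
                               "rule": rule, "value": value})
    return alerts


# Constructed log: routine activity by one clerk, then a compromised manager
# account pushing 12 transfers of 1.9M to 12 different accounts in 22 minutes.
CONSTRUCTED_LOG = [
    "2024-06-17T09:02:11,clerk_bob,ACC-1001,45000",
    "2024-06-17T09:05:40,clerk_bob,ACC-1002,12000",
    "2024-06-17T09:30:05,clerk_bob,ACC-1001,8000",
] + [
    f"2024-06-17T13:{m:02d}:00,mgr_anita,ACC-9{m:03d},1900000"
    for m in range(0, 24, 2)
]


def run_detection(lines):
    """Parse raw log lines and return the alerts the rule produces."""
    return detect_fan_out(parse_line(line) for line in lines)


if __name__ == "__main__":
    for alert in run_detection(CONSTRUCTED_LOG):
        print(alert)
```

With these thresholds the rule fires twice for the manager account: once when the tenth distinct beneficiary appears and once when the outbound total crosses 20M, while the clerk's activity produces nothing. The window eviction is what keeps a legitimately busy account from accumulating alerts over a full day; the one-alert-per-rule deduplication keeps the analyst's queue readable during exactly the kind of burst that indicates compromise.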

A key objective for the monitoring and incident response center is to reduce detection time (TTD), containment time (TTC), and response time (TTR). The total time required for these processes should always be less than the time an attacker needs to execute an attack (TTA).

To achieve this balance, we recommend using metaproducts for result-driven cybersecurity. For example, the MaxPatrol O2 metaproduct automatically analyzes sensor alerts, assembles them into chains of attacker actions, and gives the analyst the full attack context for decision-making along with automated response capabilities.

An organization must also develop an incident response plan outlining specific actions employees should take during a cyberattack, including notifying stakeholders (partners, suppliers, clients) and authorities. This helps minimize damage and quickly restore organizational operations in the event of a successful cyberattack.

Security assessment

To assess security levels, organizations can perform verification of non-tolerable events or carry out cyber exercises to simulate possible attacks and evaluate the effectiveness of detection and response procedures. At Positive Technologies, such events are carried out by specialists from the PT Security Weakness Advanced Research and Modeling (PT SWARM) team.

Process development

Identifying weaknesses in critical business processes and reengineering them according to best cybersecurity practices is essential for strengthening organizational cyber resilience. Financial organizations should also pay attention to processes for interacting with third-party solution and service providers, ensuring robust interaction procedures and confirming that external organizations comply with cybersecurity standards.

Performance assessment

Throughout the cyber transformation process, each organization sets targets to aim for in order to maintain high cyber resilience levels. Regular assessments of the current security state should be conducted, ensuring that the time attackers need to reach their goals is consistently greater than the time required by cybersecurity specialists to detect incidents and respond.

Step 3. Verifying cyber resilience

Maintaining cyber resilience

Given the evolving tactics and techniques of attackers, the continuous emergence of new vulnerabilities, and new stages of digital transformation in the financial sector, maintaining strong cyber resilience is necessary for each financial organization individually and the sector as a whole. Maintaining cyber resilience is a systematic process that requires regular updates and coordinated, efficient interaction among all responsible parties, including business leaders and organizational IT and cybersecurity departments.

Launching bug bounty programs

The final step in building cyber resilience is for financial organizations to participate in bug bounty programs, including APT bug bounties (1). For example, T-Bank and the VK Pay payment service have already launched public bug bounty programs for their online products. Continuous and comprehensive security assessment of financial organizations significantly strengthens both the cyber resilience of the organizations themselves and that of the sector as a whole.

  (1) An APT bug bounty program allows an organization to engage independent cybersecurity researchers, security analysts, and penetration testers to probe the entire corporate IT infrastructure, with rewards granted for fulfilling the prerequisites of a non-tolerable event.

Conclusion

Amid modern economic and political challenges, the rise in cashless transactions, and advancements in innovative information technologies, many countries worldwide are undergoing a digital transformation of the financial sector. Currently, 134 countries, representing 98% of the global economy, are working on creating their own central bank digital currencies (CBDCs), with over half of them in advanced stages of development, pilot testing, or launch. For example, in Russia, a pilot project to create a digital ruble has been underway since August 2023, involving 13 banks and several hundred specialists. In January 2024, 17 more banks joined the project, and by July 2025, the digital ruble may become available to all citizens in the country. In total, there are currently about 44 pilot projects being implemented around the world, including testing of China's CBDC, e-CNY, which was the first of its kind and already had over 260 million users by January 2022. Additionally, since 2023, the Central Bank of the UAE has been actively advancing its CBDC project and, in early 2024, successfully transferred 50 million digital dirhams (~$13 million) from the UAE to China via mBridge—a platform that enables countries and financial institutions to experiment with using central bank digital currencies for cross-border wholesale payments.

Furthermore, in the context of heightened geopolitical tensions, some countries are striving to create independent payment systems for international trade. For example, the BRICS member states are jointly developing an independent payment system called BRICS Pay, which is envisioned to allow over 150 countries to conduct trade on transparent and mutually beneficial terms. The payment unit within BRICS Pay will be a gold-backed stablecoin (a cryptocurrency tied to a real asset), and its underlying basis will be the International Monetary Fund's (IMF) Special Drawing Rights (SDR).

This digital transformation—in addition to the previously mentioned trends towards digital tokens and open APIs—demands the use of new technologies and may change the landscape of cyberthreats for financial organizations in the coming years. In this context, ensuring the cybersecurity of the financial sector will become even more important, requiring resources to combat emerging challenges.

In this crucial time, many financial organizations are advised to rethink their approach to information security processes and adopt the concept of result-driven cybersecurity. This approach helps organizations build a comprehensive protection system focused primarily on countering the most significant cyberthreats facing them, thereby preventing non-tolerable events.
