Legend has it that when Willie Sutton, a notorious bank robber from the last century, was asked why he robbed banks, he responded, “That’s where the money is.” While a lot has changed since Sutton’s heyday, the axiom still holds true. That’s why the financial sector—trusted with our most sensitive personal and financial information—is the single most important target for today’s ransomware attackers, dwarfing all other industries in both frequency and number of attempts.

The statistics are quite shocking, to say the least:

  • According to the New York Fed, financial institutions are subject to as many as 300x more cyberattacks per year than any other sector.
  • In 2020 alone, phishing and ransomware attacks increased 520% in just four
  • More than one-third of financial services organizations surveyed by Sophos, a British security firm, were hit by ransomware in 2020.
  • Taking into consideration downtime, people time, device cost, network cost, lost opportunity, ransom paid, and similar factors, the average cost of a ransomware attack on a small to midsize financial institution is $2.1 million. The average bill for larger enterprises is much higher.

Preying On the Weak

Willie Sutton didn’t rob banks at random. He sought out their weaknesses and exploited them. Little has changed today. Modern bad actors know that financial institutions are complex enterprises with legacy systems designed for another era, and that makes them vulnerable. The data stored is especially sensitive compared with other industries, so much so that it often contains complete customer information (Social Security number, address, date of birth, and so on) that is every hacker’s dream. Legacy storage infrastructures were designed piecemeal to secure a limited number of machines, such as within a trading desk or a department, in siloed environments. That makes them ill-suited for the cloud era.

These factors create the perfect storm for a ransomware attack.

Between a Rock and a Hard Place

Restoring an entire business after a ransomware attack is a highly involved undertaking, and it can take days or even months to return systems to normal. Yet threat actors demand immediate action: Pay up or suffer the consequences, they threaten. And those consequences can be dire. A single attack can cascade globally, far beyond the financial institution itself, and result in market disruptions or even customer bankruptcies if they can’t access needed funds. This is compounded by potential regulatory compliance risks and legal liabilities, including the inability to meet mission-critical Recovery Point Objectives (RPOs) and Recovery Time Objectives (RTOs).

In fact, even if an organization decides to pay the cyberattackers, they still risk penalties that effectively rub salt in the wound. According to the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC), firms that facilitate ransomware payments run the risk of violating sanctions prohibitions even if they have no reason to know that the transaction involved a sanctioned person or entity. Gives new meaning to “Know Your Customer!”

There Is a Method to the Madness

Surprisingly, there are distinct patterns to a ransomware attack, and all share a common life cycle regardless of the goal (such as cyber espionage or extorting money). The life cycle can be broken down into three stages—before, during, and after—although there will always be variations.


Before

The attacker launches a campaign, perhaps via email, to trick personnel into installing a small piece of software that will “phone home.” Once inside the security perimeter, the attacker will lurk or “dwell” in the environment and deploy a ransomware payload. An attacker may also use this time to create backdoors on multiple systems or other sensitive files in case the initial attack is uncovered.

During

While an attack is being carried out, the ransomware payload focuses on the backups, with an emphasis on encrypting the most recent (most active) files. This is where a solution such as Pure Storage® SafeMode™ snapshots is crucial; it creates secure copies that can’t be eradicated, modified, or encrypted even if the bad guys have admin credentials.

Willie Sutton was remarkably successful because he always zeroed in on banks with the most readily available cash and valuables.

After

Finally, a demand is sent that promises private keys to decrypt/recover the files will be turned over if payment is made. Trouble is, even if the threat actor does send the keys, they often either don’t work or not all affected files can be restored. And, of course, there are no guarantees subsequent attacks will not be carried out or that sensitive data will not be leaked to the media, posted to the internet, sold on the dark web, or something similarly nefarious.

Take Action

All is not lost, however! There is a lot your financial institution can do to protect itself from any type of ransomware attack.

Get your Ransomware Survival Kit for Financial Services, including the just-released white paper, Winning the Ransomware War in Financial Services.

Download our free e-book, A Hacker’s Guide to Ransomware Mitigation and Recovery.

Discover how Pure Storage can protect your financial institution, today and tomorrow.