SecurityBrief Australia - Technology news for CISOs & cybersecurity decision-makers
Financial ransomware & supplier risks rise, report warns

Fri, 5th Jun 2026

Black Kite has published a report on cyber risks facing the financial services sector, warning that ransomware attacks and weaknesses in vendor software are rising simultaneously.

Direct ransomware attacks on financial institutions rose 30% in 2025 from the previous year, while incidents in the first quarter of 2026 were up 76% year on year. The study also found that 50.2% of vendors serving the sector have at least one high-severity vulnerability, tracked as a Common Vulnerabilities and Exposures (CVE) entry, in their products.

Together, those trends point to growing pressure on banks, investment firms, and other financial groups from both direct criminal attacks and weaknesses among outside suppliers. Black Kite described the shift as a move from a single cybersecurity problem to a broader structural threat across the sector's supply chain.

After a temporary easing in 2024, ransomware activity against financial firms rebounded in 2025 as criminal operators regrouped under new names. The number of distinct threat groups targeting the sector rose from 37 in 2023 to 45 in 2024 and to 48 in 2025, with Qilin, Akira, and Kill Security leading the list.

Attack patterns within the sector also changed. In 2023, banks were the main ransomware target, with 71 disclosures compared with 44 for investment firms. By 2025, banking incidents had fallen to 36, while disclosures involving investment firms had climbed to 84, making that segment the most targeted and accounting for 41.6% of all incidents tracked in the report.

A campaign in South Korea played a major part in that shift. In September 2025, Qilin compromised a managed service provider, and the breach spread to 32 financial institutions, resulting in the theft of more than 2 terabytes of data. That made South Korea the second-most-targeted country for financial ransomware that year.

Vulnerability growth

The report also pointed to a sharp rise in the number of disclosed software flaws. More than 48,000 CVEs were published globally in 2025, up 18% from a year earlier. Black Kite identified 1,240 CVEs as high-priority for third-party risk in 2025, a 59% increase over 2024.

Within the financial supply chain, the increase was steeper. The number of critical vulnerabilities across vendors serving the sector rose 387% between 2024 and 2025. Among 140 vendors whose client base is heavily concentrated in financial services, critical vulnerabilities increased 181%.

Among those 140 vendors, 54% had at least one vulnerability listed in the US Cybersecurity and Infrastructure Security Agency's Known Exploited Vulnerabilities catalogue. Black Kite also found critical-level patch management failures in 78% of the same group.

The report linked that trend to a wider shift in how breaches begin. Citing Verizon's latest Data Breach Investigations Report, it said that exploitation of vulnerabilities had overtaken phishing as the leading initial access route for breaches for the first time in the report's history.

The findings suggest that many regulated financial institutions may be improving their own controls faster than some of their suppliers. That leaves banks and investment groups exposed to weaknesses beyond their own networks, particularly as exploit timelines shorten and threat groups move quickly.
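The two supplier metrics above, whether a vendor has any CVE listed in CISA's KEV catalogue and whether critical patches are being applied within a sensible window, are ones a bank's third-party risk team can compute itself from a vendor's open findings. The script below is an added example and is not Black Kite's tooling or anything from the report: it indexes a KEV feed by CVE ID, ranks a vendor's open CVEs (known ransomware use first, then any in-the-wild exploitation, then CVSS score) and rolls them up into the two metrics. The KEV excerpt, the vendor findings, the CVE IDs (dated 2099 so they cannot collide with real entries), the 30-day critical patch SLA and the "today" date are all constructed assumptions; the live catalogue at https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json uses the same JSON field names.

```python
"""Rank a supplier's open CVEs against a CISA KEV snapshot (added example, offline)."""
import json
from datetime import date

# Constructed KEV excerpt in the feed's own schema. CVE IDs use year 2099 on purpose.
KEV_SNAPSHOT = json.dumps({
    "title": "Known Exploited Vulnerabilities Catalog (constructed excerpt)",
    "catalogVersion": "2099.01.01",
    "dateReleased": "2099-01-01T00:00:00.0000Z",
    "count": 2,
    "vulnerabilities": [
        {"cveID": "CVE-2099-0001", "vendorProject": "ExampleCorp", "product": "PaymentsGateway",
         "vulnerabilityName": "Constructed entry A", "dateAdded": "2025-09-10",
         "dueDate": "2025-10-01", "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-2099-0002", "vendorProject": "ExampleCorp", "product": "PaymentsGateway",
         "vulnerabilityName": "Constructed entry B", "dateAdded": "2025-11-20",
         "dueDate": "2025-12-11", "knownRansomwareCampaignUse": "Unknown"},
    ],
})

# Constructed vendor findings, as a scanner export or vendor attestation might provide them.
VENDOR_FINDINGS = [
    {"vendor": "ExampleCorp", "cve": "CVE-2099-0001", "cvss": 9.8, "first_seen": "2025-09-15", "patched": False},
    {"vendor": "ExampleCorp", "cve": "CVE-2099-0002", "cvss": 7.5, "first_seen": "2025-12-01", "patched": True},
    {"vendor": "ExampleCorp", "cve": "CVE-2099-0003", "cvss": 9.1, "first_seen": "2026-01-05", "patched": False},
]

CRITICAL_PATCH_SLA_DAYS = 30  # assumed internal SLA for CVSS >= 9.0 findings at a supplier
PRIORITY_ORDER = {"P1": 0, "P2": 1, "P3": 2, "P4": 3, "closed": 4}


def load_kev(raw_json: str) -> dict[str, dict]:
    """Index a KEV catalogue (feed JSON text) by CVE ID."""
    return {v["cveID"]: v for v in json.loads(raw_json)["vulnerabilities"]}


def triage(findings: list[dict], kev: dict[str, dict], today: date) -> list[dict]:
    """Attach KEV context and a priority to each finding; most urgent first."""
    rows = []
    for f in findings:
        entry = kev.get(f["cve"])
        in_kev = entry is not None
        is_open = not f["patched"]
        ransomware = in_kev and entry["knownRansomwareCampaignUse"] == "Known"
        # CISA's dueDate is a US federal deadline, but it is a usable yardstick for
        # how long an exploited bug has been left open at a supplier.
        kev_overdue = is_open and in_kev and date.fromisoformat(entry["dueDate"]) < today
        days_open = (today - date.fromisoformat(f["first_seen"])).days if is_open else 0
        sla_breached = is_open and f["cvss"] >= 9.0 and days_open > CRITICAL_PATCH_SLA_DAYS
        if not is_open:
            priority = "closed"
        elif ransomware:
            priority = "P1"  # exploited by ransomware crews, per the KEV flag
        elif in_kev:
            priority = "P2"  # exploited in the wild, no ransomware link recorded
        elif f["cvss"] >= 9.0:
            priority = "P3"  # critical by score alone, no exploitation evidence
        else:
            priority = "P4"
        rows.append({"vendor": f["vendor"], "cve": f["cve"], "cvss": f["cvss"], "in_kev": in_kev,
                     "kev_overdue": kev_overdue, "days_open": days_open,
                     "sla_breached": sla_breached, "priority": priority})
    return sorted(rows, key=lambda r: (PRIORITY_ORDER[r["priority"]], -r["days_open"]))


def vendor_summary(rows: list[dict]) -> dict:
    """Roll the triage up into the vendor-level metrics the report counts."""
    open_rows = [r for r in rows if r["priority"] != "closed"]
    return {
        "open": len(open_rows),
        "open_in_kev": sum(r["in_kev"] for r in open_rows),
        "kev_overdue": sum(r["kev_overdue"] for r in open_rows),
        "critical_sla_breached": sum(r["sla_breached"] for r in open_rows),
        # "at least one KEV-listed CVE", counting patched history as well
        "any_kev_history": any(r["in_kev"] for r in rows),
    }


def run(today: date = date(2026, 1, 31)) -> tuple[list[dict], dict]:
    rows = triage(VENDOR_FINDINGS, load_kev(KEV_SNAPSHOT), today)
    return rows, vendor_summary(rows)


if __name__ == "__main__":
    rows, summary = run()
    for r in rows:
        print(f'{r["priority"]:6} {r["cve"]} cvss={r["cvss"]} days_open={r["days_open"]} '
              f'kev={r["in_kev"]} overdue={r["kev_overdue"]} sla_breached={r["sla_breached"]}')
    print(summary)
```

With the constructed inputs the unpatched ransomware-linked CVE lands first as P1, overdue against CISA's date and past the 30-day SLA; the unpatched critical that is not in KEV is P3; and the patched KEV entry still counts towards "any KEV history", which is the metric behind the 54% figure. In production the feed would be fetched and the findings come from a scanner or the vendor's own disclosure, but the ranking logic is the same.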

Black Kite said the dismantling of major ransomware groups such as LockBit and Clop did not reduce the threat over the longer term. Instead, the disruption appears to have scattered operators, who later reappeared under new banners or were replaced by newer entrants.

Qilin was one of the most active groups in the sector, with 59 financial-sector incidents over the past year. The report said the rise of such groups showed how quickly the criminal market could refill gaps left by law enforcement action.

The data covered the period from January 2023 to the first quarter of 2026. Black Kite said its ransomware dataset included only confirmed victims in which both encryption and data leaks were verified, and the attack had been clearly attributed to a known ransomware group.

Vendor-related findings were based on Black Kite's own telemetry, public information, and intelligence gathered from surface, deep, and dark web sources. The company said this approach was intended to focus on confirmed and exploitable exposures rather than broader estimates of software risk.

Ferhat Dikbiyik, Chief Research & Intelligence Officer at Black Kite, commented on the shift in attack patterns and the condition of supplier networks.

"Last year, we saw attackers shift focus to weaker third parties as direct ransomware attacks declined. This year's findings prove that reprieve is over," Dikbiyik said. "Direct attacks are climbing again, and the vendor ecosystem is measurably more vulnerable. Financial institutions cannot solve this through internal controls alone. The visibility, response speed, and depth of analysis required to manage this category of risk sit at the third-party layer."