WASHINGTON—Ransomware remains a persistent and costly threat to U.S. financial institutions, with attack activity hitting record levels in 2023 and remaining elevated in 2024, according to a new Financial Trend Analysis from FinCEN.
The report, covering incidents from 2022 through 2024, details both the scale of attacks and the tactics most frequently used by ransomware actors.
FinCEN found that institutions filed 7,395 ransomware-related Bank Secrecy Act reports tied to more than 4,000 incidents and over $2.1 billion in payments during the three-year period. Activity peaked in 2023, when payments surged to $1.1 billion, a 77% jump from the prior year. Although 2024 saw a decline to about $734 million, FinCEN attributed part of the drop to federal disruptions of major groups such as ALPHV/BlackCat and LockBit. Even so, financial services ranked among the three most targeted sectors, both by number of attacks and total ransom paid.
The report underscores that attackers increasingly rely on well-known variants—including ALPHV/BlackCat, LockBit, Akira, and Phobos—and demand payments largely in Bitcoin, which accounted for 97% of reported transactions. Communication between attackers and victims most often occurred through TOR-based channels, with email representing a secondary method. Median ransom payments fluctuated, reaching $175,000 in 2023 before easing to $155,257 in 2024, with most payments falling below $250,000.
For financial institutions, FinCEN emphasized that str
Financial Crimes Enforcement Network, US Treasury cybersecurity rating report: https://www.rankiteo.com/company/fincen
"id": "FIN1764965436",
"linkid": "fincen",
"type": "Ransomware",
"date": "12/2025",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"{'incident': {'affected_entities': [{'customers_affected': None,
'industry': 'Financial Services',
'location': 'United States',
'name': None,
'size': None,
'type': 'Financial Institutions'}],
'attack_vector': ['TOR-based channels', 'Email'],
'data_breach': {'data_encryption': 'Yes',
'data_exfiltration': None,
'file_types_exposed': None,
'number_of_records_exposed': None,
'personally_identifiable_information': None,
'sensitivity_of_data': None,
'type_of_data_compromised': None},
'description': 'Ransomware remains a persistent and costly '
'threat to U.S. financial institutions, with '
'attack activity hitting record levels in 2023 '
'and remaining elevated in 2024. The report '
'details the scale of attacks and tactics used by '
'ransomware actors, including over 4,000 '
'incidents and $2.1 billion in payments from 2022 '
'to 2024.',
'impact': {'brand_reputation_impact': None,
'conversion_rate_impact': None,
'customer_complaints': None,
'data_compromised': None,
'downtime': None,
'financial_loss': '$2.1 billion (2022-2024)',
'identity_theft_risk': None,
'legal_liabilities': None,
'operational_impact': None,
'payment_information_risk': None,
'revenue_loss': None,
'systems_affected': None},
'initial_access_broker': {'backdoors_established': None,
'data_sold_on_dark_web': None,
'entry_point': None,
'high_value_targets': None,
'reconnaissance_period': None},
'motivation': 'Financial gain',
'post_incident_analysis': {'corrective_actions': None,
'root_causes': None},
'ransomware': {'data_encryption': 'Yes',
'data_exfiltration': None,
'ransom_demanded': None,
'ransom_paid': '$2.1 billion (2022-2024)',
'ransomware_strain': ['ALPHV/BlackCat',
'LockBit',
'Akira',
'Phobos']},
'references': [{'date_accessed': None,
'source': 'FinCEN Financial Trend Analysis',
'url': None}],
'regulatory_compliance': {'fines_imposed': None,
'legal_actions': None,
'regulations_violated': None,
'regulatory_notifications': 'Bank '
'Secrecy '
'Act '
'reports '
'filed'},
'response': {'adaptive_behavioral_waf': None,
'communication_strategy': None,
'containment_measures': None,
'enhanced_monitoring': None,
'incident_response_plan_activated': None,
'law_enforcement_notified': None,
'network_segmentation': None,
'on_demand_scrubbing_services': None,
'recovery_measures': None,
'remediation_measures': None,
'third_party_assistance': None},
'threat_actor': ['ALPHV/BlackCat', 'LockBit', 'Akira', 'Phobos'],
'title': 'Ransomware Threat to U.S. Financial Institutions '
'(2022-2024)',
'type': 'Ransomware'}}