Black Kite’s 2026 State of Financial Services Report Reveals Ransomware Surge and Vulnerability Deluge Driving Two-Front Cyber Threat

Black Kite today released its newest report, 2026 State of Financial Services: The Dual Storm of Ransomware and Vendor Ecosystem Risk, which explores how direct attacks and supply chain risk are now rising together. The report found that direct ransomware attacks are escalating again and occurring concurrently with a massive surge in vendor vulnerabilities, shifting the industry from a single-direction tactical problem to a two-front structural crisis.

The financial sector’s 2024 relief, which was largely fueled by law enforcement disruptions of major ransomware groups like LockBit and Clop, was short-lived. In 2025, direct attacks rebounded as operators restructured under new banners. This fracturing ecosystem saw the number of distinct threat groups targeting finance climb from 37 in 2023, to 45 in 2024, and to 48 in 2025, led by threat actors Qilin, Akira, and Kill Security.

Ransomware targeting within finance has shifted significantly since 2023. In 2023, banks were the primary ransomware target with 71 disclosures compared to 44 disclosures reported by investment firms. By 2025, those positions had reversed: banking incidents fell to 36 disclosures, and investment firm disclosures nearly doubled, making investment firms the most-targeted segment with 84 disclosures (41.6% of all incidents). This investment-sector surge was driven by a September 2025 campaign against South Korean asset managers, which accounted for 32 disclosures (38.1% of the subindustry’s total).

The CVE Volume Problem Is Accelerating, and the Gap Is Widening

Over 48,000 CVEs were published globally in 2025 alone, an 18% year-on-year increase. Growing AI adoption is expected to further increase that volume through both AI-assisted vulnerability discovery and the widespread use of AI systems as new attack surfaces. In the 2026 Supply Chain Vulnerability Report, Black Kite Research Group identified 1,240 CVEs as high-priority for third-party risk in 2025, a 59% increase since 2024. 

Across all financial services vendors, 50.2% carry high-severity CVEs. As CVE volume increases and exploitation timelines compress globally, the operational impact on financial institutions is becoming increasingly direct. According to Verizon’s latest Data Breach Investigations Report (DBIR), vulnerability exploitation overtook phishing as the leading initial access vector for breaches for the first time in the report’s history. In this environment, visibility into the supply chain vulnerabilities that can introduce the greatest operational risk is essential.

Key findings from the report:

  • Ransomware returns to finance: Direct ransomware attacks on financial institutions resumed their upward trajectory in 2025 after a brief decline the year before. Reported incidents increased by 30% from 2024 to 2025, while early 2026 data indicates the trend is accelerating further, with Q1 incidents rising 76% year-over-year.
  • Vendor risk is a sector-wide threat: In September 2025, Qilin’s compromise of a single South Korean MSP cascaded into 32 financial institutions and over 2 terabytes of stolen data, making South Korea the second-most-targeted country for finance ransomware that year.
  • A reorganized threat ecosystem: The number of distinct threat groups targeting finance climbed to 48 in 2025, led by emerging threat actors Qilin, Akira, and Kill Security. The dismantlement of major ransomware groups did not reduce the threat; it rerouted it. Operators from disrupted groups have rebuilt under new banners. Emerging actors have rapidly filled the vacuum, with Qilin alone responsible for 59 finance-sector incidents in the past year.
  • Vendor vulnerabilities multiply: From 2024 to 2025, the number of critical vulnerabilities carried across vendors serving the financial sector increased 387%. Among the 140 vendors whose client base is meaningfully concentrated in finance, critical vulnerabilities increased 181%.
  • Active exploitation at scale: 54% of the 140 vendors whose client base is meaningfully concentrated in finance carry at least one vulnerability listed in CISA’s Known Exploited Vulnerabilities (KEV) catalog, meaning those vulnerabilities are actively being exploited in the wild.
  • Patch management gaps are widespread across the financial supply chain: Critical-level patch management failures are present in 78% of the 140 vendors whose client base is meaningfully concentrated in finance. As exploit timelines compress and vulnerability exploitation overtakes phishing as a leading breach vector, the ability to identify, prioritize, and drive remediation of the most critical exposures across the vendor ecosystem is becoming increasingly essential.

Financial institutions now face simultaneous pressure from direct ransomware targeting and the growing volume of exploitable vulnerabilities carried across their vendor ecosystem. While the sector itself operates under extensive regulatory scrutiny, many third-party vendors face far less pressure to mature at the same pace, widening the exposure gap across the financial supply chain.

As vulnerability exploitation becomes a leading initial access vector and exploit timelines continue to compress, resilience increasingly depends on the ability to continuously identify, prioritize, and respond to critical exposures across both internal environments and third-party relationships. In this environment, capabilities such as continuous monitoring, predictive analytics, and quantified risk are no longer differentiators, but operational requirements.

To read the report, visit https://blackkite.com/reports/2026-financial-services-report.
