Check Point: Which Cyber Risks Rule the Financial Sector?

Ruty Davidson, Exposure Management Researcher
Check Point research shows ransomware, DDoS attacks and data breaches are on the rise in the financial sector, while cyber incidents doubled in 2025

Money never sleeps – but neither do threat actors. 

Given its global activity and reach, the financial sector has little to no tolerance for downtime. This, combined with its dependence on highly interconnected systems and the lucrative rewards on offer, makes it a constant target for cybercrime.

In the 2025 Finance Sector Landscape Report by Check Point Software, exposure management researchers Shir Atzil, Mariana Raiser and Ruty Davidson explore the three most disruptive cyber trends which impact the financial sector: DDoS attacks, data breaches and ransomware.

“One key insight I gained from contributing to this report was the sharp rise in hacktivist activity, reflected in the high volume of DDoS and defacement attacks targeting financial institutions globally,” Ruty writes on LinkedIn. 

Check Point's 2025 Finance Sector Landscape Report highlights that attacks against the financial sector doubled in 2025 compared to the previous year | Credit: Check Point Software

“Campaigns enabled by advances in AI and deepfake technologies have introduced new and material risks for financial institutions.”

With the financial sector having faced more than twice as many attacks in 2025 (1,858) as in 2024 (864), this research comes at a time when enterprise security for financial institutions could not be more relevant.

DDoS attacks surge 105% 

Increasing 105%, DDoS attacks remained the “most dominant and destructive” form of attack in 2025, Check Point notes.

Surprisingly, though, not all of this activity was financially motivated; some of it had even more powerful geopolitical drivers operating behind the scenes.

Coordinated hacktivist campaigns targeted high-visibility financial platforms in areas of high geopolitical tensions, with most attacks being launched against Israel (16.6%), the US (5.9%) and the UAE (5.6%), followed closely by Ukraine (5.2%) and Germany (5%).

Top 10 threat actors in DDoS attacks | Credit: Check Point

The North African hacktivist group Keymous+ was the most active, responsible for 121 attacks, while the pro-Russian hacktivist group NoName057 executed 98 such operations.

Relying on readily accessible botnets and shared infrastructure allowed even “moderately skilled actors to scale their impact”, the report says. 

The metamorphosis of DDoS attacks from one-time disruptions to short-burst attacks, with dozens of operations launched in a single day, has proved exceptionally capable of overwhelming the already-strained DDoS mitigation capabilities of institutions.

This shows that the cyber threat surface has evolved, suggesting the need to move well past traditional, on-demand scrubbing to always-on detection, multi-CDN routing and layered defence to stop these sophisticated attack waves.

Stealthy data breach operations on the rise 

Check Point's report finds a 73% rise in attacks aimed at causing data breaches: covert, stealthy operations that often involve long-term access, silent data exfiltration and disclosure that comes much later.

Routes commonly exploited by these threat actors include persistent threats and weaknesses in cloud security, identity governance and third-party ecosystems integrated into the environment.

The US was found to be the most heavily targeted, accounting for 40% of all global incidents. India and Indonesia followed the US as emerging new hotspots. 

Top 10 threat actors in data breaches and data leaking | Credit: Check Point

Even as organised threat actor groups wreak havoc, the majority of data breaches were caused by individuals or groups whose identities remain unknown.

These elusive actors were responsible for 33% of the attacks, which the Check Point report describes as a “notable evolution” that reflects “increased operational security, short lived infrastructure and a shift toward decentralised identities and burner accounts”.

Even as highly sophisticated attackers mask their digital footprint on the deep and dark web and strike from the shadows, organised groups such as Breach Laboratory also made notable hits in 2025, accounting for 43 incidents.

The finance sector landscape report shows that these groups exploit misconfigurations, buy initial access credentials and leverage leak sites for information to fuel extortion campaigns.

Misconfigurations such as open storage buckets, permissive access controls and unmonitored API endpoints are invitations to these actors, who are hell-bent on exploiting every weak spot.

Even with modern cyber infrastructure, weak points still persist, which calls for identity-centric security models, automated cloud scanning and strict access governance.

Ransomware ecosystem matures

A total of 451 cases of ransomware plagued the financial sector in 2025, reflecting the evolution and maturing of the ransomware-as-a-service (RaaS) ecosystem.

Ransomware as a cyber threat has many prongs: data encryption, exfiltration, public shaming and direct pressure on executives and customers. This makes it a potent threat that not only holds data hostage for payment but can also erode public trust in organisations.

Once again, the US was the primary target, accounting for 196 attacks, or 43.5% of total ransomware incidents.

Top 10 ransomware threat actors | Credit: Check Point

South Korea, the UK and Canada followed closely, showing that attacks are concentrated in areas with large, high-value digital banking infrastructure.

Ransomware group Qilin recorded the most hits with 83 incidents, while Akira and Clop were responsible for 37 and 19 attacks respectively.

These ransomware groups are known to exploit VPN vulnerabilities, abuse stolen credentials and target third-party service providers to find their way in.

The report says: “These groups rely on shared tooling, highly-modular malware and well-organised affiliate networks that scale operations quickly and efficiently.”

With AI and the associated rise of sophisticated attacks, enterprise security in the financial sector needs to reform to guard against these threats with automated, AI-powered solutions that integrate identity security, visibility and governance across the entire ecosystem.