Throughout May 2025, the Banking sector witnessed a series of significant ransomware-related events that underscore the persistent and evolving nature of cyber threats. An examination of publicly available data on ransomware.live for the period spanning 1 May 2025 to 31 May 2025 identified six distinct ransomware incidents targeting commercial banks in Europe and North America. These findings were subsequently cross-referenced against trusted intelligence sources such as Mandiant (observed publications on 8 May 2025), IBM X-Force Exchange (advisories noted on 12 May 2025) and Recorded Future (threat bulletins reviewed on 15 May 2025) to confirm consistency in both timing and actor attribution.
While the specific methods of compromise varied, commonalities included phishing campaigns delivering malicious attachments, as well as the exploitation of known security flaws—particularly those affecting remote access solutions. In one incident, a banking institution in Western Europe reportedly fell victim to a ransomware group leveraging CVE-2025-4123, allowing the attackers to escalate privileges once initial access had been established. According to IBM X-Force Exchange (cited 12 May 2025), the vulnerability was exploited within days of a proof-of-concept being made public.
Among the observed threat actors, several groups stand out for their technical sophistication and tailored attack patterns:
1. LockBit (two confirmed incidents)
Public disclosures on ransomware.live on 2 May 2025 revealed that LockBit targeted a major European bank, demanding a substantial ransom after exfiltrating sensitive customer data. Their modus operandi typically involves the rapid encryption of critical systems followed by dual extortion tactics. Cross-checking with Mandiant (1 May 2025) confirmed LockBit operatives’ reliance on weaponised Office documents to establish initial footholds. For a more extensive overview of LockBit’s tools, techniques and procedures, please refer to our dedicated LockBit threat group analysis.
LockBit frequently deploys customised malware loaders and fileless execution techniques to hinder detection. In both incidents, the attackers reportedly masqueraded as legitimate processes within the victims’ environments to evade endpoint security solutions. Implementing robust email hygiene and network segmentation can play an essential role in mitigating these operations, as can ensuring rapid patching cycles to minimise exploitable vulnerabilities.
2. FIN7 (two confirmed incidents)
Late in May 2025, IBM X-Force Exchange (26 May 2025) reported two separate intrusions at mid-sized European banks. The actors were attributed to FIN7, also known for targeting financial institutions with well-orchestrated spear-phishing campaigns. FIN7’s tradecraft involves the use of stealthy implant droppers and lateral movement via Active Directory abuse. Victims frequently report compromised administrator accounts followed by tampering with financial transaction systems. More details about FIN7’s campaigns and tactics can be found in our FIN7 threat group analysis on Cyber-Defence.io.
In one case, FIN7 leveraged a remote code execution flaw in collaboration platforms—specifically CVE-2025-3778—to install backdoors on internal servers. Subsequent reconnaissance enabled exfiltration of transaction logs, private encryption keys and internal bank communications. These findings underscore the continued importance of restricting permissions and monitoring unusual account activity in critical systems.
3. Unattributed Groups (two confirmed incidents)
Two additional incidents remained unattributed as of 31 May 2025. Investigations by Recorded Future (15 May 2025) and OTX (18 May 2025) suggested these intrusions shared common elements with previous campaigns, yet no conclusive evidence pointed to a single operator. Techniques observed included disabling antivirus processes by abusing signed drivers and encrypting entire virtualised environments to amplify impact. Banking institutions victimised in these attacks reportedly suffered prolonged disruptions while restoring business-critical services from offline backups.
In both cases, the recognised takeaway for cyber defenders is the need to enforce robust network segmentation and to rehearse incident response playbooks regularly. This approach ensures that if one segment of the environment is compromised, attackers cannot pivot unimpeded across the enterprise.
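Two of the defensive needs raised in this report, monitoring unusual activity on privileged accounts (the FIN7 section) and catching antivirus processes being disabled through abused signed drivers (the paragraph above), can be served by the same small event-correlation routine. The following is an added example written for this post; it is not code from any vendor, responder or the incidents described here. Event field names loosely follow Sysmon (Event ID 6 DriverLoad, Event ID 5 ProcessTerminate) and Windows Security (Event ID 4624 logon) conventions, flattened into one dictionary per event for readability; every host name, account, publisher, path, IP address and timestamp is constructed, and the allowlists are placeholders to be replaced with an organisation's own.

```python
"""Added example: two detection rules over constructed endpoint telemetry.

Field names loosely follow Sysmon (EventID 6 = DriverLoad, 5 = ProcessTerminate)
and Windows Security (EventID 4624 = logon) but are flattened into one dict per
event. Every host, account, publisher, path and timestamp below is constructed.
"""
from datetime import datetime, timedelta

# Security agents whose termination shortly after a driver load is suspicious
# (constructed list; extend with the EDR/AV binaries actually deployed).
PROTECTED_PROCESSES = {"MsMpEng.exe", "SentinelAgent.exe"}
# Driver signers the organisation has explicitly vetted (constructed allowlist).
TRUSTED_DRIVER_PUBLISHERS = {"Microsoft Windows", "Example Corp Vetted Driver"}
# Privileged accounts whose logon locations are baselined (constructed).
ADMIN_ACCOUNTS = {"svc-backup-admin", "da-jsmith"}
# Correlation window between the driver load and the agent termination.
WINDOW = timedelta(minutes=5)


def _ts(event):
    return datetime.strptime(event["UtcTime"], "%Y-%m-%d %H:%M:%S")


def _basename(path):
    return path.rsplit("\\", 1)[-1]


def detect_driver_then_agent_kill(events):
    """Rule 1: a signed driver from a publisher outside the allowlist is loaded
    on a host, and within WINDOW a protected security process on the same host
    terminates. Signed-but-unvetted is the interesting case: unsigned drivers
    are normally refused by driver signature enforcement anyway."""
    alerts = []
    loads = [e for e in events
             if e["EventID"] == 6 and e["Signed"] == "true"
             and e["Signature"] not in TRUSTED_DRIVER_PUBLISHERS]
    kills = [e for e in events
             if e["EventID"] == 5 and _basename(e["Image"]) in PROTECTED_PROCESSES]
    for load in loads:
        t0 = _ts(load)
        for kill in kills:
            if kill["Computer"] == load["Computer"] and t0 <= _ts(kill) <= t0 + WINDOW:
                alerts.append({
                    "rule": "signed-driver-then-agent-termination",
                    "host": load["Computer"],
                    "driver": load["ImageLoaded"],
                    "publisher": load["Signature"],
                    "terminated": kill["Image"],
                })
    return alerts


def detect_admin_logon_outside_baseline(events, baseline):
    """Rule 2: an interactive (LogonType 2) or RDP (LogonType 10) logon by a
    privileged account from a workstation absent from that account's baseline.
    `baseline` maps account -> set of workstation names seen over a prior period."""
    alerts = []
    for e in events:
        if e["EventID"] != 4624 or e["LogonType"] not in (2, 10):
            continue
        user = e["TargetUserName"]
        if user in ADMIN_ACCOUNTS and e["WorkstationName"] not in baseline.get(user, set()):
            alerts.append({
                "rule": "admin-logon-from-unbaselined-host",
                "account": user,
                "workstation": e["WorkstationName"],
                "source_ip": e["IpAddress"],
            })
    return alerts


def run_detections(events, baseline):
    """Run both rules over the same event list and return the combined alerts."""
    return detect_driver_then_agent_kill(events) + detect_admin_logon_outside_baseline(events, baseline)


# Constructed telemetry: one baselined admin logon, one from an unexpected host,
# a Microsoft-signed driver load (benign), then a third-party signed driver
# loaded from Temp followed 40 seconds later by the AV engine exiting on that
# host; the AV exit on SRV-APP-01 has no preceding driver load and must not fire.
SAMPLE_EVENTS = [
    {"EventID": 4624, "UtcTime": "2025-05-14 08:55:02", "Computer": "DC-01",
     "TargetUserName": "svc-backup-admin", "WorkstationName": "JUMP-01",
     "IpAddress": "10.10.5.20", "LogonType": 10},
    {"EventID": 4624, "UtcTime": "2025-05-14 09:01:10", "Computer": "DC-01",
     "TargetUserName": "svc-backup-admin", "WorkstationName": "WKS-FIN-07",
     "IpAddress": "10.10.44.131", "LogonType": 10},
    {"EventID": 6, "UtcTime": "2025-05-14 09:02:30", "Computer": "SRV-DB-02",
     "ImageLoaded": "C:\\Windows\\System32\\drivers\\tcpip.sys",
     "Signed": "true", "Signature": "Microsoft Windows"},
    {"EventID": 6, "UtcTime": "2025-05-14 09:03:00", "Computer": "SRV-DB-02",
     "ImageLoaded": "C:\\Windows\\Temp\\drv.sys",
     "Signed": "true", "Signature": "Legacy Vendor Ltd"},
    {"EventID": 5, "UtcTime": "2025-05-14 09:03:40", "Computer": "SRV-DB-02",
     "Image": "C:\\Program Files\\Windows Defender\\MsMpEng.exe"},
    {"EventID": 5, "UtcTime": "2025-05-14 09:04:05", "Computer": "SRV-APP-01",
     "Image": "C:\\Program Files\\Windows Defender\\MsMpEng.exe"},
]
SAMPLE_BASELINE = {"svc-backup-admin": {"JUMP-01"}, "da-jsmith": {"JUMP-01", "JUMP-02"}}

if __name__ == "__main__":
    for alert in run_detections(SAMPLE_EVENTS, SAMPLE_BASELINE):
        print(alert)
```

Run against the constructed sample, the routine raises exactly two alerts: the driver-then-termination pair on SRV-DB-02 and the administrator logon from WKS-FIN-07. Both rules trade on baselines (a vetted publisher list, a per-account set of expected source hosts) rather than on indicators of a specific tool, which is what makes them useful against unattributed activity; the cost is that a routine agent restart or a legitimately new jump host will also fire, so in production the first rule is worth pairing with a check that the agent does not restart within the window, and the second with a change-management feed of approved administrative workstations.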
The lessons learned from the above incidents are multifaceted and closely align with best practices embraced by major financial institutions. Firstly, continued user awareness training is essential; phishing remains a prevalent and successful initial attack vector. Secondly, systematically mitigating known vulnerabilities through structured patch management can substantially reduce threat actor success rates—particularly given the rapid incorporation of newly published exploits into ransomware campaigns. Finally, ensuring advanced detection and intrusion hunting capabilities allows security teams to identify abnormal behaviours at early stages, limiting the scope and scale of any potential breach.
While the sector-specific data for May 2025 illustrates the severity of ransomware operations in the Banking industry, it is important to recognise that such threats often bleed across geographic borders and industry lines. Given the sophistication of attacker groups such as LockBit and FIN7, large financial organisations must remain vigilant, adopting threat-driven defence strategies that integrate proactive monitoring, seamless patching of known vulnerabilities and continuous situational awareness. For further insights on emerging threat groups across all sectors, we encourage readers to explore our regularly updated repositories at cyber-defence.io. By prioritising holistic security, banking institutions can reduce exposure and enhance resilience in the face of increasingly capable adversaries.