
May 2025 Finance Threat Intelligence Briefing

Threat Analysis of Finance Sector Breaches for May 2025

During the period from 1 May 2025 to 31 May 2025, intelligence collated from ransomware.live, in conjunction with data verified by Mandiant (Google Cloud) on 12 May 2025 and further cross-referenced with insights from IBM X-Force Exchange and OTX, revealed a significant spike in ransomware activity targeting the finance industry. In total, eight distinct ransomware incidents involving financial organisations were confirmed throughout May 2025. These attacks occurred primarily in Western Europe, although there were also reported intrusions affecting smaller financial service providers in Northern England and Scotland. Many of the victims experienced network outages, temporary denial of service to customers and sensitive data exfiltration. The confirmed strains of ransomware included LockBit, ALPHV (BlackCat) and Clop, with LockBit emerging as the most frequently observed threat according to parallel reports published by The Hacker News on 18 May 2025.

In at least three of these breaches, further analysis attributed the malicious activity to LockBit affiliates, aligned with the LockBit collective documented in our threat intelligence library on LockBit. Investigators from Recorded Future, referencing data gathered on 16 May 2025, identified common techniques such as spear-phishing campaigns exploiting financial staff through fraudulent requests, lateral movement once credentials were obtained and subsequent deployment of the LockBit ransomware payload. A frequently exploited weakness was poor segmentation within the victims’ internal networks, allowing adversaries quick access to critical databases. According to CrowdStrike Falcon OverWatch findings on 20 May 2025, some LockBit affiliates used customised PowerShell scripts to disable security controls on domain controllers. Moreover, LockBit actors were observed leveraging an unpatched vulnerability in remote access software, tentatively linked to CVE-2025-9118, to escalate privileges and move laterally.
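The defence-tampering step described above (customised PowerShell disabling security controls on domain controllers) is one of the more detectable points in the chain when Script Block Logging is forwarded to a SIEM. The following is an added example, not code from this briefing or from any of the vendors it cites: a small Python scanner that flags tampering commands in constructed Event ID 4104 records. The JSON field names, the domain-controller inventory and the sample events are assumptions for illustration.

```python
"""Flag PowerShell script-block log entries that disable endpoint defences.

Added example (not from the briefing). Assumes Script Block Logging
(Event ID 4104) has been forwarded as JSON lines with the fields used below;
the field names, host inventory and sample events are constructed.
"""
import json
import re

# Defence-tampering commands commonly seen shortly before ransomware deployment.
# Each label maps to a regex applied case-insensitively to the script text.
TAMPER_PATTERNS = {
    "defender_realtime_off": re.compile(r"Set-MpPreference\b.*-DisableRealtimeMonitoring\s+(\$true|1)\b", re.I),
    "defender_exclusion":    re.compile(r"Add-MpPreference\b.*-Exclusion(Path|Process|Extension)\b", re.I),
    "defender_service_stop": re.compile(r"(Stop-Service|sc(\.exe)?\s+stop)\b.*\b(WinDefend|Sense)\b", re.I),
    "shadow_copy_delete":    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows|Win32_ShadowCopy", re.I),
    "eventlog_clear":        re.compile(r"(Clear-EventLog|wevtutil(\.exe)?\s+cl)\b", re.I),
}

# Hosts whose role makes tampering especially severe (constructed asset inventory).
DOMAIN_CONTROLLERS = {"DC01", "DC02"}


def analyse_event(event):
    """Return a finding dict for a tampering event, or None if the script looks benign."""
    script = event.get("ScriptBlockText", "")
    hits = [label for label, rx in TAMPER_PATTERNS.items() if rx.search(script)]
    if not hits:
        return None
    host = event.get("Computer", "")
    return {
        "host": host,
        "user": event.get("User", ""),
        "techniques": hits,
        # A domain controller losing its defences is the scenario the briefing describes.
        "severity": "critical" if host in DOMAIN_CONTROLLERS else "high",
    }


def scan(lines):
    """Parse JSON-lines events, keep only 4104 records and return findings in input order."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed forwarding records rather than abort the whole scan
        if event.get("EventID") != 4104:
            continue
        finding = analyse_event(event)
        if finding:
            findings.append(finding)
    return findings


# Constructed sample: two benign admin commands, two tampering scripts, one non-4104 record.
SAMPLE_LOG = r"""
{"EventID": 4104, "Computer": "WS-0173", "User": "CORP\\jsmith", "ScriptBlockText": "Get-ChildItem C:\\Reports"}
{"EventID": 4104, "Computer": "DC01", "User": "CORP\\svc_backup", "ScriptBlockText": "Set-MpPreference -DisableRealtimeMonitoring $true; Add-MpPreference -ExclusionPath 'C:\\Windows\\Temp'"}
{"EventID": 4104, "Computer": "APP-07", "User": "CORP\\admin2", "ScriptBlockText": "Get-Service | Where-Object Status -eq Running"}
{"EventID": 4104, "Computer": "FS-02", "User": "CORP\\admin2", "ScriptBlockText": "vssadmin.exe delete shadows /all /quiet"}
{"EventID": 4103, "Computer": "DC02", "User": "CORP\\admin2", "ScriptBlockText": "Stop-Service WinDefend"}
"""

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG.splitlines()):
        print(finding)
```

The patterns are deliberately narrow: they match the cmdlets and switches themselves, not generic PowerShell, so a benign `Get-Service` call passes while a Defender exclusion or shadow-copy deletion on a domain controller is raised as critical. In production the host-role lookup would come from the asset inventory rather than a hard-coded set.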

Another notable adversary group implicated in the finance sector during May 2025 is FIN7, whose background and modus operandi are detailed on our FIN7 analysis page. FIN7 is known for highly targeted phishing emails, typically masquerading as official correspondence from banking regulators or corporate partners. Once a user opens the attached malicious file or follows a compromised link, FIN7 deploys custom malware that disables security software and quietly exfiltrates data before triggering full-scale ransomware encryption. FIN7 tooling typically includes credential-harvesting scripts, self-updating malware droppers and lateral movement techniques that abuse Microsoft Active Directory accounts. On 25 May 2025, the UK's NCSC confirmed that at least one medium-sized European bank suffered a FIN7 intrusion, resulting in the temporary suspension of online transaction services and financial loss from fraudulent wire transfers executed during the attack window.

The attack chains observed in these finance-targeted intrusions highlight several critical lessons. One overarching theme is the importance of early detection: many breaches displayed a protracted initial compromise phase, in which attackers held footholds for days or weeks, contradicting the assumption that ransomware deployment invariably follows immediately. Fundamental security hygiene, such as strict email filtering, enhanced endpoint monitoring, hardened network segmentation and regular patch management, remains pivotal. Enforcing multi-factor authentication on all remote logins, including seldom-used administrative and service accounts, can thwart adversaries reliant on stolen credentials, a tactic employed effectively by LockBit and FIN7 alike. Careful scrutiny of privileged users and periodic review of unusual network traffic, particularly around database systems, would have reduced lateral movement opportunities. Additionally, employee awareness programmes prime staff to identify and report suspicious emails to security teams, curtailing entry vectors that continue to prove effective for threat actors.
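On the segmentation and traffic-review points above, the check a practitioner would actually want is a policy audit of flows reaching the database segment: which source zones may talk to it, on which ports, and which observed flows break that rule. The block below is an added example, not material from this briefing; the zone ranges, the allow-list policy and the flow records are constructed, and a real deployment would read flows from NetFlow or Zeek exports rather than an inline string.

```python
"""Audit flow records against a database-segment access policy.

Added example (not from the briefing). Zones, policy and flow records are
constructed; the flow format 'ts src dst dport proto bytes' is an assumption.
"""
import ipaddress
from collections import defaultdict

# Constructed network zones.
ZONES = {
    "db":           ipaddress.ip_network("10.20.0.0/24"),
    "app":          ipaddress.ip_network("10.10.0.0/24"),
    "workstations": ipaddress.ip_network("10.50.0.0/16"),
    "jump":         ipaddress.ip_network("10.30.0.0/28"),
}

# Policy: which zones may initiate connections into the db zone, and on which ports.
# Any flow into the db zone not covered here is a segmentation violation.
DB_ACCESS_POLICY = {
    "app":  {1433, 5432},       # application tier speaks SQL only
    "jump": {1433, 5432, 22},   # DBAs reach databases via the jump host only
}


def zone_of(ip):
    """Map an address to its zone name, or 'unknown' if it is outside every zone."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"


def parse_flow(line):
    """Parse 'ts src dst dport proto bytes' into a dict; return None on malformed input."""
    parts = line.split()
    if len(parts) != 6:
        return None
    ts, src, dst, dport, proto, nbytes = parts
    try:
        ipaddress.ip_address(src)
        ipaddress.ip_address(dst)
        return {"ts": ts, "src": src, "dst": dst, "dport": int(dport),
                "proto": proto, "bytes": int(nbytes)}
    except ValueError:
        return None


def find_violations(lines):
    """Return flows into the db zone that the policy does not permit, grouped by source host."""
    violations = defaultdict(list)
    for line in lines:
        flow = parse_flow(line)
        if flow is None or zone_of(flow["dst"]) != "db":
            continue
        allowed_ports = DB_ACCESS_POLICY.get(zone_of(flow["src"]), set())
        if flow["dport"] not in allowed_ports:
            violations[flow["src"]].append(flow)
    return dict(violations)


def summarise(violations):
    """Per offending host: its zone, the distinct ports it touched and the flow count."""
    return {
        src: {"zone": zone_of(src),
              "ports": sorted({f["dport"] for f in flows}),
              "flows": len(flows)}
        for src, flows in violations.items()
    }


# Constructed sample: workstation reaching SQL and SMB on a database host, an app
# server opening RDP to a database, plus permitted traffic and one malformed record.
SAMPLE_FLOWS = """
2025-05-14T02:11:03Z 10.10.0.5 10.20.0.10 1433 tcp 48211
2025-05-14T02:11:09Z 10.50.3.17 10.20.0.10 1433 tcp 120
2025-05-14T02:12:40Z 10.50.3.17 10.20.0.10 445 tcp 9012
2025-05-14T02:13:01Z 10.30.0.4 10.20.0.11 22 tcp 3000
2025-05-14T02:15:22Z 10.10.0.5 10.20.0.10 3389 tcp 770
2025-05-14T02:16:00Z 10.50.3.17 10.10.0.5 443 tcp 5600
malformed record
"""

if __name__ == "__main__":
    for host, info in summarise(find_violations(SAMPLE_FLOWS.splitlines())).items():
        print(host, info)
```

A workstation touching a database host on any port is the segmentation failure the briefing attributes to several victims, and an application server opening RDP to a database is the kind of traffic a periodic review should surface even though the app tier is otherwise trusted. The policy is an allow-list, so new zones or ports are denied until someone adds them explicitly.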

Beyond the finance sector, from 1 May 2025 to 31 May 2025, a wider set of 35 reported ransomware incidents affected large organisations across the United Kingdom and continental Europe. This figure derives from consolidated data in VirusTotal repositories and advisories shared by CISA and the UK's NCSC on 28 May 2025. While the finance sector was notably impacted, critical infrastructure, manufacturing and healthcare providers were similarly targeted. Attackers often employed analogous tactics and exploited widely publicised application vulnerabilities, including newly disclosed flaws in virtual private network software. Authorities in Germany and the Netherlands reported several advanced persistent threat (APT) actors shifting their focus to local government entities, a broadening of targeting that overlaps with the activity observed among financially motivated groups.

In conclusion, the surge of ransomware attacks against the finance sector between 1 May 2025 and 31 May 2025 underscores the continuing escalation of cyber threats to large organisations in the UK and throughout Europe. Highly organised groups such as LockBit and FIN7 frequently combine social engineering, stealthy lateral movement and ransomware payloads tailored to financial infrastructure, compounding the severity of breaches. Crucially, these adversaries remain adept at identifying and exploiting network misconfigurations or missing patches, and they show particular interest in environments lacking network segmentation. The overall threat landscape in Europe during this period showed growing sophistication across threat actors, with persistent adaptation of tools and techniques designed to circumvent conventional defences. Consequently, financial services and other critical sectors are advised to bolster their incident response capabilities, maintain robust defence-in-depth strategies and continue investing in security awareness training to mitigate the evolving risk of high-impact ransomware intrusions.
