Cybercriminals are evolving their tactics, and FS&I organisations are facing an unprecedented wave of targeted attacks. The first half of 2025 has seen a surge in sophisticated attacks targeting cloud infrastructure, exploiting regulatory complexity, and applying psychological pressure during extortion. For financial institutions and insurers, the stakes are high, ranging from data breaches and financial loss to reputational damage and compliance violations.
Quorum Cyber’s Relentless Threats: 2025 Mid-Year Global Cyber Risk Outlook Report offers FS&I security leaders a strategic perspective on attacker behaviour, providing the insights and defence strategies needed to stay ahead of evolving threats.
Why FS&I firms are prime targets
FS&I organisations manage vast amounts of sensitive data: customer financial records, insurance claims, investment portfolios, and regulatory filings. Their role in high-value transactions and critical infrastructure makes them attractive targets for ransomware, data theft, and fraud.
Despite significant investment in cyber security, FS&I remains a high-value target due to:
- Complex regulatory environments
- High liquidity and transaction volumes
- Increasing reliance on cloud-native services
- Interconnected systems with third-party vendors
Threat actors exploit both technical vulnerabilities and regulatory ambiguity to maximise impact, often leveraging tactics that blur the lines between cybercrime and financial fraud.
Key threats shaping the FS&I risk landscape
- Cloud-Native Ransomware: Codefinger
In January 2025, Quorum Cyber identified Codefinger, a ransomware group abusing AWS features to encrypt cloud-stored financial data. By exploiting Server-Side Encryption with Customer-Provided Keys (SSE-C), attackers rendered data irrecoverable without the ransom key.
FS&I Impact: Cloud-native extortion threatens core banking and insurance platforms. Strong cloud key management and encryption policy monitoring are essential.
- Resilient Infostealers: Acreed
After the takedown of Lumma, Acreed emerged, targeting browser-stored credentials, crypto wallets, and payment data, all assets frequently accessed by financial professionals.
FS&I Impact: Credential theft can lead to fraudulent transactions and insider threats. Phishing-resistant MFA and dark web monitoring are critical.
- Nation-State and Criminal Convergence: Moonstone Sleet & Qilin
North Korea’s Moonstone Sleet deployed Qilin ransomware in attacks on software firms, showcasing the fusion of state and criminal capabilities.
FS&I Impact: Attribution challenges and legal risks escalate. FS&I firms must integrate legal counsel into incident response and ensure compliance with sanctions regulations.
- Quadruple Extortion: Qilin’s Regulatory Harassment
Qilin now includes regulatory complaints, client intimidation, and reputational threats in its extortion playbook.
FS&I Impact: Regulatory bodies and customers may be directly contacted post-breach. Crisis communications and legal teams must be embedded in response planning.
- Ransomware Cartels & White-Label Services: DragonForce & RansomBay
Groups like DragonForce and RansomBay offer ‘rebrandable’ ransomware kits and support services, enabling widespread, decentralised attacks.
FS&I Impact: Increased attack volume and diversity. FS&I firms must adopt threat intelligence-led defence and prepare for attribution complexity.
- AI-Driven Extortion: GLOBAL Ransomware
The GLOBAL RaaS platform introduced AI-powered negotiation bots, automating and scaling extortion tactics.
FS&I Impact: AI-driven pressure tactics reduce negotiation windows. FS&I teams must train for psychological resilience and rapid intelligence sharing.
Financial impact and sector trends
Quorum Cyber’s data shows a 53% increase in initial ransomware demands between Q1 2022 and Q1 2025. FS&I firms often face tailored demands based on perceived ability to pay and data sensitivity.
- Finance: +179% increase in demands
- Insurance: Targeted due to claims data and actuarial models
- Trend: Attackers now price demands based on sector risk tolerance and regulatory exposure
Checklist for FS&I security leaders
1. Harden Cloud Storage & Key Management
- Disable SSE-C unless strictly necessary
- Monitor changes to encryption policies and access controls
2. Enhance User Awareness
- Train staff on social engineering and financial fraud tactics
- Encourage prompt reporting of anomalies
3. Deploy Phishing-Resistant MFA
- Use FIDO2 keys or device-bound passkeys
- Avoid SMS/app-based OTPs
4. Implement Conditional Access Policies
- Assess identity, device, and location dynamically
- Enforce frequent MFA refresh intervals
5. Monitor for Credential Exposure
- Continuously scan for leaked credentials and brand impersonation
- Rotate credentials and assess exposure paths
6. Prepare for Multi-Vector Extortion
- Integrate legal, PR, and technical teams into response playbooks
- Simulate scenarios involving regulatory complaints and client intimidation
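One way to verify item 1 of the checklist, as an added example that is not taken from the report or from Quorum Cyber: a Python audit that checks whether an S3 bucket policy denies uploads that use SSE-C. The condition key is the one AWS documents for the SSE-C request header; the bucket name, both sample policies and all function names are constructed for illustration, and the check does not evaluate `NotAction`, `NotPrincipal` or organisation-level policies.

```python
import fnmatch

# AWS condition key populated when a request carries the SSE-C algorithm header.
SSE_C_KEY = "s3:x-amz-server-side-encryption-customer-algorithm"
BUCKET = "example-claims-archive"  # constructed bucket name

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _covers_put_object(actions):
    # IAM action names are case-insensitive and may contain wildcards.
    return any(fnmatch.fnmatchcase("s3:putobject", a.lower()) for a in _as_list(actions))

def _covers_all_objects(resources, bucket):
    return any(r in ("*", f"arn:aws:s3:::{bucket}/*") for r in _as_list(resources))

def _matches_sse_c_requests(condition):
    # "Null": {key: "false"} means "the key is present", i.e. the upload uses SSE-C.
    null_block = {k.lower(): v for k, v in condition.get("Null", {}).items()}
    value = null_block.get(SSE_C_KEY)
    return value is not None and str(_as_list(value)[0]).lower() == "false"

def blocks_sse_c(policy, bucket):
    """Return True if some statement denies SSE-C PutObject for every principal."""
    for stmt in _as_list(policy.get("Statement", [])):
        if (stmt.get("Effect") == "Deny"
                and stmt.get("Principal") == "*"
                and _covers_put_object(stmt.get("Action", []))
                and _covers_all_objects(stmt.get("Resource", []), bucket)
                and _matches_sse_c_requests(stmt.get("Condition", {}))):
            return True
    return False

# Constructed policy: enforces TLS only, so SSE-C uploads are still accepted.
WEAK = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Deny", "Principal": "*", "Action": "s3:*",
    "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"],
    "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]}

# Constructed policy: the WEAK statement plus a deny on SSE-C uploads.
HARDENED = {"Version": "2012-10-17", "Statement": WEAK["Statement"] + [{
    "Sid": "DenySSECUploads", "Effect": "Deny", "Principal": "*",
    "Action": "s3:PutObject", "Resource": f"arn:aws:s3:::{BUCKET}/*",
    "Condition": {"Null": {SSE_C_KEY: "false"}}}]}

if __name__ == "__main__":
    for name, policy in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        print(name, "blocks SSE-C uploads:", blocks_sse_c(policy, BUCKET))
```

Running the same check on a schedule, and alerting when a bucket that previously passed starts failing, covers the second bullet of item 1 (monitoring changes to encryption policies).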
Intelligence-led defence for FS&I
Security leaders in FS&I face a unique challenge: protecting high-value financial data in a landscape shaped by professionalised cybercrime. The insights in this report support strategic decision-making, helping firms anticipate attacker behaviour, strengthen resilience, and maintain customer trust.
Staying ahead means leading with intelligence, collaboration, and continuous visibility. Read the full report: Relentless Threats: 2025 Mid-Year Global Cyber Risk Outlook.