TLDR
The standard ransomware conversation for banks centers on backup frequency and recovery time. That framing addresses the wrong problem. Modern ransomware groups routinely steal data before encrypting anything, meaning a clean restore from backup does not undo the breach. The real gap in most regional bank defenses is the failure to detect and contain attackers during the days or weeks they spend inside the network before they pull the trigger. That is where this piece focuses.
Ask most regional bank security teams about their ransomware posture and the conversation lands on backups. Immutable copies, offsite storage, tested recovery procedures, RTO targets. It is a reasonable place to start, and it is the wrong place to stop.
Backups address one dimension of a ransomware attack: the encryption. They say nothing about the data that was already copied out before the payload dropped, the credentials harvested during the attacker's time in the environment, or the regulatory notification obligations that apply regardless of how cleanly you restore (the federal banking agencies' Computer-Security Incident Notification Rule, in effect since 2022, requires a banking organization to notify its primary federal regulator within 36 hours of determining that a notification incident has occurred). A bank that recovers its systems in 48 hours from a clean backup has still experienced a breach. Those are different problems with different consequences.
The conversation the industry needs to have is about what happens before the ransomware detonates, and what it takes to catch attackers during that window.
The Financial Sector is a Preferred Target, and the Numbers Reflect It
Financial services is not just one of the most targeted sectors for ransomware; it is consistently at the top. According to Sophos research, 65% of financial services organizations reported being hit by ransomware in 2024, up from 64% the year prior.[1] That is not a statistical blip. It is a sustained targeting pattern driven by the combination of valuable data, operational dependencies that create leverage, and the reputational cost of downtime in an industry built on trust.
The exfiltration picture is equally important. In 2024, 90% of ransomware attacks involved data exfiltration, up from 85% in 2023 and just 10% in 2019.[2] Double extortion, stealing the data and then encrypting it, is now the standard operating model, not an advanced variation. Paying the ransom or restoring from backup does not resolve the stolen data problem.
Attackers also know exactly what defenders rely on. In nine out of ten ransomware attacks against financial institutions in 2024, threat actors specifically targeted backup infrastructure.[3] The recovery plan is not invisible to the attacker. They work around it deliberately. And even when backups succeed, organizations that restored data from backups still spent an average of $375,000 in recovery costs.[4] Backup is table stakes, not a strategy.
The Window that Actually Matters
Ransomware actors do not breach a network and immediately detonate. They spend time inside: mapping the environment, escalating privileges, identifying backup systems to disable, and staging data for exfiltration. That pre-detonation window is where defenders have the best opportunity to intervene, and where most regional bank defenses have the least visibility.
The mean time to identify a breach across industries in 2024 was 194 days, while the median dwell time from initial compromise to encryption in Q4 2024 was just four days.[5] Those two numbers describe the problem precisely: a ransomware crew needs days to go from foothold to detonation, and the typical organization takes months to notice that anyone is inside. The pre-detonation window is real, but it is narrow, and a detection program that does not surface attacker behavior within a few days of initial access will not surface it before the encryption starts. Sophos incident response data shows that the majority of ransomware attacks are launched between 11pm and 8am in the target's time zone, with a strong preference for late hours at the end of the week.[6] Attackers are not operating on banker's hours. The monitoring programs that matter are the ones running, and staffed, when the security team is not.
What happens during dwell time is specific and consistent: credential harvesting (LSASS memory access, requests for RC4-encrypted Kerberos service tickets that can be cracked offline), privilege escalation, Active Directory enumeration with built-in tools such as net, nltest and dsquery or with AdFind, identification of backup agents and shadow copies, and data staging for exfiltration, typically archives assembled on a staging host and pushed to a file-sharing or cloud storage service. These activities leave detectable artifacts in process creation, authentication and domain controller logs, but only if the logging architecture captures them and someone is looking.
One Attack, Sixty Victims: The Trellance Incident
November 26, 2023. The Sunday after Thanksgiving. Approximately 60 credit unions across the country went offline simultaneously. None of them had been directly attacked.[7]
The ransomware hit Ongoing Operations, a Trellance-owned cloud services provider, with the attack linked to CVE-2023-4966, the critical Citrix NetScaler ADC and Gateway vulnerability known as CitrixBleed.[8] Ongoing Operations provided disaster recovery, cloud hosting, and business continuity services to credit unions, the exact infrastructure those institutions depended on to stay operational during a crisis. Citrix published the fix for CitrixBleed on October 10, 2023, and CISA added the CVE to its Known Exploited Vulnerabilities catalog on October 18, roughly seven weeks before the attack. The attackers did not need sophisticated zero-day exploits or nation-state resources. They needed to find an organization that had not patched an internet-facing appliance for which exploitation was already public.
Affected credit unions remained offline for roughly seventeen days before the NCUA confirmed full restoration on December 13.[9] Members could not access accounts. Small businesses using those credit unions for payroll scrambled for alternatives. The credit unions themselves had functioning backup procedures and no direct compromise of their own networks, and it did not matter. Their recovery timeline was entirely dependent on a vendor they did not control.
This was not an isolated pattern. That same month, LockBit used the same CitrixBleed vulnerability to breach ICBC's U.S. financial services unit, disrupting the settlement of Treasury trades for one of the world's largest banks.[10] Same CVE, same month, very different scale. The technical entry point does not distinguish between institution sizes.
The lesson that transfers directly to regional banks: your attack surface includes every vendor with privileged access to your environment. Most institution-level security assessments do not test those paths.
What Offensive Testing Actually Finds
When red teams operate inside regional bank environments, certain findings appear with enough consistency to be worth naming directly.
Backup systems are frequently reachable from the same network segments as production infrastructure. The logical separation documented in architecture diagrams does not always reflect what is actually accessible via lateral movement. An attacker who gains a foothold on an endpoint can often reach backup agents without crossing any meaningful boundary.
Service accounts are routinely over-permissioned. Accounts created for specific integrations accumulate privileges over time and are rarely audited. From an attacker’s perspective, these are the lateral movement paths that make privilege escalation straightforward. Finding an account with domain admin rights that was provisioned for a legacy application three years ago is not unusual.
Logging coverage has gaps that align with attacker behavior. Authentication events from legacy protocols such as NTLM, off-hours activity on service accounts, Kerberos service ticket requests on domain controllers, and lateral movement between internal segments are often undercaptured. In environments where EDR covers endpoints but domain controller and network-level logging is sparse, the pre-detonation activity that matters most may generate no alerts at all.
Third-party access pathways are almost always under-scoped. Vendors with remote access to core banking systems, managed service providers with elevated credentials, and integration accounts connecting core platforms to ancillary services create access paths that do not appear in standard vulnerability scans. Red team exercises that follow these pathways frequently reach critical systems without triggering any detection.
Building Defenses Calibrated to the Actual Threat
Addressing the pre-detonation window requires investment in three areas that often lag behind recovery planning.
Detection before detonation means threat hunting calibrated to ransomware actor TTPs, not just generic anomaly thresholds. The behavioral signatures of credential harvesting, Active Directory enumeration, and backup targeting are well-documented and can be hunted proactively. For regional banks without dedicated SOC staff, this is an area where managed detection partnerships add real value, particularly if those partners have offensive experience and understand what attacker behavior actually looks like.
Network segmentation that is tested, not assumed. Architecture diagrams and firewall rules should be validated against actual lateral movement scenarios. The question worth asking is not whether segmentation is documented; it is whether an attacker who compromises a branch workstation can reach core banking systems. The answer in untested environments is often yes.
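One way to turn "tested, not assumed" into a repeatable check, as an added example that is not code from the original article: run a small probe from the host that plays the attacker's foothold (a branch workstation, say) against the paths the architecture diagram claims are blocked. The zone names, addresses and ports below are constructed for a hypothetical bank network. The distinction worth internalizing is in `probe_tcp`: a connection refused (RST) means the firewall let the SYN through and only the absence of a listener stopped you, so it is recorded as a segmentation failure, not a pass.

```python
"""Probe lateral-movement paths that the segmentation design says are blocked.

Added example, not code from the original article. Run it from the host that
plays the attacker's foothold. Zones, addresses and ports are constructed for a
hypothetical bank network.
"""
import socket
from dataclasses import dataclass


@dataclass(frozen=True)
class Path:
    name: str
    target: str
    port: int
    expect: str  # what the architecture diagram claims: "open" or "filtered"


# Constructed scenarios: what a compromised branch workstation should (not) reach.
PATHS = [
    Path("branch -> core banking DB (MSSQL)", "10.10.20.5", 1433, "filtered"),
    Path("branch -> backup server management", "10.10.30.8", 9392, "filtered"),
    Path("branch -> DC admin shares (SMB)", "10.10.10.2", 445, "filtered"),
    Path("branch -> DC Kerberos (needed for logon)", "10.10.10.2", 88, "open"),
]


def probe_tcp(host, port, timeout=1.5):
    """Classify a TCP path as open, closed or filtered, the way a port scanner does."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"          # SYN/ACK: a service answered
    except ConnectionRefusedError:
        return "closed"            # RST came back: the firewall let the SYN through
    except OSError:
        return "filtered"          # timeout or unreachable: dropped somewhere in the path


def validate(paths, probe=probe_tcp):
    """Compare the documented segmentation with what the network actually does."""
    findings = []
    for p in paths:
        actual = probe(p.target, p.port)
        if p.expect == "filtered" and actual != "filtered":
            # "closed" still counts: nothing listens today, but the route is open.
            findings.append({"path": p.name, "expected": p.expect, "actual": actual,
                             "severity": "high" if actual == "open" else "medium"})
        elif p.expect == "open" and actual != "open":
            # A required flow that is blocked: broken business flow or wrong vantage point.
            findings.append({"path": p.name, "expected": p.expect, "actual": actual,
                             "severity": "info"})
    return findings


if __name__ == "__main__":
    for f in validate(PATHS):
        print(f'[{f["severity"]:6}] {f["path"]}: expected {f["expected"]}, got {f["actual"]}')
```

Run it from more than one vantage point (a branch workstation, a vendor jump host, a server in the DMZ), since the interesting paths are the ones nobody drew. It only covers TCP; UDP and ICMP reachability need a separate pass. Every "high" finding is a lateral movement path until a rule change and a re-run prove otherwise.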
Backup architecture hardened against the specific techniques attackers use. Shadow copy deletion, backup agent compromise, and targeting of network-attached storage are standard playbook items for ransomware groups. Backup systems should be isolated, access-controlled, and specifically tested against these scenarios, not just tested for restoration capability under normal conditions.
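The dwell-time behaviors listed earlier (credential harvesting, Active Directory enumeration, service accounts active at night, shadow copy deletion and backup agent tampering) are concrete enough to hunt for. The following is an added example, not code from the original article or from any vendor: a small hunt over constructed events already normalized from Windows Security and Sysmon logs. The field names, the backup service names and the "svc_" account prefix are assumptions for a hypothetical environment. The point it makes beyond the prose is the correlation at the end: no single rule is the detection, the chain is.

```python
"""Hunt for pre-detonation ransomware behavior in normalized Windows events.

Added example, not code from the original article. Events are constructed and
already normalized from Security/Sysmon logs; field names, service names and
the "svc_" prefix are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta


def ev(ts, host, user, event, **fields):
    """Build one normalized event (timestamps are the bank's local time)."""
    return {"ts": ts, "host": host, "user": user, "event": event, **fields}


# Constructed sample telemetry: one night of attacker activity plus benign daytime admin work.
EVENTS = [
    ev("2024-11-29T23:41:10", "BR07-WS12", "svc_legacyapp", "logon", logon_type=10, src_ip="10.7.0.55"),
    ev("2024-11-29T23:44:02", "BR07-WS12", "svc_legacyapp", "process_create", cmdline='net group "Domain Admins" /domain'),
    ev("2024-11-29T23:45:30", "BR07-WS12", "svc_legacyapp", "process_create", cmdline="nltest /dclist:corp.example"),
    ev("2024-11-29T23:50:00", "DC01", "svc_legacyapp", "kerberos_tgs", enc_type="0x17", spn="MSSQLSvc/db1:1433", src_ip="10.7.0.55"),
    ev("2024-11-29T23:50:04", "DC01", "svc_legacyapp", "kerberos_tgs", enc_type="0x17", spn="HTTP/intranet", src_ip="10.7.0.55"),
    ev("2024-11-29T23:50:09", "DC01", "svc_legacyapp", "kerberos_tgs", enc_type="0x17", spn="CIFS/fs01", src_ip="10.7.0.55"),
    ev("2024-11-30T00:12:45", "BKP01", "svc_legacyapp", "process_create", cmdline="vssadmin.exe delete shadows /all /quiet"),
    ev("2024-11-30T00:13:01", "BKP01", "svc_legacyapp", "service_stop", service="VeeamBackupSvc"),
    ev("2024-11-29T10:05:00", "ADM01", "jdoe_adm", "process_create", cmdline="vssadmin list shadows"),
    ev("2024-11-29T10:06:00", "ADM01", "jdoe_adm", "logon", logon_type=10, src_ip="10.1.0.9"),
    ev("2024-11-29T10:07:00", "DC01", "jdoe_adm", "kerberos_tgs", enc_type="0x12", spn="CIFS/fs01", src_ip="10.1.0.9"),
]

# Command-line patterns for the techniques named in the text.
BACKUP_TAMPER = [re.compile(p, re.I) for p in (
    r"vssadmin(\.exe)?\s+delete\s+shadows", r"wmic(\.exe)?\s+shadowcopy\s+delete",
    r"bcdedit(\.exe)?.*recoveryenabled\s+no", r"wbadmin(\.exe)?\s+delete\s+catalog")]
AD_ENUM = [re.compile(p, re.I) for p in (
    r'net1?(\.exe)?\s+group\s+"?domain admins"?', r"nltest(\.exe)?\s+/dclist",
    r"\badfind(\.exe)?\b", r"dsquery(\.exe)?\s")]
BACKUP_SERVICES = {"veeambackupsvc", "vss", "sqlwriter"}  # assumed names for this environment
SVC_PREFIX = "svc_"            # assumed service-account naming convention
OFF_HOURS = (23, 8)            # 11pm-8am local, per the Sophos IR data cited above
RC4 = "0x17"                   # RC4-HMAC ticket encryption: the Kerberoasting tell
KERB_WINDOW, KERB_THRESHOLD = timedelta(minutes=5), 3


def is_off_hours(dt):
    start, end = OFF_HOURS
    return dt.hour >= start or dt.hour < end


def alert(rule, e, detail):
    return {"rule": rule, "ts": e["ts"], "host": e["host"], "user": e["user"], "detail": detail}


def hunt(events):
    """Return one alert per pre-detonation TTP observed, in time order."""
    alerts, tgs_by_src = [], defaultdict(list)
    for e in sorted(events, key=lambda x: x["ts"]):
        dt, kind = datetime.fromisoformat(e["ts"]), e["event"]
        if kind == "process_create":
            cmd = e.get("cmdline", "")
            if any(p.search(cmd) for p in BACKUP_TAMPER):
                alerts.append(alert("backup_tamper", e, cmd))
            if any(p.search(cmd) for p in AD_ENUM):
                alerts.append(alert("ad_enumeration", e, cmd))
        elif kind == "service_stop" and e.get("service", "").lower() in BACKUP_SERVICES:
            alerts.append(alert("backup_service_stopped", e, e["service"]))
        elif kind == "logon" and e["user"].lower().startswith(SVC_PREFIX) \
                and e.get("logon_type") in (2, 10) and is_off_hours(dt):
            # Service accounts should never log on interactively, least of all at night.
            alerts.append(alert("svc_account_interactive_offhours", e, f"type {e['logon_type']} from {e['src_ip']}"))
        elif kind == "kerberos_tgs" and e.get("enc_type") == RC4:
            # RC4 tickets for several distinct SPNs from one source within minutes: Kerberoasting.
            window = tgs_by_src[e["src_ip"]]
            window.append((dt, e["spn"]))
            window[:] = [(t, s) for t, s in window if dt - t <= KERB_WINDOW]
            if len({s for _, s in window}) == KERB_THRESHOLD:
                alerts.append(alert("kerberoast_burst", e, f"{KERB_THRESHOLD} RC4 SPNs from {e['src_ip']}"))
    return alerts


def correlate(alerts, min_rules=3):
    """Accounts that tripped several distinct rules: the chain, not one event, is the intrusion."""
    rules_by_user = defaultdict(set)
    for a in alerts:
        rules_by_user[a["user"]].add(a["rule"])
    return {u for u, r in rules_by_user.items() if len(r) >= min_rules}


if __name__ == "__main__":
    found = hunt(EVENTS)
    for a in found:
        print(f'{a["ts"]} {a["rule"]:34} {a["user"]}@{a["host"]}: {a["detail"]}')
    print("probable intrusion via:", correlate(found))
```

The benign daytime rows are there on purpose: `vssadmin list shadows` from an admin account at 10am fires nothing, and an AES service ticket request is not counted toward the Kerberoasting threshold. Each rule on its own will produce noise in a real estate; the `correlate` step is what separates a maintenance window from an operator who logged on at 11:41pm, enumerated Domain Admins, requested crackable tickets and then deleted the shadow copies.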
From a regulatory standpoint, FFIEC guidance on operational resilience and the 2023 Interagency Guidance on Third-Party Relationships: Risk Management issued by the OCC, the Federal Reserve and the FDIC are pointing at exactly these gaps. Examiners are asking harder questions about vendor security assessment and incident response capability. The institutions that can answer those questions with technical evidence (test results, detection coverage mapped to attacker techniques, segmentation validated by probing rather than by diagram) instead of documentation alone are in a materially better position.
The Question Worth Asking
Recovery planning answers: can we survive a hit? That is a necessary question. It is not sufficient.
The question that most regional bank security programs have not fully answered is: would we know if someone was already inside? Not whether antivirus is installed, but whether the specific behavioral patterns of a ransomware actor operating during off-hours, moving laterally through service accounts, and staging data for exfiltration would generate an alert that someone would see and act on.
The Trellance incident took 60 institutions offline for over two weeks through a vulnerability that had been patched, publicly exploited, and listed in CISA's Known Exploited Vulnerabilities catalog weeks before it was used. The technical entry was unremarkable. What was remarkable is how far the impact traveled before anyone detected it. That is the gap worth closing.
References
[1] Sophos. “The State of Ransomware in Financial Services 2024.” Sophos, 2024, as summarized by Invenio IT. https://invenioit.com/continuity/ransomware-attacks-finance/
[2] PurpleSec. “Average Cost of Ransomware Attacks.” PurpleSec, 2024. https://purplesec.us/learn/average-cost-of-ransomware-attacks/
[3] JumpCloud. “2024 Ransomware Attack Statistics and Trends.” JumpCloud Blog, 2024. https://jumpcloud.com/blog/2024-ransomware-attack-statistics-trends-to-know
[4] Sophos. “The State of Ransomware in Financial Services 2024.” Sophos, 2024, as summarized by Invenio IT. https://invenioit.com/continuity/ransomware-attacks-finance/
[5] Bright Defense. “Ransomware Statistics 2024” (citing Halcyon data). Bright Defense, 2025. https://www.brightdefense.com/resources/ransomware-statistics/
[6] Wisniewski, Chester. “Ransomware Attack Dwell Times Fall, Pressuring Companies to Quickly Respond.” Cybersecurity Dive, August 23, 2023. https://www.cybersecuritydive.com/news/ransomware-attack-dwell-times-sophos/691576/
[7] Centrexit. “60 Credit Unions Went Dark the Sunday After Thanksgiving.” Centrexit, December 10, 2025. https://centrexit.com/credit-union-ransomware-supply-chain-attack/
[8] Toulas, Bill. “Dozens of Credit Unions Confront Outages Linked to Third-Party Ransomware Attack.” Cybersecurity Dive, December 4, 2023. https://www.cybersecuritydive.com/news/credit-unions-outages-ransomware/701442/
[9] Toulas, Bill. “Credit Unions Recover from Outages Caused by Third-Party Ransomware Attack.” Cybersecurity Dive, December 14, 2023. https://www.cybersecuritydive.com/news/credit-unions-recover-third-party-ransomware/702540/
[10] Recorded Future News. “Industrial and Commercial Bank of China Dealing with LockBit Ransomware Attack.” The Record, November 2023. https://therecord.media/icbc-dealing-with-ransomware-attack