Black Kite’s 2026 State of Financial Services Report Reveals Ransomware Surge and Vulnerability Deluge Driving Two-Front Cyber Threat

Q1 2026 direct ransomware attacks on financial institutions spiked 76% year-over-year, while 50% of financial vendor ecosystems carry critical vulnerabilities

BOSTON, June 3, 2026 /PRNewswire/ — Black Kite, the leader in third-party cyber risk management, today released its newest report, 2026 State of Financial Services: The Dual Storm of Ransomware and Vendor Ecosystem Risk, which explores how direct attacks and supply chain risk are now rising together. The report found that direct ransomware attacks are escalating again and occurring concurrently with a massive surge in vendor vulnerabilities, shifting the industry from a single-direction tactical problem to a two-front structural crisis.

“Last year, we saw attackers shift focus to weaker third parties as direct ransomware attacks declined. This year’s findings prove that reprieve is over,” said Ferhat Dikbiyik, Chief Research & Intelligence Officer at Black Kite. “Direct attacks are climbing again, and the vendor ecosystem is measurably more vulnerable. Financial institutions cannot solve this through internal controls alone. The visibility, response speed, and depth of analysis required to manage this category of risk sit at the third-party layer.”

The financial sector’s 2024 relief, which was largely fueled by law enforcement disruptions of major ransomware groups like LockBit and Clop, was short-lived. In 2025, direct attacks rebounded as operators restructured under new banners. This fracturing ecosystem saw the number of distinct threat groups targeting finance climb from 37 in 2023, to 45 in 2024, and to 48 in 2025, led by threat actors Qilin, Akira, and Kill Security.

Ransomware targeting within finance has shifted significantly since 2023. In 2023, banks were the primary ransomware target with 71 disclosures compared to 44 disclosures reported by investment firms. By 2025, those positions reversed, banking incidents fell to 36 disclosures, and investment firm disclosures nearly doubled, as they became the most-targeted segment with 84 disclosures (41.6% of all incidents). This investment-sector surge was driven by a September 2025 campaign against South Korean asset managers, which accounted for 32 disclosures (38.1% of the subindustry’s total).

The CVE Volume Problem Is Accelerating, and the Gap is Widening
Over 48,000 CVEs were published globally in 2025 alone, an 18% year-on-year increase. Growing AI adoption is expected to further increase that volume through both AI-assisted vulnerability discovery and the widespread use of AI systems as new attack surfaces. In the 2026 Supply Chain Vulnerability Report, Black Kite Research Group identified 1,240 CVEs as high-priority for third-party risk in 2025, a 59% increase since 2024.

Across all financial services vendors, 50.2% carry high-severity CVEs. As CVE volume increases and exploitation timelines compress globally, the operational impact on financial institutions is becoming increasingly direct. According to Verizon’s latest Data Breach Investigations Report (DBIR), vulnerability exploitation overtook phishing as the leading initial access vector for breaches for the first time in the report’s history. In this environment, visibility into the supply chain vulnerabilities that can introduce the greatest operational risk is essential.

Key findings from the report:

• Ransomware returns to finance: Direct ransomware attacks on financial institutions resumed their upward trajectory in 2025 after a brief decline the year before. Reported incidents increased by 30% from 2024 to 2025, while early 2026 data indicates the trend is accelerating further, with Q1 incidents rising 76% year-over-year.
• Vendor risk is a sector-wide threat: In September 2025, Qilin’s compromise of a single South Korean MSP cascaded into 32 financial institutions and over 2 terabytes of stolen data, making South Korea the second-most-targeted country for finance ransomware that year.
• A reorganized threat ecosystem: The number of distinct threat groups targeting finance climbed to 48 in 2025, led by emerging threat actors Qilin, Akira, and Kill Security. The dismantlement of major ransomware groups did not reduce the threat; it rerouted it. Operators from disrupted groups have rebuilt under new banners. Emerging actors have rapidly filled the vacuum, with Qilin alone responsible for 59 finance-sector incidents in the past year.
• Vendor vulnerabilities multiply: From 2024 to 2025, the number of critical vulnerabilities carried across vendors serving the financial sector increased 387%. Among the 140 vendors whose client base is meaningfully concentrated in finance, critical vulnerabilities increased 181%.
• Active exploitation at scale: 54% of the 140 vendors whose client base is meaningfully concentrated in finance carry at least one vulnerability listed in CISA’s Known Exploited Vulnerabilities (KEV) catalog, meaning those vulnerabilities are actively being exploited in the wild.
• Patch management gaps are widespread across the financial supply chain: Critical-level patch management failures are present in 78% of the 140 vendors whose client base is meaningfully concentrated in finance. As exploit timelines compress and vulnerability exploitation overtakes phishing as a leading breach vector, the ability to identify, prioritize, and drive remediation of the most critical exposures across the vendor ecosystem is becoming increasingly essential.

Financial institutions now face simultaneous pressure from direct ransomware targeting and the growing volume of exploitable vulnerabilities carried across their vendor ecosystem. While the sector itself operates under extensive regulatory scrutiny, many third-party vendors face far less pressure to mature at the same pace, widening the exposure gap across the financial supply chain.

As vulnerability exploitation becomes a leading initial access vector and exploit timelines continue to compress, resilience increasingly depends on the ability to continuously identify, prioritize, and respond to critical exposures across both internal environments and third-party relationships. In this environment, capabilities such as continuous monitoring, predictive analytics, and quantified risk are no longer differentiators, but operational requirements.

To read the report, visit https://blackkite.com/reports/2026-financial-services-report.

Methodology
The data presented in this report is the result of a multi-source, intelligence-led investigation by the Black Kite Research Group™. This report integrates several streams of intelligence curated by the Black Kite Research Group between January 2023 and Q1 2026. The ransomware-related data specifically includes only confirmed victims where both encryption and data leaks were verified, and attribution to a known ransomware group was clearly established. All vendor-related data was derived from Black Kite’s proprietary telemetry and publicly available information, supplemented by intelligence gathered from surface, deep, and dark web sources.

About Black Kite
Black Kite is the AI-native third-party cyber risk management platform trusted by over 3,000 customers to manage every supplier and every risk across their extended ecosystem. Powered by the industry’s highest-quality risk intelligence, spanning over 40 million companies, Black Kite is differentiated by the accuracy, transparency, and actionability of its data. The platform automates vendor monitoring and risk assessments, surfacing reliable insights into ransomware susceptibility, regulatory gaps, financial exposure, and more. With Black Kite, security and risk teams gain always-on visibility and trusted intelligence to act early, reduce exposure, and stay ahead of third-party threats. Black Kite has received numerous industry awards and recognition from customers. Learn more at www.blackkite.com, or on the Black Kite blog.

Media Contact:
Michelle Kearney
Hi-Touch PR
443-857-9468
[email protected]

View original content to download multimedia:https://www.prnewswire.com/news-releases/black-kites-2026-state-of-financial-services-report-reveals-ransomware-surge-and-vulnerability-deluge-driving-two-front-cyber-threat-302787164.html

SOURCE Black Kite