Nearly two-thirds (63%) of global financial institutions have seen an increase in destructive attacks over the past year, and many fear new threats as the war in Ukraine escalates, according to VMware.

The company surveyed 130 financial sector CISOs and security managers around the world to compile its Modern bank robberies report.

The number reporting an increase in destructive malware jumped 17% from last year’s report, according to chief cybersecurity strategist Tom Kellermann.

Although criminals often use this technique to destroy evidence and confuse incident response teams, there is the prospect of more attacks in which erasing data is the primary goal.

“Destructive attacks are launched in a punitive manner to destroy, disrupt, or degrade victim systems by taking actions such as file encryption, data deletion, destruction of hard drives, termination of connections, or execution of malicious code”, says Kellerman.

“In fact, we recently witnessed the launch of destructive malware like HermeticWiper after Russia invaded Ukraine. Notably, the majority of financial executives I spoke to for this report said Russia posed the greatest concern to their institution.

This week, intelligence group Five Eyes repeated warnings of Russian state-sponsored attacks on Western critical infrastructure and potential threats from cybercrime groups in the region.

Banks would undoubtedly be in the crosshairs of possible cyber-retaliations, given the major impact of economic sanctions on Russia.

The report also found that three-quarters (74%) of respondents had experienced at least one ransomware attack in the past year, with 63% having paid the ransom – a figure Kellermann called “staggering”.

Ransomware-as-a-service offerings and remote access tools (RATs) have helped cybercriminals gain an advantage in this area, he argued.

“Ransomware has a sinister relationship with these RATs, as these tools allow bad actors to persist in the environment and establish an intermediary server that can be used to target additional systems,” Kellermann continued.

“Once an adversary has gained this limited access, they will typically attempt to monetize it by relying on victim data for extortion (including double and triple extortion) or by stealing resources to cloud services using cryptojacking attacks.”