Destructive Attacks on Financial Institutions Surge 13%: The 2025 Threat That Validated DORA

When DORA was adopted in December 2022 and entered into force in January 2023, critics argued that the regulation was an overreaction — that existing supervisory frameworks were sufficient to manage ICT risk in financial services. The data from 2024, reported by Infosecurity Magazine on February 5, 2025, suggests otherwise.
Destructive cyberattacks against financial institutions increased by 13% in 2024 compared to 2023. This is not the headline statistic about overall cyber incidents (which also rose). It covers attacks designed to destroy data, disable systems, and cause irrecoverable damage, the category of threat that DORA's resilience testing and recovery provisions were specifically designed to address.
The 2024 Destructive Threat Landscape
The 13% surge in destructive attacks encompasses several threat categories, each with distinct characteristics and implications for financial institutions:
| Attack Category | 2023 Volume | 2024 Volume | Change | Primary Actors |
|---|---|---|---|---|
| Wiper malware | Baseline | +22% | Significant increase | State-sponsored (Russia, Iran) |
| Destructive ransomware (no decryption) | Baseline | +18% | Significant increase | Criminal + state-aligned |
| Infrastructure sabotage | Baseline | +8% | Moderate increase | Hacktivist + state-sponsored |
| Data destruction (targeted) | Baseline | +5% | Moderate increase | Insider + criminal |
| Overall destructive attacks | Baseline | +13% | Weighted average | Mixed |
The distinction between "destructive" and traditional cybercrime is critical. Traditional ransomware encrypts data and offers decryption for payment — the attacker's incentive is financial, and recovery is theoretically possible. Destructive attacks aim to permanently destroy data and disable systems. There is no key to buy, no ransom to pay. Recovery depends entirely on the victim's backup integrity and resilience architecture.
Wiper Malware: The Most Concerning Trend
The 22% increase in wiper malware targeting financial institutions is the most significant finding. Wiper malware — software designed to irreversibly destroy data by overwriting storage — was previously associated almost exclusively with state-sponsored campaigns in the context of armed conflict (NotPetya in 2017, HermeticWiper in 2022).
The 2024 data shows wiper deployments expanding beyond conflict zones into broader financial sector targeting. SecurityScorecard threat intelligence analysis attributed the expansion to two factors: state-sponsored groups diversifying their target sets beyond immediate adversaries, and criminal groups adopting destructive techniques as an escalation tactic when ransom negotiations fail.
Why This Validates DORA
The 2024 destructive attack data validates DORA's regulatory approach in four specific areas:
1. Resilience Testing Is Not Optional (Articles 24-27)
DORA's resilience testing programme requires financial entities to test their ability to withstand and recover from ICT disruptions. The 13% surge in destructive attacks demonstrates that the threat these tests must address is not theoretical — it is active and growing.
The distinction between availability testing (can we failover?) and recovery testing (can we recover from total destruction?) becomes critical. Many financial institutions' testing programmes focus on the former. The destructive threat landscape demands the latter.
Specifically, threat-led penetration testing (TLPT) requirements for significant financial entities must now include wiper malware scenarios. A test that validates failover to a secondary site is insufficient if the wiper has already propagated to the secondary through replicated environments.
2. Backup Integrity Is the Last Line of Defense (Article 12)
DORA Article 12 requires ICT response and recovery plans, including backup and restoration procedures. In a destructive attack scenario, backups are the only path to recovery. If backups are compromised — through the same attack vector that deployed the wiper — the institution faces permanent data loss.
The 2024 data shows attackers increasingly targeting backup infrastructure specifically. Wiper variants now include modules that seek out and destroy backup repositories, shadow copies, and disaster recovery environments before attacking production data.
3. Incident Classification Must Account for Destruction (Articles 17-19)
DORA's incident classification framework must distinguish between service outages (recoverable) and destructive events (potentially irrecoverable). The regulatory technical standards for incident classification address severity based on impact duration and scope, but the permanence of destruction adds a dimension that deserves explicit treatment.
A wiper attack that destroys 48 hours of transaction data is categorically different from a DDoS attack that causes 48 hours of service unavailability. The former may require manual reconciliation across multiple institutions; the latter resolves when the attack stops.
| Incident Type | Impact Duration | Recoverability | DORA Classification | Regulatory Notification |
|---|---|---|---|---|
| DDoS attack | Hours | Full (service resumes) | Major if thresholds met | Art. 19 if major |
| Ransomware (with key) | Days | Full (after decryption) | Major | Art. 19 mandatory |
| Destructive ransomware | Weeks | Partial (backup-dependent) | Critical | Art. 19 + potential Art. 45 |
| Wiper malware | Permanent | Backup-dependent | Critical | Art. 19 + potential systemic |
4. Third-Party Resilience Matters (Articles 28-30)
The supply chain dimension of destructive attacks is particularly relevant to DORA. Several 2024 wiper campaigns reached financial institutions through compromised third-party software updates — the same supply chain attack vector that made SolarWinds and Kaseya notorious.
DORA Article 28 requires financial entities to assess the ICT risk of their third-party providers. The 2024 data demonstrates that this assessment must include the provider's ability to detect and prevent the distribution of destructive malware through their update channels.
The Financial Sector as Target: Why Banks?
The financial sector was the second most targeted industry for destructive attacks in 2024, after government/military. Three factors explain this targeting:
Strategic value: For state-sponsored attackers, the financial sector is a high-value target because disruption has cascading economic effects. Destroying a major bank's transaction data creates systemic uncertainty that affects the entire economy.
Leverage potential: For criminal groups using destructive tactics as escalation, financial institutions have the highest willingness-to-pay. The cost of permanent data loss to a bank is orders of magnitude higher than the ransom demand.
Interconnected architecture: Financial institutions are interconnected through payment systems, clearing houses, and correspondent banking relationships. A destructive attack on one institution can propagate through these connections, creating systemic risk.
Recommendations for DORA-Regulated Entities
The 2024 destructive attack data should inform concrete changes in DORA implementation:
1. Add destruction scenarios to your testing programme. Your resilience testing must include scenarios where production data and backup infrastructure are simultaneously compromised. Test whether your institution can recover from a wiper attack that targets both primary and secondary environments.
2. Implement air-gapped backups. Online backups that are reachable from the production network are vulnerable to wiper propagation. At least one backup copy must be air-gapped (physically disconnected) or immutable (write-once storage that cannot be overwritten or deleted).
3. Test backup integrity regularly. A backup that exists but has not been verified is not a backup — it is a hope. Restore tests should be conducted on a regular schedule, with the results documented for supervisory examination.
4. Update your incident response for destruction. Your incident management process needs a specific playbook for destructive attacks. The initial response — particularly around evidence preservation and blast radius containment — is different from the response to a conventional breach.
5. Assess third-party update channels. Review how your critical ICT providers deliver software updates. Assess whether the update channel could be used to distribute destructive malware, and whether the provider has controls (code signing, integrity verification, staged rollout) to prevent supply chain attacks.
| Action | Priority | DORA Article | Implementation Effort |
|---|---|---|---|
| Destruction scenario testing | Critical | Art. 24-25 | Medium — scenario design + execution |
| Air-gapped/immutable backups | Critical | Art. 12 | Medium — infrastructure investment |
| Backup integrity verification | High | Art. 12 | Low — procedural + scheduling |
| Destruction-specific IR playbook | High | Art. 17 | Low — documentation + tabletop |
| Third-party update channel review | Medium | Art. 28 | Medium — vendor engagement |
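One way to turn recommendation 3 into a repeatable check, as an added example that is not part of the original article: hash every file at backup time, then compare a test restore against that manifest and keep the resulting report as evidence. It goes slightly beyond the text by sealing the manifest with an HMAC so that a tampered manifest is detected; the function names, report fields and key handling are assumptions made for illustration.

```python
import hashlib, hmac, json, tempfile
from datetime import datetime, timezone
from pathlib import Path

def _hash_tree(root):
    """Map each file's relative path to its SHA-256, read in 1 MiB chunks."""
    out = {}
    for path in (p for p in Path(root).rglob("*") if p.is_file()):
        h = hashlib.sha256()
        with path.open("rb") as f:
            for chunk in iter(lambda: f.read(1 << 20), b""):
                h.update(chunk)
        out[path.relative_to(root).as_posix()] = h.hexdigest()
    return out

def _mac(files, key):
    body = json.dumps(files, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()

def build_manifest(root, key):
    """At backup time: hash every file and seal the list with an HMAC."""
    files = _hash_tree(root)
    return {"files": files, "mac": _mac(files, key)}

def verify_restore(manifest, restored_root, key):
    """After a test restore: compare the restored tree to the sealed manifest."""
    want, got = manifest["files"], _hash_tree(restored_root)
    report = {
        "checked_at": datetime.now(timezone.utc).isoformat(),
        "manifest_authentic": hmac.compare_digest(_mac(want, key), manifest["mac"]),
        "missing": sorted(set(want) - set(got)),
        "unexpected": sorted(set(got) - set(want)),
        "corrupted": sorted(p for p in want if p in got and got[p] != want[p]),
    }
    report["passed"] = report["manifest_authentic"] and not (
        report["missing"] or report["unexpected"] or report["corrupted"])
    return report

def demo(damage=True):
    """Constructed sample: a restore with one file zeroed and one file lost."""
    key = b"constructed-demo-key"  # assumption: real key is held off the production network
    sample = {"ledger.db": b"tx-1\ntx-2\n", "audit.log": b"ok\n"}
    with tempfile.TemporaryDirectory() as src, tempfile.TemporaryDirectory() as dst:
        for name, data in sample.items():
            Path(src, name).write_bytes(data)
        manifest = build_manifest(src, key)
        restored = {"ledger.db": b"\0" * 10} if damage else sample
        for name, data in restored.items():
            Path(dst, name).write_bytes(data)
        return verify_restore(manifest, dst, key)
```

The manifest only helps if it is stored with the air-gapped or immutable copy rather than alongside the online backup it describes.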
Conclusion
The 13% surge in destructive attacks against financial institutions in 2024 is not just a threat intelligence statistic. It is the empirical validation of DORA's regulatory hypothesis: that the financial sector faces ICT risks severe enough to warrant dedicated operational resilience regulation.
The European Parliament and Council adopted DORA based on the assessment that voluntary cybersecurity measures were insufficient for the financial sector's systemic importance. The 2024 data proves them right. Destructive attacks are increasing in volume, sophistication, and targeting precision. The question is no longer whether DORA is necessary — it is whether financial institutions are implementing it fast enough to outpace the threat.
Summary
On February 5, 2025, Infosecurity Magazine reported a 13% increase in destructive cyberattacks against financial institutions in 2024. Wiper malware rose by 22%, destructive ransomware by 18%, and infrastructure sabotage by 8%. The financial sector was the second most targeted industry after government/military. These data validate DORA's regulatory approach in four areas: resilience testing (Art. 24-27) must include destruction scenarios, backup integrity (Art. 12) is the last line of defense, incident classification (Art. 17-19) must distinguish between interruption and destruction, and third-party resilience (Art. 28-30) must cover supply chain attacks. The recommendations include adding destruction scenarios to testing programmes, implementing air-gapped backups, regularly verifying backup integrity, and reviewing third-party update channels.