When AI powers ransomware, every second counts. Systems lock, operations freeze, and the clock is already running. Real-time payments fraud losses are projected to hit over $3 billion by 2027. AI makes these attacks faster, smarter, and nearly impossible to stop manually. But when an attack takes place, payments need to keep moving. The J.P. Morgan Payments Trust and Safety suite helps maintain risk visibility and control, even under operational stress. 

Ransomware has evolved. The attacks that once held data hostage now target something more valuable: your company’s ability to operate.

Modern ransomware campaigns don't just encrypt files. They disable payment platforms, lock out fraud-detection tools and sever access to vendor records. The goal is operational paralysis, and the extortion that follows. And in that window of chaos, secondary attacks often occur.

In 2025, ransomware payments exceeded $820 million globally, according to Chainalysis.1

Average downtime after an attack stretches to 21 days.2 But the direct costs—ransom payments, recovery expenses and lost revenue—are only part of the picture. The often-overlooked risk is what happens while your defenses are down.

AI is accelerating the threat on both sides, automating reconnaissance and compressing the timeline from breach to damage. Ransomware’s immediate damage is severe. But the secondary effects—what it disables, and what that enables—can be costly, too.

The attack after the attack

When ransomware hits, the immediate crisis consumes attention. IT teams work to isolate affected systems. Leadership weighs ransom decisions. Communications scrambles to manage stakeholders. Treasury, meanwhile, faces a problem that can’t wait: Payments still need to move.

Vendors expect settlement. Payroll deadlines don’t shift. Urgent transactions queue up for approval. And the controls that would normally screen those payments? They’re locked out with everything else.

This is the window where secondary fraud flourishes.

Bad actors know that a ransomware event means reduced oversight. Payment requests that would normally trigger review may sail through because the review mechanisms are offline. Fraudulent account changes go unverified because verification tools are inaccessible. The chaos becomes cover.

The scenario: A regional healthcare network

A ransomware attack encrypts the internal systems of a regional healthcare network with $2 billion in annual revenue. Claims processing stops. The ERP is offline. Vendor records are inaccessible.

Within hours, treasury starts receiving urgent payment requests. Some are legitimate—a medical supplier threatening to halt shipments, a staffing agency demanding immediate settlement. Others are harder to verify. An email from a known vendor includes updated banking details. A request from the CFO’s address flags a time-sensitive wire for a “confidential settlement.”

Under normal circumstances, these would trigger verification workflows. The team would check account details against the vendor master. They’d validate that the receiving account matches the expected counterparty. They’d flag the velocity and timing anomalies.

But the tools that enable those checks live on the same network that’s currently encrypted. Treasury is flying blind.

By the time systems are restored 18 days later, three fraudulent payments totaling $1.4 million have cleared. The vendor with “updated banking details” was a spoofed request. The “confidential settlement” went to an account controlled by the attackers. The funds are unrecoverable.

The scenario revisited: Defenses that don’t go dark

Now consider the same attack—but with Payment Control Center, Validation Services and Account Confidence Score running on the J.P. Morgan infrastructure rather than the healthcare network’s own systems.

The ransomware attack encrypts internal systems. The ERP goes dark. Vendor records are inaccessible. But when treasury logs into J.P. Morgan Access, their fraud defenses are operational—because those defenses don’t live on the compromised network.

The same urgent payment requests arrive. Here’s what happens:

  1. The “updated banking details” request: Before the payment is approved, Account Validation Services checks the new account against J.P. Morgan and third-party data sources. The account holder is listed as “XYZ Medical Supply LLC,” but the invoice reads “XYZ Medical Supplies Inc.” The account was opened six days ago, despite a vendor relationship that spans eight years. Account Confidence Score returns an amber signal: “Needs Review.” The payment is paused. A callback to the vendor’s known number confirms no banking change was requested.
  2. The “confidential settlement” wire: Payment Control Center flags multiple anomalies. The request came outside normal business hours. The amount, $400,000, is 12 times this user’s typical transaction size. The beneficiary account has never received a payment from this organization. The velocity is unusual: three high-value wires initiated within 20 minutes. The payment is held for secondary approval. A verification call to the CFO at a known number confirms the request is fraudulent.
  3. The legitimate supplier payment: Entity Validation Services confirms the account holder matches the expected vendor. The account has received 47 prior payments from this organization. Account Confidence Score returns green. Payment Control Center sees no behavioral anomalies. The payment clears in real time. The supplier ships. Operations continue.

Total fraud loss: zero. Total operational disruption to payment flows was minimal.
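The checks walked through in the three requests above (name mismatch, account age, first-time beneficiary, timing, amount and velocity) can be sketched as rule-based screening. This is an added illustration, not J.P. Morgan's product logic; the thresholds, field names, the `Settlement Co` and `Acme Surgical` payees and the sample payments are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Thresholds are assumptions chosen for illustration, not product settings.
BUSINESS_HOURS = range(8, 18)
AMOUNT_MULTIPLE, NEW_ACCOUNT_DAYS, HIGH_VALUE = 10, 30, 100_000
VELOCITY_COUNT, VELOCITY_WINDOW = 3, timedelta(minutes=20)

@dataclass
class Payment:
    user: str
    payee_name: str        # name on the invoice
    account_holder: str    # name returned by account validation
    amount: float
    initiated: datetime
    account_opened: datetime
    prior_payments: int    # earlier payments from this organization to the account
    typical_amount: float  # the initiating user's typical transaction size

def screen(p, recent=()):
    """Return anomaly flags for p; `recent` holds payments initiated earlier."""
    flags = []
    if p.payee_name.casefold() != p.account_holder.casefold():
        flags.append("name_mismatch")
    if (p.initiated - p.account_opened).days < NEW_ACCOUNT_DAYS:
        flags.append("new_account")
    if p.prior_payments == 0:
        flags.append("first_time_beneficiary")
    if p.initiated.hour not in BUSINESS_HOURS:
        flags.append("off_hours")
    if p.amount >= AMOUNT_MULTIPLE * p.typical_amount:
        flags.append("amount_outlier")
    burst = [r for r in recent if r.user == p.user and r.amount >= HIGH_VALUE
             and timedelta(0) <= p.initiated - r.initiated <= VELOCITY_WINDOW]
    if p.amount >= HIGH_VALUE and len(burst) + 1 >= VELOCITY_COUNT:
        flags.append("velocity")
    return flags

# Constructed sample data mirroring the three requests in the scenario.
T, OLD = datetime(2025, 3, 10, 23, 0), datetime(2017, 1, 1)
vendor_change = Payment("ap_clerk", "XYZ Medical Supplies Inc.", "XYZ Medical Supply LLC",
                        85_000, datetime(2025, 3, 10, 11, 0), datetime(2025, 3, 4, 9, 0), 0, 80_000)
wires = [Payment("cfo", "Settlement Co", "Settlement Co", 400_000,
                 T + timedelta(minutes=m), OLD, 0, 33_000) for m in (0, 8, 15)]
supplier = Payment("ap_clerk", "Acme Surgical", "Acme Surgical", 60_000,
                   datetime(2025, 3, 10, 10, 0), OLD, 47, 80_000)

def decide(p, recent=()):
    return "hold" if screen(p, recent) else "release"
```

Any flag holds the payment for out-of-band verification, such as the callback to a known number described in the scenario; only the payment with no flags is released.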

Why separation matters

When your fraud defenses run on your own infrastructure, they share your vulnerabilities. A ransomware attack that encrypts your network encrypts your controls. A breach that compromises your systems compromises your verification tools.

When those defenses run on J.P. Morgan infrastructure, they’re insulated from attacks on your environment. The separation is the foundation that makes every other control possible.

This is what J.P. Morgan Trust & Safety Solutions provide:

  • Payment Control Center screens ACH and wire payments against configurable rules that reflect your payment patterns—beneficiaries, amounts, timing, velocity and context. It flags anomalies before funds move, pausing outliers for review while legitimate payments flow at speed.

  • Validation Services—including Account Validation Services and Entity Validation Services—help verify receiving accounts are legitimate and account holders match expected counterparties. Coverage spans over 80% of U.S. bank accounts.

  • Account Confidence Score evaluates account fraud risk using AI and machine learning, synthesizing signals from J.P. Morgan network and third-party data to surface fraud indicators at the moment of approval.

Together, these tools form a defensive layer that operates continuously—before, during and after a ransomware event—because they don’t depend on your systems staying online.

The controls you have vs. the controls you use

Payment Control Center’s value scales with configuration. Generic thresholds catch obvious anomalies; rules tuned to your specific payment behaviors catch the subtle ones. Clients using targeted rules have reduced manual review volume while catching more actual fraud.

Validation Services can run automatically on every payment or be triggered selectively. The more consistently they’re applied, the smaller the window for fraudulent account changes to slip through.

Account Confidence Score provides the most value when it’s integrated into approval workflows—not reviewed after the fact but surfaced at the moment of decision.

These tools’ effectiveness depends on how they’re deployed. A ransomware event is a stress test for your configuration choices.

What this means for your organization

Ransomware exploits a simple truth: Most fraud defenses assume they’ll be available when needed. When they're not, attackers gain a window—and that window is often more costly than the ransomware itself.

Platform resilience changes the equation. When your fraud tools live on infrastructure designed to stay operational during an attack on your environment, you maintain visibility when it matters most. Secondary fraud meets defenses that never went dark. Recovery timelines compress because payment operations never fully stopped.

Your organization will likely face a ransomware attempt. The question is whether your fraud defenses will be online when it happens.

Talk with J.P. Morgan Payments

Ready to help your fraud defenses stay operational—even when your systems don’t?

Connect with your J.P. Morgan representative or visit J.P. Morgan Payments Trust & Safety Solutions to explore deployment options for your business.

Disclaimer

© 2026 JPMorgan Chase & Co. All rights reserved. JPMorgan Chase Bank, N.A. Member FDIC. Deposits held in non-U.S. branches are not FDIC insured. Non-deposit products are not FDIC insured. The statements herein are confidential and proprietary and not intended to be legally binding. Not all products and services are available in all geographical areas.

Visit jpmorgan.com/paymentsdisclosure for further disclosures and disclaimers related to this content.