More Resilient Organizations Successfully Battled Ransomware in 2024: BakerHostetler


An annual report from law firm BakerHostetler said companies “are starting to win the battle against ransomware.”

In its 11th year, the report from the firm’s Digital Assets and Data Management (DADM) Practice Group, who handled over 1,250 cyber incidents in 2025, said organizations are more resilient with better backup strategies. In fact, organizations rarely need to pay for a decryption key, according to BakerHostetler.

“The industry supporting compromised entities has matured,” said Ted Kobus, chair of the group, in the report. “As a result, we see shorter dwell time, shorter time to containment, faster completion of forensic investigations, lower cost for forensic investigations, shorter time to restoration after ransomware deployment, and declining ransom payment amounts.

“The combined efforts of carriers, brokers, law firms, forensic firms, restoration firms, ransom negotiation and payment facilitation firms, and law enforcement have yielded positive results.”

The report credited law enforcement with the takedown of individuals from some of the largest ransomware groups, such as LockBit and Scattered Spider.

The average ransom paid was $501,388 in 2024 (excluding one outsized ransom payment of $20 million), down 33% compared to $747,651 in 2023. Payment is made more often to prevent publication of stolen data than to get a decryptor. Thirty-six percent of ransomware or extortion victims paid the ransom last year.

BakerHostetler also reported a 30% drop in forensic investigation costs in 2024, marking a three-year low.

Looking at other findings, BakerHostetler said the healthcare industry was the most targeted in 2024, with 36% of incidents targeting healthcare—including biotech and pharmaceuticals. Network intrusion led all incident types at 47%, and the most common root cause of incidents was phishing—including spear phishing, vishing, and quishing (using QR codes).

“From phishing or spear phishing emails to the social engineering of help-desk employees, attackers continue to refine their techniques, exploiting people as the weakest link in an organization’s cybersecurity defenses,” BakerHostetler said.
