An annual report from law firm BakerHostetler said companies “are starting to win the battle against ransomware.”
In its 11th year, the report from the firm’s Digital Assets and Data Management (DADM) Practice Group, which handled over 1,250 cyber incidents in 2025, said organizations are more resilient with better backup strategies. In fact, organizations rarely need to pay for a decryption key, according to BakerHostetler.
“The industry supporting compromised entities has matured,” said Ted Kobus, chair of the group, in the report. “As a result, we see shorter dwell time, shorter time to containment, faster completion of forensic investigations, lower cost for forensic investigations, shorter time to restoration after ransomware deployment, and declining ransom payment amounts.
“The combined efforts of carriers, brokers, law firms, forensic firms, restoration firms, ransom negotiation and payment facilitation firms, and law enforcement have yielded positive results.”
The report credited law enforcement with the takedown of individuals from some of the largest ransomware groups, such as LockBit and Scattered Spider.
The average ransom paid was $501,388 in 2024 (excluding one outsized ransom payment of $20 million), down 33% compared to $747,651 in 2023. Payment is more often made to prevent publication of stolen data than to get a decryptor. Thirty-six percent of ransomware or extortion victims paid the ransom last year.
BakerHostetler also reported a 30% drop in forensic investigation costs in 2024, marking a three-year low.
Looking at other findings, BakerHostetler said the healthcare industry was the most targeted in 2024, with 36% of incidents targeting healthcare—including biotech and pharmaceuticals. Network intrusion led all incident types at 47%, and the most common root cause of incidents was phishing—including spear phishing, vishing, and quishing (using QR codes).
“From phishing or spear phishing emails to the social engineering of help-desk employees, attackers continue to refine their techniques, exploiting people as the weakest link in an organization’s cybersecurity defenses,” BakerHostetler said.