An increased willingness on the part of enterprises to invest in cybersecurity may finally be starting to make a difference, according to US law giant BakerHostetler.
While ransomware was involved in 37 percent of the 1,270 incidents the firm handled during 2021, up 10 percent on 2020, today’s Data Security Incident Response Report [PDF] suggests that growing uptake of mitigation techniques like multifactor authentication (MFA) and backups is driving the price of ransoms down.
“Of the ransomware matters we helped manage in 2021, the average ransom demand paid was around $511,957, roughly two-thirds the average amount paid in 2020,” the report said.
The company noted that the median time between demand and payment had lengthened from five days in 2020 to eight. “This is likely a driving factor in the decrease in the average ransom demand paid,” according to the report.
“More organizations have invested in improving their data backup capabilities and are able to continue at least partial operations after a ransomware incident, which puts them in a better position to negotiate for a longer period of time and reach a greater discount for the ransom demand, if the need to pay arises,” the firm claims.
“Also, if a decryptor tool is not needed and an organization is only paying to prevent further disclosure of their data, they can often take more time to negotiate the demand, which can lead to a deeper discount.”
The numbers are stark. BakerHostetler said that the largest ransom demand made to a client in 2021 was more than $60 million, compared to $65 million the year before. But the largest ransom paid out was just $5.5 million.
The report also highlighted an average time from demand to payment of 11.1 days, 9.8 for payments over $1 million, 13 for payments ranging from $200,000 to $1 million, and 12.2 days from encryption to restoration.
The broader embrace of cybersecurity tools and measures means companies have also become more capable of identifying breaches. BakerHostetler adds that the median number of days between intrusion and detection in 2021 was nearly half what it was in 2020.
“Organizations are detecting intrusions more quickly and many threat actors are no longer lingering in systems before accomplishing their objectives. Criminals don’t want to be detected and kicked out, so they are shortening their own dwell times.
“Additionally, the notification timeline is trending down due in part because threat actors are more quickly providing information about the data they stole. This then informs the forensic investigation, which can focus on the systems from which the data came, giving a better and earlier understanding about the data involved, thus enabling earlier notification timelines.”
This also applied to thwarting fraudulent fund transfers via phished email addresses. “Our clients were able to identify fraudulent fund schemes before transferring funds more frequently in 2021 than in 2020. In fact, in 2021, 40 percent of clients identified fraudulent fund transfer schemes before any loss of funds, as compared to just 30 percent in 2020.
“This trend likely results from more employee education and training on direct deposit, wire transfer, and ACH payment protocols, and on identifying potential fraudulent fund transfer schemes before losses occur.”
However, the law firm noted that although organizations are improving their response to security incidents, this did not protect them from the risk of legal action from clients.
From 23 incidents BakerHostetler handled, more than 58 lawsuits were filed. Breaking that down, eight incidents had more than one (but fewer than five) lawsuits filed, four incidents had five or more, and 43 suits were against a healthcare organization.
Official advice in the Anglosphere is not to cave to ransomware demands because it only serves to affirm the attack method as a viable business model for criminals. However, if the conclusions in the report are to be believed, investing in security and training is having a similar if subtle effect.
You can read The Reg's special feature on what to do when you’re hit by ransomware – including advice on your interaction with insurers and cyberexperts you might hire afterwards – here; our special on corporate ransomware-as-a-service gangs here; and our conversation with an ex-cop who works as a ransomware negotiator here. ®