Ride the Lightning

Cybersecurity and Future of Law Practice Blog
by Sharon D. Nelson Esq., President of Sensei Enterprises, Inc.

2022 Data Security Incident Response Report Issued by BakerHostetler

April 13, 2022

We always enjoy reviewing the annual reports by BakerHostetler detailing stats about the security incidents they dealt with in the preceding year. Every firm will vary in its stats, but this report always provides a fascinating look at how security incidents are evolving.

Help Net Security posted highlights from the report on April 11.

“The most frequent client requests this year included assistance with the ransom ‘pay-no pay’ decision tree, OFAC compliance, and ransomware playbooks,” according to Ted Kobus, Chair of the Digital Assets and Data Management Group at BakerHostetler.

Varying stats from different sources make it difficult to see what the overall landscape looks like.

Recent numbers provided by Palo Alto Networks and Coveware show that the average amount organizations pay to get their data back has risen considerably: Coveware says $322,168 (in Q4 2021) and PAN says $541,010 (in all of 2021, for cases worked by its Unit 42 consultants).

BakerHostetler’s report, which is based on the incidents the law firm handled in 2021, shows a similar picture, but says that the average ransom demand paid in 2021 ($511,957) is roughly two-thirds the average amount paid in 2020, a notable decrease.

“Over the same time period, the median time between demand and payment was eight days compared to five days in 2020. This is likely a driving factor in the decrease in the average ransom demand paid,” the law firm pointed out.

“More organizations have invested in improving their data backup capabilities and are able to continue at least partial operations after a ransomware incident, which puts them in a better position to negotiate for a longer period of time and reach a greater discount for the ransom demand, if the need to pay arises. Also, if a decryptor tool is not needed and an organization is only paying to prevent further disclosure of their data, they can often take more time to negotiate the demand, which can lead to a deeper discount. Developing business continuity protocols and identifying workarounds for critical business operations — prior to an incident — are key to placing organizations in the strongest position if they experience a ransomware incident.”

BakerHostetler’s report also says that:

Ransomware represented 37% of the matters they handled in 2021 (compared to 27% in 2020).

Data exfiltration is the “new normal” for ransomware attacks. Another stat I read elsewhere said that exfiltration happens more than 80% of the time.

Companies have improved their ability to restore from backups. Absolutely true from my foxhole. Law firms and other businesses are usually able to recover, often detecting a problem quickly and “rolling back to a known good state” a few minutes earlier than the intrusion.

Payments for a decryptor are more expensive than only paying to prevent disclosure. True – and that is because some folks won’t listen to good advice about protecting backups – they are in a crisis situation which the bad guys are happy to profit from.

Sharon D. Nelson, Esq., President
Sensei Enterprises, Inc.
3975 University Drive, Suite 225
Fairfax, VA 22030
Phone: 703-359-0700
Digital Forensics/Cybersecurity/Information Technology
https://senseient.com
https://twitter.com/sharonnelsonesq
https://www.linkedin.com/in/sharondnelson
https://amazon.com/author/sharonnelson