Companies “are starting to win the battle against ransomware,” according to an annual report from law firm BakerHostetler.
The report, now in its 11th year, said the firm’s Digital Assets and Data Management Practice Group handled more than 1,250 cyber incidents in 2025. The group concluded that organizations are more resilient because of better backup strategies, and BakerHostetler said organizations rarely need to pay for a decryption key.
“We see fewer attacks and lower payments,” the report says. “After several chaotic years, ransomware is settling into the category of risk that still exists but for which there are known measures that should make an impactful attack less likely.”
The average ransom paid was $501,388 in 2024 (excluding one outsized ransom payment of $20 million), down 33% compared with $747,651 in 2023. Payment is made more often to prevent publication of stolen data rather than to get a decryptor. Thirty-six percent of ransomware or extortion victims paid the ransom last year.
BakerHostetler also reported a 30% drop in forensic investigation costs in 2024, marking a three-year low.
BakerHostetler said the healthcare industry was the most targeted in 2024, with 36% of incidents involving that sector—including biotech and pharmaceuticals. Network intrusion led all incident types at 47%, and the most common root cause of incidents was phishing—including spear phishing, vishing, and quishing (using QR codes).
“The industry supporting compromised entities has matured,” said Ted Kobus, chair of the group, in the report. “As a result, we see shorter dwell time, shorter time to containment, faster completion of forensic investigations, lower cost for forensic investigations, shorter time to restoration after ransomware deployment, and declining ransom payment amounts.
“The combined efforts of carriers, brokers, law firms, forensic firms, restoration firms, ransom negotiation and payment facilitation firms, and law enforcement have yielded positive results,” he said.
The report credited law enforcement with the takedown of individuals from some of the largest ransomware groups.