Every year, BakerHostetler collects and analyzes various metrics about the incident response matters we handle. In 2022, we handled over 1,160 incidents. The most striking trends we saw across those incidents were an overall increase in the average ransom demands and payments, as well as an increase in recovery times in certain sectors. We also saw a decrease in all the metrics we track related to fraudulent fund transfers.


Between 2018 and 2020, we saw a huge increase in the average ransom that organizations were paying. As organizations became more attuned to the risk of ransomware and started putting additional security measures in place, we saw those figures drop in 2021. But in 2022, we saw the average ransom amount paid increase again, from $511,957 in 2021 to $600,688 in 2022.

Recovery times also increased – nearly doubling for some industries, like Healthcare and Retail, Restaurant, & Hospitality. The average amount of time from initial encryption to acceptable (not necessarily complete) restoration was two weeks or longer in four industries: Business & Professional Services; Retail, Restaurant & Hospitality; Government; and Non-Profit. In fact, the average number of days to acceptable restoration increased across every industry with the exception of Finance & insurance, for which it decreased from 12.8 days to 8.9 days.

In response to the ransomware “boom” leading up to 2022, many companies took measures to enhance their ability to prevent and detect such attacks and to recover from them. But it seems that those that didn’t are finding it harder to recover and are having to pay more for a decryption key as a result.

Additionally, companies acquiring other organizations are experiencing incidents involving their recent acquisitions before their security stack can be fully deployed to the acquisition’s systems. And even in cases where those acquisitions have security measures in place, they may not have been maintained over time or may have unknown configuration issues that make them vulnerable to attacks.

If your organization has not taken measures to be more resilient against network intrusions, do so now. If your organization has, but is actively acquiring other companies, make sure to have an acquisition and integration process that includes a clear roadmap to complete the integration process in a reasonable period of time, focusing on the most critical assets first.

Fraudulent Fund Transfers

In 2022, we saw a number of positive developments with respect to fraudulent fund transfers: the total dollar amount of fraudulent transfers was almost half what it was in 2021 ($27 million in 2022 compared to $48 million in 2021), and the average transfer amount was nearly $450,000 less ($294,137 in 2022 compared to $743,106 in 2021).

One statistic that may seem discouraging at first glance is the average amount recovered, which decreased by about $240,000 ($648,060 in 2022 compared to $890,135 in 2021). However, this decrease is likely correlated to the drop in the overall and average amounts transferred in the first place, reflecting a positive trend.

But a discouraging trend seen in 2022 was the drop in the percentage of matters where funds were recovered, from 42 percent of fraudulent fund transfer matters in 2021 to only 24 percent of those matters in 2022.

Last year, we provided tips for preventing fraudulent fund transfers which are still important today: 1) enforce multi-factor authentication (MFA) for remote access to online accounts and disable legacy authentication in your email tenant; 2) train employees to spot phishing emails and common fraudulent fund transfer schemes; and 3) establish written policies and procedures for authorization of changes to payment information.

If your company or a vendor does lose funds as a result of a fraudulent fund transfer, there are steps you can take to increase the likelihood of recovering some or all of those funds. The faster you identify and take measures to address a fraudulent fund transfer incident, the better your chance of recovery.