Incident Score: Analysis & Impact (BAK1774931036)

The details regarding individual company incidents and reports give you a full view from every side.

Rankiteo Score Impact Analysis

  • Rankiteo Incident Impact: -213
  • Company Score Before Incident: 716 / 1000
  • Company Score After Incident: 503 / 1000
  • Incident Number: BAK1774931036
  • Type of Cyber Incident: Ransomware
  • Attack Vector: Phishing, Third-party vendors, Outdated/insufficient EDR systems
  • Data Exposed: Sensitive client data
  • Incident Date: 26/03/2026
  • Status: published

Key Highlights From The Incident Analysis

  • Timeline of BakerHostetler's ransomware incident and lateral movement inside the company's environment.
  • Overview of affected data sets, including SSNs and PHI, and why they materially increase incident severity.
  • How Rankiteo’s incident engine converts technical details into a normalized incident score.
  • How this cyber incident impacts BakerHostetler Rankiteo cyber scoring and cyber rating.
  • Rankiteo’s MITRE ATT&CK correlation analysis for this incident, with associated confidence level.

Full Incident Analysis Transcript

In this Rankiteo incident briefing, we review the BakerHostetler breach identified under incident ID BAK1774931036.

The analysis begins with a detailed overview of BakerHostetler's company information: its LinkedIn page (https://www.linkedin.com/company/bakerhostetler), number of followers (28963), industry type (Law Practice) and number of employees (2266).

After the initial compromise, the video explains how Rankiteo's incident engine converts technical details into a normalized incident score. The score before the incident was 716 and after the incident was 503, a difference of -213, which can serve as an indicator of the severity and impact of the incident.

In the next step of the video, we analyze the incident in more detail, along with the impact it had on BakerHostetler and their customers.

On 26 March 2026, a cybersecurity incident called "Ransomware Attacks on Law Firms Surge in 2025, Fueled by AI and Sophisticated Tactics" came to light.

BakerHostetler’s 2026 Data Security Incident Response (DSIR) Report reveals a sharp escalation in ransomware attacks targeting law firms in 2025, with incidents nearly doubling over the previous year.

The disruption is felt across the environment, exposing sensitive client data, with an estimated financial loss of $15 million (wire fraud alone, 27% recovered).

Formal response steps have not been shared publicly yet.

The case underscores the lessons teams are taking away: law firms face heightened risks of data breaches, contractual violations, and ethical repercussions due to sophisticated ransomware tactics; AI exploitation and 'Shadow AI' tools create new vulnerabilities; and law enforcement lags behind cybercriminals, making it necessary for firms to bolster their own defenses independently.

Finally, we map the incident to the MITRE ATT&CK framework to identify which of its tactics and techniques correlate with the observed activity.

The MITRE ATT&CK framework is a knowledge base of techniques and sub-techniques that are used to describe the tactics and procedures of cyber adversaries. It is a powerful tool for understanding the threat landscape and for developing effective defense strategies.

MITRE ATT&CK® Correlation Analysis

Rankiteo's analysis has identified several MITRE ATT&CK tactics and techniques associated with this incident, each with varying levels of confidence based on available evidence.

Under the Initial Access tactic, the analysis identified Phishing (T1566) with high confidence (90%), supported by evidence indicating phishing remained the leading entry point (nearly one-third of breaches); Supply Chain Compromise (T1195) with moderate to high confidence (80%), supported by evidence indicating 25% involved third-party vendors; and Exploit Public-Facing Application (T1190) with moderate to high confidence (70%), supported by evidence indicating outdated or insufficient endpoint detection and response (EDR) systems.

Under the Execution tactic, the analysis identified User Execution (T1204) with moderate to high confidence (80%), supported by evidence indicating attackers employed social engineering with direct calls to attorneys; and Command and Scripting Interpreter (T1059) with moderate confidence (60%), supported by evidence indicating AI leveraged to accelerate attacks (implied scripting/automation).

Under the Credential Access tactic, the analysis identified Adversary-in-the-Middle (T1557) with moderate to high confidence (70%), supported by evidence indicating email hijacking to expand phishing operations; and Brute Force (T1110) with moderate confidence (50%), supported by evidence indicating social engineering impersonating IT staff (likely credential harvesting).

Under the Discovery tactic, the analysis identified Account Discovery (T1087) with moderate to high confidence (70%), supported by evidence indicating sensitive client data targeted (implies discovery of high-value accounts).

Under the Collection tactic, the analysis identified Data from Local System (T1005) with high confidence (90%), supported by evidence indicating data exfiltration for blackmail and sensitive client data compromised; and Email Collection (T1114) with moderate to high confidence (80%), supported by evidence indicating email hijacking to expand phishing operations.

Under the Command and Control tactic, the analysis identified Application Layer Protocol (T1071) with moderate to high confidence (70%), supported by evidence indicating ransomware operations imply C2 channels for exfiltration/encryption.

Under the Exfiltration tactic, the analysis identified Exfiltration Over C2 Channel (T1041) with high confidence (90%), supported by evidence indicating data exfiltration for blackmail and wire fraud that siphoned $15 million.

Under the Impact tactic, the analysis identified Data Encrypted for Impact (T1486) with high confidence (90%), supported by evidence indicating encryption to lock victims out and a confirmed ransomware strain; and Defacement (T1491) with moderate confidence (50%), supported by evidence indicating extortion and blackmail imply reputational impact.

Under the Defense Evasion tactic, the analysis identified Impair Defenses: Disable or Modify Tools (T1562.001) with moderate to high confidence (80%), supported by evidence indicating outdated/insufficient EDR systems accounted for 21% of intrusions; and Masquerading (T1036) with moderate to high confidence (70%), supported by evidence indicating impersonating IT staff to gain access.

These correlations help security teams understand the attack chain and develop appropriate defensive measures based on the observed tactics and techniques.

  • Initial Access
    • Phishing (90%)
    • Supply Chain Compromise (80%)
    • Exploit Public-Facing Application (70%)
  • Execution
    • User Execution (80%)
    • Command and Scripting Interpreter (60%)
  • Credential Access
    • Adversary-in-the-Middle (70%)
    • Brute Force (50%)
  • Discovery
    • Account Discovery (70%)
  • Collection
    • Data from Local System (90%)
    • Email Collection (80%)
  • Command and Control
    • Application Layer Protocol (70%)
  • Exfiltration
    • Exfiltration Over C2 Channel (90%)
  • Impact
    • Data Encrypted for Impact (90%)
    • Defacement (50%)
  • Defense Evasion
    • Impair Defenses: Disable or Modify Tools (80%)
    • Masquerading (70%)