A takeover of Microsoft Office 365 accounts may be the first item on the to-do list of bad actors who have breached an organization's cybersecurity. Baker & Hostetler released its 2020 Data Security Incident Response Report on Thursday, indicating that ransomware is thriving with the help of contact lists pilfered from underprotected accounts.

The report is based on information gleaned from 950 cyber incidents that Baker & Hostetler consulted on over the course of 2019. In 31% of the cases featured, bad actors initiated an Office 365 account takeover after the initial breach. Deployment of ransomware was the next most common step (24%), followed by the installation of malware (13%).

But why did Office 365 takeovers account for the largest percentage of cases? Craig Hoffman, editor of the report and leader of Baker & Hostetler's digital risk advisory and cybersecurity team, said the additional contacts and email addresses stored inside an Office 365 account can provide hackers with their next targets for phishing or other schemes. But there's also the potential for immediate gratification.

"[Bad actors] run searches to look for invoices so they can trick people into wiring money out, and they are very effective at doing that. And then they sometimes sell off access to the account. … There are about 15 different flavors of what people do when they get access to your account," Hoffman said.

This could be of some concern to law firms or corporate legal environments, where Office 365 is often a popular choice. However, those accounts aren't low-hanging fruit if set up properly. Hoffman indicated that if multifactor authentication protocols are correctly installed, it would be very difficult for hackers to gain entry to accounts.

But even if Office 365 accounts are secured, ransomware is hardly a preferable alternative for organizations to contend with, especially as the number of dollar signs involved continues to increase. In the 2018 report, the average ransomware payment was $28,920, but that figure increased dramatically in 2019 to $302,539.

The sudden inflation could reflect the more aggressive tactics that purveyors of ransomware have begun to deploy. Hoffman pointed out that bad actors have typically used ransomware to cut an organization off from data in its system, with the access key held hostage. Now, hacker groups such as Maze are imposing additional pressure on victims by threatening to publish stolen data online.

The Texas-based firm of Baker Wotring experienced this firsthand last February after Maze hacked its "client site" and published such sensitive data as Health Insurance Portability and Accountability Act consent forms and fee agreements online. That same month, Maze also attacked three South Dakota law firms: Bangs McCullen; Lynn, Jackson, Shultz & Lebrun; and Costello Porter.

"We're seeing more groups steal data before they encrypt data," Hoffman said.

As for how organizations are faring in detecting ransomware and other intrusions, the report lists the average time that passes between the occurrence and discovery of an intrusion at around 90 days. The average number of days to contain a threat, however, increased from 10 days in 2018 to 14 days in 2019.

Both those numbers are more encouraging than statistics featured in a recent report by e-discovery provider Special Counsel, which placed the U.S. average for identifying a breach at 206 days, with the average containment time at 73 days. Still, confusion around figures such as these may be par for the course, since information technology personnel, for example, may view timelines differently than other members of an organization.

"What they don't account for is when their tools fail. A goalie is going to stop 99 out of 100 shots. In a security context, when they miss a shot and something gets past the goalie, it sits undetected for a long time," Hoffman said.