Obsidian Ridge

Threat Intelligence & Incident Response

Law Firm Ransomware in 2026: Why Mid-Size Firms Are the New Sweet Spot for Ransomware Operators

Why ransomware operators target law firms specifically, how the attack chain works against a typical practice, what a real incident week looks like, and the controls that actually break the chain.

Reviewed May 14, 2026 by Kfir Yair, CISSP · CCFH · ZDTA · CySA+ · Security+


A practitioner note for managing partners, firm administrators, and the IT staff who keep mid-size law firms running. This is what incident data, cyber insurance underwriters, and leak sites actually show about the legal sector in 2025 and into 2026.

If you run or support a firm with fifteen to two hundred attorneys, you are inside the target zone. The Am Law 100 has the budgets to defend themselves. The two-attorney shop is not worth the operators' time. The middle is where the math works for the attacker, and the middle is where most American legal work gets done.

Why mid-size law firms are the sweet spot

Ransomware operators are economically rational. Mid-size legal practices check almost every box.

The data is unusually valuable per gigabyte. A mid-size firm holds M&A documents, IP filings, litigation strategy, draft briefs, deposition transcripts, settlement agreements, and sealed records for hundreds of active matters. A single matter file can move a public company's stock. The operator does not need the entire firm — a few high-profile matters are enough leverage.

Downtime has hard deadlines attached. Court filings, statutes of limitations, discovery deadlines, trial dates, and closings do not pause because a firm is encrypted. Every day offline is malpractice exposure. Operators price accordingly.

Reputational pressure is severe. A leak-site disclosure with client names and matter excerpts is an existential event for a firm whose business is confidentiality. Operators count on that pressure to drive a fast payment.

Internal segmentation is weak. In most firms, email, the DMS, time and billing, and the file server share a flat or near-flat network. The same domain admin that manages workstations has rights inside the DMS console.

Budgets lag data sensitivity. A firm holding Fortune 500 deal data on a thirty-thousand-dollar-a-year IT budget is not unusual. Partners notice the bill, not the gap. That is where most of these incidents originate.

The operators actually doing this work

A recognizable rotation of crews has hit the sector. Akira has been particularly active against professional services and has named law firms on its leak site repeatedly. Black Basta has hit legal targets across North America. LockBit affiliates were active before the 2024 takedown, and rebranded affiliates continue the pattern. Hunters International, INC Ransom, Play, and BianLian have all named legal services victims, as has Royal, now rebranded as BlackSuit.

Several operate as ransomware-as-a-service: the affiliate hitting your firm is not the crew that wrote the encryptor. The playbooks are consistent, which is good news for defenders. The double-extortion pattern — exfiltrate first, encrypt second — is now standard. Assume any successful intrusion includes data theft.

The attack chain inside a typical firm

It usually starts with a phishing email to a paralegal, legal assistant, or billing coordinator — not a partner. Support staff handle the inboxes that produce the most legitimate clicks: court notices, opposing counsel correspondence, vendor invoices, e-filing confirmations, DocuSign requests. The lures are tuned to that traffic.

The most effective lures in 2025 have been fake court notices, invoices, e-filing receipts, and voicemail notifications. The payload is a loader: historically Qakbot, then Pikabot, and more recently DarkGate, Latrodectus, and residual Qakbot variants. The loader's job is to phone home, establish persistence, and let the operator inside.

Within hours, the operator harvests credentials — LSASS memory, browser-saved passwords, cached Windows credentials, RDP histories. If a partner or IT generalist saved a privileged password in the browser, the next stage is trivial.

Lateral movement is mechanical. The operator pivots toward the DMS because the network is flat and the credentials work everywhere. Cobalt Strike is still the most common command-and-control beacon, with Sliver, Brute Ratel, and NetSupport RAT in heavy rotation.

Reconnaissance in a law firm is distinctive. The operator searches files for settlement, agreement, M&A, deposition, expert, sealed, confidential, NDA, and the firm's most public client names. They are not after every byte — they are after the right bytes.

Exfiltration follows, usually to Mega, an AWS S3 bucket under a stolen credit card, or a rented VPS. Volumes are tens to hundreds of gigabytes. Encryption happens last, almost always over a long weekend. By Monday morning, the DMS will not open and a ransom note is on every desktop with the firm's name and specific matter references already inside it.

Why the document management system is the crown jewel

NetDocuments, iManage FileSite, Clio, MyCase, ProLaw, PracticePanther — the product varies but the architecture does not. The DMS centralizes matter files: client communications, deposition transcripts, settlement agreements, sealed records, work product, draft briefs, expert reports, discovery productions.

Encrypt the DMS and you have encrypted the practice. Attorneys cannot open files. Paralegals cannot prepare filings. Billing cannot reconcile time to matters. Court deadlines come due against a frozen system. Cloud-hosted DMS platforms are not immune — the local sync cache, connector credentials, and workstation checkouts are all reachable from a compromised endpoint.

The DMS is the first target in reconnaissance and the last in encryption. The operator wants it intact long enough to exfiltrate, and unusable immediately after.

The first hour

If you are reading this in the middle of an active incident:

Disconnect the network switch in the comm room. Not the WAN router — the switch. Pull every cable or power it off. Disconnecting only the internet still lets the malware finish encrypting your LAN.

Isolate every workstation. Do not power them off. Memory forensics matters. Lock screens, pull network cables, leave machines running.

Call your cyber insurance carrier first. Before the FBI, before the MSP. Your policy almost certainly requires the carrier's panel; engaging your own forensics firm first can invalidate coverage. The 24/7 hotline is on your policy.

Notify the managing partner and General Counsel. Smaller firms without in-house GC should have outside ethics counsel on retainer. ABA Model Rule 1.6 obligations begin running immediately.

Document everything on paper. Times, names, decisions, calls. The laptops are evidence.

Verify offsite backups exist and are unreachable from the compromised network. Do not connect to them. Call the backup vendor. If backups were on the same domain or used the same credentials, assume they are gone.

Do not pay, do not click links in the ransom note, do not negotiate. Breach counsel and the carrier's negotiator will handle that.

The first week

The first week is structured by the cyber insurance carrier, by ethics obligations, and by state breach notification law, in roughly that order.

A forensics firm engaged by the carrier will image affected systems, identify the entry point, determine the scope of exfiltration, and confirm whether the threat actor is still in the environment. Five to ten days for a mid-size firm. This is the input that drives every downstream decision.

Ethical notification under ABA Formal Opinion 483. Current clients whose information or matters were affected must be notified promptly with enough specificity to make informed decisions about the representation. A generic press release does not satisfy the duty. State bar interpretations vary; consult ethics counsel before letters go out.

Court deadlines. File continuance motions promptly with appropriate showing. Most courts have been accommodating where the firm communicated early and in good faith. Coordinate with opposing counsel and the clerk's office in the first 24 to 48 hours.

State data breach notification. Most states have 30 to 60 day clocks when personally identifiable information was exfiltrated. Breach counsel coordinates the filings.

Rebuild planning. Recovery is almost never a restore-in-place. It is a clean rebuild with new credentials and a verified-clean DMS restore from a backup point earlier than the initial intrusion.

Recovery is realistically seven to twenty-one days for full DMS restoration. Operational impact extends well beyond that, because matter backlog, client communication, and regulatory response continue for weeks.

The decision to pay — honest assessment

Paying does not guarantee data return. The decryptor may be partial, slow, or broken. Exfiltrated data may be published or sold regardless. Several operators and affiliates are sanctioned by OFAC, including LockBit-related actors and certain North Korean affiliates — paying a sanctioned entity is a federal violation independent of operational pressure.

Cyber insurance carriers now require pre-approval before any payment, run OFAC screening on the operator, and exclude payments to sanctioned entities. The FBI's standing guidance is to not pay.

I align with that guidance. I have also sat across the table from managing partners whose backups failed and who paid because the alternative was the firm. The point: this decision is made with breach counsel and the carrier on the call — not at 9 p.m. on a Saturday alone with a countdown timer.

The controls that actually break the chain

This is the section that matters. Everything above is what happens when nothing is in place. Here is what stops it.

Managed EDR on every endpoint and every server. Workstations, the DMS server, file servers, any on-prem hybrid Exchange box. Non-negotiable. For most of our legal-sector clients we deploy Huntress Managed EDR. The ransomware canary catches encryption behavior in sub-millisecond time and isolates the affected machine. More importantly, the loader stage — Pikabot, DarkGate, Latrodectus — gets caught and investigated by the SOC before lateral movement begins. See the Managed Detection and Response service page.

Managed ITDR on Microsoft 365 or Google Workspace. Identity threat detection catches the account takeover, the malicious inbox rules attackers use to hide their tracks, and the BEC that often precedes a ransomware event by weeks. Most firms we onboard already had at least one compromised mailbox they did not know about. Details on the Managed ITDR service page.
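Detection logic for the malicious inbox rules mentioned above, as an added example that is not code from the original post or from Obsidian Ridge's tooling. The rule records are constructed, and the InboxRule field names are an assumption modeled loosely on an Exchange Online inbox-rule export; map your real export onto that shape before running it.

```python
"""Flag inbox rules with the hiding patterns seen after a mailbox takeover.
Added example, not Obsidian Ridge's tooling. Rule records are constructed and
the field names are an assumption modeled loosely on an Exchange Online export."""
from dataclasses import dataclass, field

FIRM_DOMAINS = {"examplefirm.test"}  # assumption: the firm's own mail domains
HIDING_FOLDERS = {"rss subscriptions", "rss feeds", "conversation history",
                  "junk email", "archive", "deleted items"}  # where hidden mail is parked
LURE_KEYWORDS = {"invoice", "wire", "payment", "password", "mfa",
                 "incident", "suspicious", "compromised", "ransom"}  # typical rule filters

@dataclass
class InboxRule:
    mailbox: str
    name: str
    forward_to: list = field(default_factory=list)  # forward/redirect targets
    move_to_folder: str = ""
    delete_message: bool = False
    mark_as_read: bool = False
    body_or_subject_contains: list = field(default_factory=list)

def is_external(addr: str) -> bool:
    return addr.split("@")[-1].lower() not in FIRM_DOMAINS

def findings_for(rule: InboxRule) -> list:
    hits = []
    ext = [a for a in rule.forward_to if is_external(a)]
    if ext:
        hits.append(f"forwards to external {ext}")
    if rule.delete_message:
        hits.append("deletes matching mail")
    if rule.move_to_folder and rule.move_to_folder.lower() in HIDING_FOLDERS:
        hits.append(f"moves mail to '{rule.move_to_folder}'")
    kw = {k.lower() for k in rule.body_or_subject_contains} & LURE_KEYWORDS
    if kw and (rule.mark_as_read or rule.delete_message or rule.move_to_folder):
        hits.append(f"hides mail matching {sorted(kw)}")
    if not rule.name.strip(" .,-_"):  # blank or punctuation-only names are a common tell
        hits.append("rule name is blank or punctuation only")
    return hits

def triage(rules: list) -> dict:
    """Map mailbox -> findings, listing only mailboxes with at least one."""
    out = {}
    for r in rules:
        for h in findings_for(r):
            out.setdefault(r.mailbox, []).append(f"{r.name!r}: {h}")
    return out

# Constructed sample: one benign rule and two that look like post-takeover cleanup.
SAMPLE_RULES = [
    InboxRule("paralegal@examplefirm.test", "Court notices", move_to_folder="Courts",
              body_or_subject_contains=["ECF", "e-filing"]),
    InboxRule("billing@examplefirm.test", ".", forward_to=["drop@mail.example"],
              delete_message=True, body_or_subject_contains=["invoice", "wire"]),
    InboxRule("partner@examplefirm.test", "Archive", move_to_folder="RSS Subscriptions",
              mark_as_read=True, body_or_subject_contains=["password", "MFA"]),
]

if __name__ == "__main__":
    for mailbox, hits in triage(SAMPLE_RULES).items():
        print(mailbox, *hits, sep="\n  - ")
```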

MFA on every DMS admin account, no exceptions. App-based or hardware token, not SMS. If MFA is on the admin account, credentials harvested from a paralegal's browser do not work for privilege escalation.

Immutable offsite backups following the 3-2-1-1-0 rule. Three copies, two media types, one offsite, one immutable or air-gapped, zero errors on the last verified restore. Tested quarterly. A backup you have never restored is a wish.

Least privilege on the DMS service account. The SQL service account does not need to be a domain admin. The DMS administrator user does not need local admin on every workstation.

Network segmentation between the front office and the DMS server. Guest wifi, conference room AV, and the staff network should not share the same VLAN, and none of them should reach the DMS server directly.

Managed security awareness training tuned to legal phishing themes. Generic training is checked once a year and forgotten. Training tuned to court notices, e-filing receipts, opposing counsel impersonations, and vendor invoice fraud reduces the click rate on the lures that actually land. See the Managed Security Awareness Training service page.

A documented incident response plan and a policy you have actually read. Both are addressed on the cyber insurance readiness page.

The MSP supply-chain risk

Most mid-size firms use a generalist MSP. That MSP often holds DMS admin or domain admin credentials shared across multiple law firm clients, accesses the firm's network through a remote management platform — ConnectWise ScreenConnect, N-able, Datto RMM, Kaseya, Atera — and may use the same password pattern at three other firms in the same metro.

If the MSP gets popped, every firm they service is on the table simultaneously. This pattern has been documented in publicly disclosed mass-impact events against legal services over the last two years.

This is not an indictment of every MSP. It is a structural reality. Your MSP's security posture is functionally your firm's security posture. Ask whether they have MFA on their RMM, EDR on every technician laptop, a credential vault that is not a spreadsheet, and per-client credentials for privileged access.

If the answers are uncomfortable, that is information. The security layer needs to be operated independently of the IT layer — the model we run on the law firms industry page.

What to do this week if you are not in an active incident

Three things, in this order.

Read your cyber insurance policy end to end, especially the required-controls section and the incident response panel. If your current controls do not match the policy, fix that gap before you need to file a claim. A denied claim after an incident is worse than no policy at all.

Audit who has administrative access to the DMS, the Microsoft 365 or Google Workspace tenant, the backup system, and the firm's domain. Remove anyone who should not be there. Confirm phishing-resistant MFA on everyone who remains. Include your MSP — the shared credentials are usually where the surprise lives.

Schedule a backup restore test of the DMS database to a non-production environment, performed by your IT provider, witnessed by a partner, with written confirmation that the restored database opened cleanly. If your provider cannot or will not perform that test, you have your answer.
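An added example, not the article's or Obsidian Ridge's own tooling, that turns the access audit in step two and the MSP shared-credential questions from the previous section into a repeatable check: it joins admin listings from the four systems named (DMS, Microsoft 365 or Google Workspace tenant, backup system, domain) and flags MFA that is not phishing-resistant, shared credentials, stale access, and one identity holding admin across three or more systems. The rows are constructed, and the export format and thresholds are assumptions.

```python
"""Cross-system privileged-access audit over the DMS, the M365/Workspace tenant,
the backup console and the AD domain. Added example, not Obsidian Ridge's tooling;
rows are constructed and the one-row-per-account-per-system format is an assumption."""
from collections import defaultdict
from dataclasses import dataclass

PHISHING_RESISTANT = {"fido2", "passkey", "certificate"}  # SMS and app push are not
STALE_DAYS = 90     # assumption: privileged access unused this long gets removed
MAX_SYSTEMS = 2     # assumption: one identity holding admin on 3+ systems is a finding

@dataclass(frozen=True)
class AdminRow:
    account: str
    system: str          # "dms", "m365", "backup" or "domain"
    mfa: str             # "fido2", "passkey", "certificate", "app", "sms" or "none"
    last_login_days: int
    shared: bool         # True for generic or MSP credentials not tied to one person

def audit(rows):
    """Return (account, system, finding) triples; system is '*' for cross-system ones."""
    findings = []
    systems_per_account = defaultdict(set)
    for r in rows:
        systems_per_account[r.account].add(r.system)
        if r.mfa.lower() not in PHISHING_RESISTANT:
            findings.append((r.account, r.system, f"mfa '{r.mfa}' is not phishing-resistant"))
        if r.shared:
            findings.append((r.account, r.system, "shared credential; use per-person, per-client accounts"))
        if r.last_login_days > STALE_DAYS:
            findings.append((r.account, r.system, f"unused for {r.last_login_days} days; remove"))
    for acct, systems in sorted(systems_per_account.items()):
        if len(systems) > MAX_SYSTEMS:
            findings.append((acct, "*", f"admin on {sorted(systems)}; split the roles"))
    return findings

# Constructed sample: a flat-admin IT generalist, a shared MSP login on SMS MFA,
# a departed partner still holding DMS admin, and a backup service account without MFA.
SAMPLE = [
    AdminRow("it.generalist", "domain", "fido2", 1, False),
    AdminRow("it.generalist", "dms", "fido2", 3, False),
    AdminRow("it.generalist", "backup", "fido2", 2, False),
    AdminRow("it.generalist", "m365", "fido2", 1, False),
    AdminRow("msp-admin", "domain", "sms", 5, True),
    AdminRow("msp-admin", "dms", "sms", 5, True),
    AdminRow("former.partner", "dms", "app", 410, False),
    AdminRow("backup.svc", "backup", "none", 0, False),
]

if __name__ == "__main__":
    for account, system, finding in audit(SAMPLE):
        print(f"{account:16} {system:7} {finding}")
```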

If you want a practitioner's read on where your firm actually stands, that is what we do. Start at the cyber insurance readiness page or the law firms industry page.

Attackers do not need your firm to be unprepared. They need it to be more unprepared than the one down the street. Closing that gap is achievable, and the controls that close it are not exotic — they are operational discipline applied consistently, by someone whose job it actually is.

Last updated

May 14, 2026. We refresh this content as the threat landscape and tools evolve.

FAQ

Questions readers usually ask next

Why are law firms such a consistent ransomware target?

Law firms hold concentrated high-value confidential data — M&A deal documents, intellectual property, litigation strategy, sealed records, settlement terms — across a client base that often includes public companies and high-net-worth individuals. Downtime is unusually expensive because court deadlines and statutes of limitations do not pause for an incident. The combination of sensitive data, hard deadlines, strong reputational incentive to resolve quickly, and IT budgets that lag the sensitivity of the information has made the legal sector one of the most consistently targeted professional service categories in 2024 and 2025.

What should a firm do in the first hour of a ransomware attack?

Disconnect the network switch in the communications room — not just the WAN. Isolate every workstation but do not power them off; memory forensics matters. Call your cyber insurance carrier before anyone else, including before you read the ransom note, because the policy almost certainly requires their panel of incident response and breach counsel. Notify the managing partner and the firm's General Counsel or outside ethics counsel. Document everything in a paper notebook — your laptops are evidence. Verify that offsite backups still exist and are not reachable from the compromised network.

Does a law firm have to pay the ransom?

No. The FBI's standing guidance is to not pay. Paying does not guarantee data return or that the exfiltrated data will not be sold or published anyway. OFAC sanctions apply to several operators and affiliates — paying a sanctioned entity is a federal violation. Cyber insurance carriers now require pre-approval before any ransom payment, and many policies exclude payments to sanctioned entities entirely. Some firms have paid despite the guidance, with mixed results. The decision should be made with breach counsel and the carrier on the call, not at midnight in a panic.

What are a firm's ethical duties under ABA Model Rule 1.6 after a ransomware incident?

ABA Formal Opinion 483 directly addresses lawyers' obligations after a data breach. Under Model Rule 1.6(c), lawyers must make reasonable efforts to prevent unauthorized access to client information, and after an incident they must promptly notify affected current clients with enough detail for the client to make informed decisions about the representation. Former clients are governed by a separate analysis under Model Rule 1.9. State bar interpretations vary, so consulting ethics counsel early in the incident is part of meeting the duty.

Will cyber insurance cover a law firm ransomware incident?

Often yes, but only if the firm meets the policy's required controls. Insurers now require MFA on privileged accounts, MDR or EDR on all endpoints including the document management server, tested offsite backups, and email security controls. If those controls were not in place at the time of the incident, the claim can be denied or reduced. Coverage limits for legal sector policies have tightened, and most carriers require pre-approval before any ransom or extortion payment.

Realistically, how long does recovery take?

Seven to twenty-one days for a full document management system restore from offsite backup, assuming backups are intact and tested. Court deadline impact, client notification, regulatory response, and ethics consultation extend the operational impact much longer. Firms with tested immutable backups, MDR coverage, and an incident response retainer in place are usually on the shorter end. Firms whose backup vendor was also encrypted are on the longer end, sometimes much longer.

What happens to court deadlines and trial dates during an incident?

Courts generally grant continuances and extensions when a firm promptly files an appropriately documented motion citing the incident. The key word is promptly. Judges have been broadly accommodating where the firm acted in good faith and communicated early; they have been less accommodating where the firm went quiet for weeks. Coordinating with opposing counsel and the clerk's office in the first 24 to 48 hours, while breach counsel handles the regulatory side, is the practical path.

When and how does the firm notify clients?

Under ABA Formal Opinion 483, current clients whose matters or information were affected must be notified promptly with enough specificity that they can make informed decisions about the representation and protect their own interests. In parallel, state data breach notification laws — which typically have 30 to 60 day clocks — apply to any personally identifiable information that was exfiltrated. Breach counsel drafts the notification letters and coordinates the regulatory filings. The firm's communication to clients is separate from, and usually precedes, the formal state notification.
