Law in the crosshairs and why ransomware gangs are now targeting 'low-hanging fruit' firms

For law firms big and small, the possibility of a cyber-attack is always looming on the horizon. Dr Ilia Kolochenko looks at the current state of cybersecurity in the legal world, and highlights the key factors to consider when it comes to protecting your firm and your clients.
According to a report by the UK National Cyber Security Centre, legal professionals and law firms face numerous foes in cyberspace: situational cybercriminals mostly motivated by money; proficient hackers backed by nation states and organised crime; hacktivists inspired by political ideas; and malicious insiders driven by money or revenge.
Despite the Law Society of Scotland’s excellent guide on cybersecurity, high-profile data breaches continue to happen with unenviable frequency. The now-unfolding domino effect of May’s disastrous data breach of the Legal Aid Agency has caused devastating consequences for hundreds of solicitors and barristers in England and Wales, illustrating the gravity and multifaceted consequences of data breaches in 2025.
Alarmingly, cyber-attacks against British law firms surged by 77% last year. This number is, however, just the tip of a formidable cybercrime iceberg: many cyber intrusions are never detected by the victims due to their technical sophistication or stealthy nature. Other incidents are simply never publicly disclosed or reported by breached law firms because of reputational concerns.
In the meantime, a recent alert by the FBI’s Internet Crime Complaint Center (IC3) points out that sophisticated ransomware gangs have started consciously targeting law firms, considering them low-hanging fruit: prey capable of paying a decent ransom, often without reporting the incident to underfunded and understaffed law enforcement agencies.
Recognising the risk
In 2025, some legal professionals and even large law firms still significantly underestimate both the probability and impact of cyber-attacks. Small law firms commonly believe that if they have no large corporations or celebrity clients, no cybercriminals will ever go after them, instead focusing on the Magic Circle law firms and other high-profile victims. This erroneous assumption has already cost numerous law firms considerable financial and reputational losses in addition to regulatory fines by the UK Information Commissioner's Office.
The grim truth is that when a law firm – however big or small – has all its computers and laptops blocked by a ransomware attack, the entire transactional and litigation workflow will abruptly stop, including the most urgent cases and looming deadlines. Under such extreme and unexpected pressure, many legal executives will readily decide to pay a fraction of a bitcoin to get back to work, while larger firms may even pay a six-digit ransom to avoid an inglorious downfall.
Paradoxically, even if the ban on ransom payments proposed by the UK government in July comes into effect, it is unlikely to cause a tectonic shift in the industry. After pondering the risks, a discreet payment of the ransom via a foreign-based cybersecurity consultancy might seem a much better option compared to bankruptcy or long-lasting reputational damage and spiralling financial losses.
Know your enemy
Importantly, ransomware actors are clearly motivated by profit and rely on comparatively unsophisticated hacking techniques, including phishing, password reuse and social engineering, and exploitation of known vulnerabilities in law firms’ websites, email servers and interconnected IT systems.
Cyber gangs backed by organised crime or nation states are tremendously more skilled and dangerous. They rarely, if ever, demand ransom but rather go after highly confidential information entrusted to law firms by large corporations, celebrities or politically exposed persons. Worse, sophisticated cyber gangs predominantly take precautions to avoid detection and utilise smart techniques to conceal or wipe out any digital traces of their presence in victims’ networks. This is why sophisticated data breaches often remain undetected and unreported.
In addition to opportunistic and large-scale ransomware campaigns, and laser-focused and intelligent cyber operations backed by criminal conglomerates, law firms should be aware of possible misuse of their own IT infrastructure for fraud and computer-enabled crime.
For instance, after being hacked and backdoored, a law firm’s email server may be exploited to send forged emails proposing a settlement for an alleged infringement of intellectual property rights. The unsuspecting victims will usually get an email from a non-existent lawyer, but from a legitimate domain name belonging to a real law firm. Sometimes, the identity of a well-known lawyer may also be stolen to boost the scam’s credibility when the victim searches online for that lawyer’s name. In this case, an email address similar to the legitimate one is created on the compromised email server to impersonate the lawyer.
Real-life example
On one occasion, I witnessed a particularly well-thought-out impersonation campaign targeting a UK-based law firm. First, attackers obtained and then used the law firm’s corporate email signature in a forged email, impersonating a real lawyer at that firm. The email also contained a direct phone number for the lawyer. When the victim called that number, a person with an impeccable Oxbridge accent answered and provided a credible explanation of the claim and suggested the next steps to quickly settle the case.
Moreover, because the phone number had an area code from the same area where the breached law firm’s main office was located, the discussion did not trigger any suspicion. As discovered later, the phone number was just a temporary landline rented for a week by cybercriminals for minimal cost.
Unsurprisingly, many victims will readily pay several hundred pounds to quickly ‘settle’ a ‘case’ and to avoid the risk of much higher claims or even threats of criminal prosecution, eloquently formulated by cybercriminals. To make things even worse, the widespread availability of generative artificial intelligence (GenAI) streamlines and accelerates creation of trustworthy-looking but fake content, artfully impersonating lawyers and law firms.
The impact of GenAI
As to GenAI cyber threats, in 2025 a growing number of legal professionals worry about the new generation of risks posed by the novel capabilities of GenAI tools. The booming media hype and the waterfall of scaremongering press releases by cybersecurity vendors about the alleged omnipotence of GenAI bolster this fear of the unknown.
While the impact of GenAI on the amplitude and effectiveness of phishing or impersonation attacks – including fake voice and video content creation – should not be discounted, modern GenAI brings little value to sophisticated cyber gangs. In its current state – even after the pompously introduced OpenAI GPT-5 model – GenAI is still extremely far from inventing truly novel cyber-attacks or even creating previously unseen vulnerability exploitation techniques, let alone outsmarting skilled cybercriminals.
Having said this, law firms should pay attention to and scrutinise all incoming communications, including emails with any attached copies of documents, incoming phone messages or even live phone calls, as any of these could be a deepfake. I recently dealt with a case in which deepfake documents were printed on high-quality paper and wrapped in an expensive envelope before being mailed by postal carrier, evidently aimed at enhancing the credibility of the forgery.
Three strikes
Third parties, such as IT consultants, suppliers or accountants, certainly deserve a dedicated mention in the current cybersecurity landscape. Last year, 30 of 100 data breaches involved compromised third parties that had access to confidential data, including copies or even remote backups. Law firms should conduct due diligence on any external entities that have access to their confidential information to ascertain that technical, administrative and operational security controls are adequately implemented.
Asking for ISO 27001 or Cyber Essentials Plus certificates from third parties is a good starting point, as well as reviewing their data protection and privacy policies relevant to your business relationship.
In addition to boilerplate contractual clauses relating to data protection, liability and indemnification, it never hurts to ask your suppliers and consultants to provide a copy of their insurance that would cover both external and internal security incidents.
On top of third-party risk management, legal professionals and law firms should consistently follow foundational cybersecurity best practices to reduce their exposure to data breaches and digital fraud, as briefly elaborated below.
Best practice guidance
First, a data minimisation policy should be enforced across the entire law firm: all obsolete data that is not needed anymore for business, and is not required to be preserved by law, should be securely deleted from all computer systems, mobile devices, cloud storage, backups and third-party web applications. Even the most skilled hackers cannot steal information that does not exist. Moreover, firm-wide data minimisation will greatly help to comply with the UK GDPR requirements and other applicable privacy laws and regulations.
Second, even small law firms should have a comprehensive and up-to-date inventory of their hardware, software, data and users. All systems, including mobile devices and smart watches, must be continually updated to ensure that the most recent software and firmware are used everywhere. Inactive user accounts must be deleted promptly, while the access permissions of active users should be continually reviewed for relevance: as soon as a user no longer needs to access a specific application or document, their access rights should be adjusted accordingly. All operations with business-critical data – for example, confidential client data – must be logged and continually monitored for anomalies.
Third, anti-malware software should be installed on all devices and servers to detect and neutralise common cyber threats before they cause harm. An incremental backup of all business-critical data must be securely stored in an isolated remote environment: even if ransomware manages to penetrate your network and encrypt your data, you will be able to recover it without paying cryptocurrency to racketeers.
Wireless networks should have strong encryption and unguessable passwords. Likewise, multi-factor authentication (MFA) should be enabled on all online accounts, which should use unique and strong passwords. It is also pivotal to ensure that everybody in your law firm understands the importance of data protection and continually follows cybersecurity training.
In conclusion, one has to admit that the cyber threat landscape is becoming increasingly dangerous and complex in 2025. Having said this, legal professionals should undertake simple but effective precautionary measures, such as those concisely described above, to stay on top of the most frequent risks. A final thought: rumours about the invincible GenAI hacking threat are grossly exaggerated, to put it mildly.
Written by Dr Ilia Kolochenko, a Swiss cybersecurity and cybercrime investigations expert, and a lawyer. A Fellow at the European Law Institute and the British Computer Society, Ilia has a PhD in computer science, an LLM in information technology law from Edinburgh Law School, and an LLM in cyber, intelligence and national security law from Antonin Scalia Law School, George Mason University, Virginia.