Between 2025 and early 2026, Halcyon tracked more than 200 ransomware incidents targeting the legal sector. The INC ransomware group claimed attacks against ten law firms within a single 48-hour window. Law firms rank as the fourth most targeted industry by ransomware actors in the first months of 2026, behind only critical infrastructure sectors. And nearly 30% of law firms have already experienced a security breach, according to the ABA Cybersecurity TechReport.
The reason is structural. Law firms are attractive targets due to the sensitivity of client data, regulatory pressure to resolve incidents quickly, and a perceived willingness to pay ransoms to protect attorney-client privilege and confidential case materials. Ransomware demands against professional services firms in 2025 and 2026 ranged from $500,000 to $21 million, with the average just under $2 million. For a small or mid-sized practice, a ransom demand of that scale, arriving alongside the threat to publish privileged client communications, creates pressure to pay that no other industry faces quite the same way.
This article explains why law firms face this specific threat profile, what breach readiness looks like for small practices with limited IT resources, and what controls actually reduce the probability and cost of an incident.
Key stats: 200+ ransomware incidents targeted law firms between 2025 and early 2026. The average cost of a data breach for professional services firms is $4.56 million. 22.4% of law firms do not meet the standards of ABA Rule 1.6 for protecting client data. Ransom demands average just under $2 million for professional services firms. (Sources: Halcyon; IBM 2025; ABA; BakerHostetler DSIR 2026)
Why law firms face a unique threat profile
Three characteristics make law firms disproportionately attractive to ransomware actors, regardless of firm size:
The value of what they hold. Client files contain financial data, intellectual property, merger and acquisition details, litigation strategy, medical records, and confidential communications. This information has direct value to competitors, foreign intelligence services, and criminal extortion operations, independent of any ransom payment. Attackers who steal law firm data have multiple monetization paths available.
The time pressure built into legal practice. Ransomware actors time attacks to maximize pressure: before court deadlines, during trial, during deal closings, or at tax filing periods. A firm that loses access to its case management system three days before a major motion is due faces a different calculus than one whose billing system goes down on a Tuesday afternoon. Attackers know this and plan accordingly.
The privilege problem. Attorney-client privileged communications are the crown jewels of a law firm’s data. Modern ransomware groups do not just encrypt files; they exfiltrate data first and threaten to publish privileged communications if the ransom is not paid. Double extortion creates pressure that backups cannot resolve. Even if the firm restores from backup, the attacker still holds privileged materials that cannot be un-disclosed.
Armour Cybersecurity’s incident response plan assessment evaluates your firm’s current incident response capability, detection controls, and recovery options — identifying gaps before an attacker does. Get a Breach Readiness Assessment →
The ethical and regulatory obligations law firms carry after a breach
A cybersecurity incident at a law firm is not just an IT problem; it is an ethics problem that requires a structured cybersecurity assessment of risk, exposure, and compliance obligations. ABA Rule 1.6 requires lawyers to make reasonable efforts to prevent the unauthorized disclosure of client information. ABA guidance now explicitly defines what ‘reasonable’ cybersecurity looks like for lawyers, moving the standard from aspirational to enforceable. 22.4% of law firms do not currently meet Rule 1.6 standards based on self-reported data.
State bar associations and law societies add jurisdiction-specific obligations on top of ABA guidance. In the US, most state bars require breach notification to affected clients when confidential information has been compromised. In Canada, the Law Society of Ontario (LSO) and the Law Society of British Columbia (LSBC) have cybersecurity guidelines that define minimum security expectations and require firms to notify clients of breaches involving their information. Failure to meet these obligations creates disciplinary exposure independent of any regulatory fine.
Data privacy regulations add further notification obligations. In the US, state privacy laws in 19 states impose breach notification timelines ranging from 30 to 72 hours. At the federal level, the FTC Safeguards Rule applies to law firms that provide certain financial-adjacent services. In Canada, PIPEDA requires notification when a breach creates a real risk of significant harm to individuals, and law firm client data almost always meets that threshold.
What attackers do before the ransom note arrives
Understanding the attack sequence changes the readiness conversation. Ransomware at a law firm rarely begins with encryption. The typical 2026 attack proceeds as follows:
- Initial access: most commonly through a phishing email targeting a staff member or attorney, a compromised credential, or exploitation of a vulnerability in a legal technology platform. Supply chain attacks targeting shared eDiscovery providers, cloud storage platforms, or document management vendors are an emerging vector — INC Ransom’s concentrated campaign against multiple law firms within 48 hours points to a possible shared technology provider breach.
- Lateral movement: once inside, the attacker maps the network, identifies the most valuable data (privileged communications, client files, financial records), and moves toward domain controllers and administrative accounts. The median attacker dwell time before triggering ransomware is now 4 to 5 days.
- Backup targeting: before deploying ransomware, sophisticated groups specifically seek out and compromise backup systems. 96% of ransomware attacks target backup repositories, and 76% succeed. A firm without isolated, tested backups has no recovery path that does not involve negotiation.
- Data exfiltration: client files, email archives, and privileged communications are exfiltrated to attacker infrastructure. This is the foundation of double extortion: the attacker has leverage whether or not the firm has working backups.
- Ransomware deployment: typically timed for maximum disruption: weekends, overnight, or immediately before a known deadline.
Breach readiness for small law practices: the practical framework
Breach readiness for a small practice does not require enterprise infrastructure, but it does require a documented cybersecurity strategy aligned with business and regulatory requirements. It requires the right controls, correctly configured, and a tested response capability. Here is the framework:
- Identity protection: MFA on every system that holds client data, email, document management, case management, billing, and remote access. Phishing-resistant MFA (FIDO2 or passkeys) for partners and administrators. Conditional Access policies that block sign-ins from unmanaged devices or high-risk locations.
- Email security: Microsoft Defender for Office 365 or equivalent, with anti-impersonation protection for partner names and firm domains, Safe Links and Safe Attachments, and attack simulation training for all staff. An average 25-attorney US firm receives 14 attempted partner impersonation emails per month; 11 are caught with proper Defender configuration, and 3 reach the inbox without it.
- Endpoint detection and response: Behavioural EDR on every endpoint, replacing legacy antivirus, often supported through managed SOC services that provide continuous monitoring and threat detection. EDR detects the lateral movement and privilege escalation that precede ransomware deployment; standard antivirus detects only known malware signatures, which attackers modify to evade.
- Data classification and access controls: Client files should be classified by matter and accessible only to attorneys and staff working on that matter. Broad file share access is the single biggest blast radius amplifier in a law firm breach.
- Isolated, tested backups: Backups stored in a location not accessible from the primary network (air-gapped or immutable cloud storage). Tested for actual restoration quarterly. The firms that recover from ransomware without paying are overwhelmingly the ones with working, isolated backups.
- Documented incident response plan: Who to call, in what order, through what channel (out-of-band, since email may be compromised), with pre-drafted client notification templates and bar association reporting timelines documented.
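The "isolated, tested backups" control above is only as good as the restore test behind it. The following script is an added example, not Armour Cybersecurity's tooling or any backup vendor's API: it assumes the backup job records a JSON manifest of relative paths and SHA-256 digests when the backup is taken, and that the quarterly test restore lands in a scratch directory. It then reports which client files are missing from the restore, which were altered since the backup, and which appeared without being in the manifest (a sign the restore target was not clean). The sample matter and billing files are constructed inside a temporary directory so the script runs offline.

```python
"""Quarterly restore test for a law-firm file backup: verify a restored tree
against the hash manifest recorded when the backup was taken.

Added example; not Armour Cybersecurity's tooling or any backup vendor's API.
Assumes the backup job writes a JSON manifest (relative path -> SHA-256) and
that the test restore lands in a scratch directory.
"""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def build_manifest(root: Path) -> dict:
    """Record the SHA-256 of every file under root, keyed by relative POSIX path."""
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            manifest[path.relative_to(root).as_posix()] = digest
    return manifest


def verify_restore(restore_root: Path, manifest: dict) -> dict:
    """Compare a restored tree to the manifest.

    Returns sorted lists of files missing from the restore, files whose
    contents differ from the backup-time hash, and files present in the
    restore that the manifest never listed.
    """
    restored = build_manifest(restore_root)
    return {
        "missing": sorted(p for p in manifest if p not in restored),
        "modified": sorted(p for p in manifest if p in restored and restored[p] != manifest[p]),
        "unexpected": sorted(p for p in restored if p not in manifest),
    }


def restore_passed(result: dict) -> bool:
    """A restore test passes only when nothing is missing or altered."""
    return not result["missing"] and not result["modified"]


def demo() -> tuple:
    """Constructed scenario in a temp directory: a clean restore that passes,
    and a damaged restore with one file altered and one file missing."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "source"
        (src / "matters" / "2026-001").mkdir(parents=True)
        (src / "matters" / "2026-001" / "engagement_letter.txt").write_text("constructed sample\n")
        (src / "matters" / "2026-001" / "privileged_memo.txt").write_text("constructed memo\n")
        (src / "billing").mkdir()
        (src / "billing" / "invoices.csv").write_text("matter,amount\n2026-001,1500\n")

        # Manifest written at backup time; in practice it is stored with the backup set.
        manifest_file = Path(tmp) / "manifest.json"
        manifest_file.write_text(json.dumps(build_manifest(src), indent=2))
        manifest = json.loads(manifest_file.read_text())

        # Restore 1: faithful copy of the backed-up tree.
        clean = Path(tmp) / "restore_clean"
        shutil.copytree(src, clean)
        clean_result = verify_restore(clean, manifest)

        # Restore 2: one privileged file altered, one billing file never restored.
        damaged = Path(tmp) / "restore_damaged"
        shutil.copytree(src, damaged)
        (damaged / "matters" / "2026-001" / "privileged_memo.txt").write_text("altered\n")
        (damaged / "billing" / "invoices.csv").unlink()
        damaged_result = verify_restore(damaged, manifest)

    return clean_result, damaged_result


if __name__ == "__main__":
    for label, result in zip(("clean", "damaged"), demo()):
        print(label, "PASS" if restore_passed(result) else "FAIL", result)
```

Storing the manifest alongside the immutable backup copy, rather than on the primary file server, keeps an attacker who has reached the production network from rewriting both the files and the record of what they should look like; the quarterly test then becomes a pass/fail result the managing partner can read rather than an assumption that the backup "probably works".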
Armour Cybersecurity’s Zero Dollar IR Retainer gives your firm 24/7 access to incident response experts at no upfront cost, so the team that responds is already familiar with your environment when it matters. Learn about the Zero Dollar IR Retainer →
What to do in the first hour of a law firm ransomware incident
- Activate your incident response team through an out-of-band channel, not email, which may be compromised. A secure group chat on personal devices is the standard approach.
- Isolate affected systems from the network without powering them off: disconnect network cables or disable WiFi so that volatile memory evidence is preserved.
- Do not pay and do not announce; both actions can complicate law enforcement cooperation and insurer coordination. Contact legal counsel before any external communication.
- Contact your incident response services provider or retainer immediately. The first 4 hours determine whether the incident is contained or catastrophic.
- Notify your cyber insurer. Most policies require prompt notification; delayed notification can create grounds for coverage disputes.
- Begin the bar association and regulatory notification assessment with legal counsel. Notification timelines run from detection, not resolution.
Frequently asked questions
Do small law firms really get targeted by ransomware groups?
Yes, and increasingly so. Halcyon tracked 200+ ransomware incidents in the legal sector between 2025 and early 2026. Ransomware-as-a-Service platforms make targeting small firms economically viable: the automation does the work, the affiliate takes a share of the ransom, and the economics are attractive because small firms have weaker defenses than enterprises. Ransom demands are calibrated to the size of the target; a 10-attorney firm receives a smaller demand than an Am Law 100 firm, but the demand is still typically more than the firm’s annual IT budget.
Does attorney-client privilege protect us from having to disclose a breach?
No, and this misconception can make things worse. Attorney-client privilege protects confidential legal communications between attorney and client from compelled disclosure in legal proceedings. It does not exempt law firms from breach notification obligations under state privacy laws, bar association rules, or data protection regulations. In fact, privilege considerations in a breach response must be carefully managed: forensic investigation reports conducted under legal privilege may be protectable, but the breach itself and the notification obligations it triggers are not.
Should a small law firm pay a ransomware demand?
The data argues strongly against it. 80% of organizations that pay ransoms are attacked again within 12 months. Only 4% of those who pay recover all their data. More importantly for law firms: paying does not guarantee that exfiltrated privileged communications will not be published or sold. Law enforcement, including the FBI and RCMP, advise against paying and have resources specifically to assist law firms with ransomware incidents. Engage law enforcement and legal counsel before making any payment decision.
What is the ABA’s current guidance on law firm cybersecurity?
ABA Formal Opinion 483 and subsequent guidance make clear that lawyers have duties of competence, confidentiality, and communication that extend to cybersecurity. Specifically: lawyers must keep client information secure using reasonable measures appropriate to the sensitivity of the information; lawyers must notify clients if a breach involves their confidential information; and the definition of ‘reasonable’ cybersecurity has become more specific as threats have evolved. State bar guidance adds jurisdiction-specific requirements; Canadian law societies in Ontario and BC have published detailed cybersecurity guidelines with minimum security expectations for member firms.
The law firms that survive ransomware attacks in 2026 are not the ones with the most sophisticated security infrastructure. They are the ones that built the foundational capability (isolated backups, MFA, EDR, a tested response plan), often by leveraging managed cybersecurity services, before an attacker found the gap. The data on law firm targeting is unambiguous: the legal sector is under sustained attack, small firms are not exempt, and the privilege of client confidentiality creates a unique extortion leverage that makes the threat more dangerous than it would be for any other industry.
Armour Cybersecurity’s Breach Readiness Assessment evaluates your firm’s incident response plan, backup integrity, detection capability, and identity controls, and delivers a prioritized remediation roadmap your managing partner can act on before a ransomware group does.