Threat Intel

Why law firms are prime targets in 2025 & beyond

Pound for pound, law firms are one of the most attractive targets on the internet — and most of them have no idea. It isn’t about size. It’s about what a firm holds and how it operates: a dense concentration of high-value, confidential data, sitting on deadline-driven workflows, often defended by a small IT team stretched thin. To an attacker running the numbers, that’s a near-perfect target.

The data backs it up — and it’s getting worse every year. Here’s what’s actually happening, who’s behind it, and the controls that move the needle.

What the data says

  • The FBI’s 2024 Internet Crime Report logged a record $16.6 billion in cybercrime losses. The top complaint categories — phishing/spoofing, extortion, and personal-data breaches — are all common entry points into law firms.
  • In the UK, successful cyberattacks on law firms jumped 77% year-over-year (538 → 954) — part of a global trend that hits firms of every size.
  • “Legal & Professional Services” ranked 6th among all sectors for publicly reported ransomware and data-leak attacks in 2024 (roughly 400 organizations), behind only a handful of much larger industries.
  • Business Email Compromise (BEC) remains one of the single highest-loss categories reported to the FBI — on the order of $8.5 billion lost over three years.

This isn’t hypothetical

The headlines from the last few years read like a warning shot aimed straight at the legal sector:

  • MOVEit (Cl0p). The 2023 mass-exploitation of the MOVEit file-transfer tool hit hundreds of organizations, including Kirkland & Ellis — now tied to class-action litigation over the incident.
  • Allen & Overy. The ransomware group LockBit claimed responsibility for a 2023 data incident affecting the firm’s systems and data.
  • Silent Ransom Group (SRG). In 2025 the FBI/IC3 warned that SRG has consistently targeted U.S. law firms since spring 2023, specifically for data-theft extortion.

The real threats hitting law firms

Five attack patterns account for the overwhelming majority of the damage. Here’s how each one lands — and why firms are uniquely exposed to it.

1. Ransomware & double/triple extortion

How it lands: phishing leads to credential theft or MFA fatigue; unpatched edge services and stolen VPN/RDP credentials get attackers in; exploits in widely used file-transfer and collaboration software do the rest. Operators steal client data and encrypt systems, then threaten to leak. Why firms: legal data is high-value and firms are deadline-driven, which makes extortion leverage brutal. For scale — leak-site activity hit roughly 5,939 posts in 2024 across about 75 active groups, with a median ransom near $200k in Q3 2024.

2. Business Email Compromise & Vendor Email Compromise

How it lands: social engineering and MFA push-fatigue, OAuth app abuse, malicious mailbox rules, and thread-hijacking — all aimed at diverting wire transfers, settlement funds, or client retainers. Why firms: trust relationships and escrow/settlement workflows are exactly the kind of money movement BEC is built to hijack.

3. Supply-chain & third-party risk

How it lands: zero-days in common platforms (the MOVEit CVE-2023-34362 mass-exploitation is the textbook case), vendor breaches, and malicious updates. Why firms: e-discovery tools, file-transfer platforms, and plug-ins mean a single vendor compromise can expose many firms at once.

4. Unpatched systems & edge misconfigurations

How it lands: known-vulnerability exploitation of Citrix, ScreenConnect, and SSL-VPN appliances; weak auth on remote access; stale SSO scopes. Why firms: roughly one-third of ransomware starts with an unpatched system — and small legal IT teams struggle to keep a tight patch cadence.

5. Data exfiltration from cloud & collaboration suites

How it lands: mis-scoped sharing, token theft, legacy IMAP/POP, weak DLP, and no tenant-to-tenant restrictions with counterparties. Why firms: matters-in-flight, M&A documents, and PII/PHI are easy to monetize — and increasingly, attackers skip encryption entirely and go straight to data theft, because the leak threat alone is enough leverage.

More and more, attackers don’t even bother encrypting. They just take the data — because for a law firm, the threat of disclosure is the whole game.

The actors targeting SMB law firms

Precise per-sector victim counts are rarely published, so treat this as a ranked proxy — weighted by overall 2024–2025 activity plus documented law-firm targeting, not raw counts.

  • LockBit — prolific ransomware-as-a-service; linked to the Allen & Overy incident; consistently among the most active.
  • Black Basta — one of the most active groups of 2024, with frequent hits on professional services.
  • Cl0p — supply-chain specialist behind the MOVEit mass breaches that touched many firms.
  • ALPHV/BlackCat — high-impact extortion, active through 2023–2024 despite law-enforcement disruption.
  • Akira — rapid rise against small and mid-size firms using data-theft extortion.
  • BianLian — known for exfiltration-only pressure tactics against professional services.
  • Play — steady leak-site presence across mid-market organizations.
  • Medusa — flagged by the FBI/CISA in 2025 for hundreds of victims, overlapping with firms’ vendor ecosystems.
  • 8Base — surged in 2023–2024 against SMBs with noisy leak-site operations.
  • Silent Ransom Group (SRG) — singled out by the FBI/IC3 specifically for targeting U.S. law firms since 2023.

Controls that actually move the needle

The good news: the same handful of controls neutralize most of this. Mapped to the threats above:

  • Ransomware & data theft: EDR + MDR, phishing-resistant MFA (FIDO2/passkeys), close exposed RDP/VPN, a 7–14 day patch window on edge services, hardened Microsoft 365 / Entra ID baselines, and immutable backups you’ve actually restore-tested.
  • BEC / VEC: Conditional Access with impossible-travel and token-anomaly detection, block legacy auth, monitor for malicious mailbox rules, require out-of-band verification on any payment change, and enforce DKIM/DMARC.
  • Supply chain: real vendor-risk reviews, patch SLAs for file-transfer tools, isolation of high-risk third-party connections, and DLP/CASB on client and matter repositories.
  • Cloud data-leak prevention: tighten Microsoft 365 / Google Workspace sharing scopes, apply client-matter DLP policies, use label-based encryption, and restrict external tenants.

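The "monitor for malicious mailbox rules" control in the BEC bullet, as an added illustration that is not part of the original post: a small triage function run over constructed audit records shaped like Microsoft 365 inbox-rule events (parameter names mirror the Exchange Online *-InboxRule cmdlets), assuming the firm's own mail domain is examplelaw.test.

```python
# Domains the firm owns (assumption for this example).
FIRM_DOMAINS = {"examplelaw.test"}
# Folders commonly used to hide diverted mail from the mailbox owner.
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history", "junk email", "archive"}
# Filter words that suggest a rule is watching for money movement (BEC/VEC).
MONEY_WORDS = ("wire", "invoice", "payment", "settlement", "retainer", "escrow")

def _params(record):
    """Flatten the Parameters list of an inbox-rule audit record into a dict."""
    return {p["Name"]: p["Value"] for p in record.get("Parameters", [])}

def _external(addresses):
    # True if any address in a ';' or ',' separated list is outside the firm.
    for addr in addresses.replace(";", ",").split(","):
        addr = addr.strip().lower()
        if "@" in addr and addr.rsplit("@", 1)[1] not in FIRM_DOMAINS:
            return True
    return False

def inbox_rule_findings(records):
    """Return one finding per New-/Set-InboxRule record showing BEC-style traits."""
    findings = []
    for rec in records:
        if rec.get("Operation") not in ("New-InboxRule", "Set-InboxRule"):
            continue
        p, reasons = _params(rec), []
        for key in ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"):
            if key in p and _external(p[key]):
                reasons.append(f"{key} to external address")
        if str(p.get("DeleteMessage", "")).lower() == "true":
            reasons.append("rule deletes matching mail")
        folder = str(p.get("MoveToFolder", "")).split("\\")[-1].lower()
        if folder in HIDING_FOLDERS:
            reasons.append(f"moves mail to '{folder}'")
        if any(w in str(p.get("SubjectContainsWords", "")).lower() for w in MONEY_WORDS):
            reasons.append("filters on payment-related subjects")
        if reasons:
            findings.append({"user": rec.get("UserId"), "rule": p.get("Name", p.get("Identity")), "reasons": reasons})
    return findings

# Constructed sample records shaped like Unified Audit Log inbox-rule events;
# Parameters mirror the Exchange Online *-InboxRule cmdlet parameter names.
SAMPLE_RECORDS = [
    {"Operation": "New-InboxRule", "UserId": "partner@examplelaw.test", "Parameters": [
        {"Name": "Name", "Value": "."}, {"Name": "SubjectContainsWords", "Value": "wire;settlement"},
        {"Name": "ForwardTo", "Value": "ops@attacker-mail.test"}, {"Name": "MoveToFolder", "Value": "RSS Feeds"}]},
    {"Operation": "Set-InboxRule", "UserId": "paralegal@examplelaw.test", "Parameters": [
        {"Name": "Identity", "Value": "cleanup"}, {"Name": "DeleteMessage", "Value": "True"}]},
    {"Operation": "New-InboxRule", "UserId": "assoc@examplelaw.test", "Parameters": [
        {"Name": "Name", "Value": "Client mail"}, {"Name": "MoveToFolder", "Value": "Clients\\Acme"},
        {"Name": "ForwardTo", "Value": "assistant@examplelaw.test"}]},
]
```

In a real tenant the records come from the unified audit log export; the third sample (internal forward to a normal folder) is the benign baseline the function should stay quiet on.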
Where 0x3 comes in

Reading a threat list is one thing. Knowing which of these doors is actually open at your firm is another — and that’s the part a checklist can’t answer. We attack your firm the way these groups would: external and internal penetration testing to find the exploitable path, BEC and email/domain hardening to shut down the wire-fraud vector, and 24/7 managed detection and response so an intrusion gets caught in minutes, not months. Then we hand you a prioritized, plain-English plan — the same evidence your malpractice carrier and clients increasingly expect.

If your firm hasn’t been tested by someone on your side, it’s being tested by someone who isn’t.

Sources

FBI Internet Crime Complaint Center (IC3) — 2024 Internet Crime Report & 2025 advisories; The Law Society Gazette (UK attack figures); QBE sector report (Legal & Professional Services ranking); Rapid7 2024 ransomware review; Coveware and Palo Alto Unit 42 (extortion trends and actor profiles); Reuters (MOVEit / Kirkland litigation; LockBit at Allen & Overy); Infosecurity Magazine (top active ransomware groups).
