There has been a significant increase in the number of cyber attacks impacting the legal industry over the past few years, most notably including business email compromises and ransomware.
From sole practitioners to large multi-national law firms, legal professionals continue to be a major target for cybercriminals. In this article, we explore the emerging ways in which the cybercriminals’ methods are evolving.
Targeting junior lawyers
Kennedys’ cyber team has been supporting a growing number of firms taken offline by the same ransomware tactic which, once an initial point of entry has been established, allows (theoretical) access to a firm’s entire IT system. This emerging threat is incredibly simple, yet devastatingly effective.
Certain cybercriminals will act as ‘initial access brokers’, securing unauthorised access to a victim’s systems, before then selling that access on to ransomware groups. One such cyber broking group appears to be focussing exclusively on the legal industry.
By injecting malicious code into documents titled (for example) ‘Template Confidentiality Agreement’, these cyber brokers are coaxing unsuspecting and typically inexperienced lawyers into downloading such code when searching for (and clicking on) precedents online. Once the malicious code has been downloaded, initial access can be gained to that lawyer’s desktop, before the attacker then moves laterally to the wider IT environment within the law firm.
Without early detection, wholesale encryption of systems and exfiltration of sensitive data will often follow, with first awareness of the attack being at the point of IT disruption and (typically) identification of a ransom note demanding payment.
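The article does not say how the code is embedded in these ‘template’ documents. One common pattern for a booby-trapped Office file is a macro-enabled package or a document whose relationships pull a template from a remote URL, and a firm can screen downloaded precedents for those traits before they are opened. The following is an added example written for this article, not code from Kennedys or from any product; it inspects the OOXML (docx/docm) package structure, which is a ZIP container, and the sample documents it builds are constructed in memory purely for demonstration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

# Content types that mark a Word/Excel/PowerPoint package as macro-enabled
# (from the OOXML specification; these strings appear in [Content_Types].xml).
MACRO_CONTENT_TYPES = {
    "application/vnd.ms-word.document.macroEnabled.main+xml",
    "application/vnd.ms-word.template.macroEnabledTemplate.main+xml",
    "application/vnd.ms-excel.sheet.macroEnabled.main+xml",
    "application/vnd.ms-powerpoint.presentation.macroEnabled.main+xml",
}
RELS_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"


def inspect_office_document(data: bytes) -> Dict[str, object]:
    """Collect structural indicators from an OOXML package without opening it in Office."""
    findings: Dict[str, object] = {
        "is_ooxml": False, "has_vba_project": False,
        "macro_content_type": False, "external_targets": [],
    }
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings  # not a ZIP container, so not an OOXML document
    names = zf.namelist()
    findings["is_ooxml"] = "[Content_Types].xml" in names
    # Macro-enabled documents ship their VBA code as a binary part named vbaProject.bin.
    findings["has_vba_project"] = any(n.lower().endswith("vbaproject.bin") for n in names)
    if findings["is_ooxml"]:
        content_types = zf.read("[Content_Types].xml").decode("utf-8", "replace")
        findings["macro_content_type"] = any(t in content_types for t in MACRO_CONTENT_TYPES)
    # Relationship parts with TargetMode="External" can point at resources outside the file,
    # e.g. an attached template fetched from a remote server when the document opens.
    external: List[str] = []
    for n in names:
        if not n.endswith(".rels"):
            continue
        try:
            root = ET.fromstring(zf.read(n))
        except ET.ParseError:
            continue
        for rel in root.iter(RELS_NS + "Relationship"):
            if rel.get("TargetMode") == "External" and rel.get("Target"):
                external.append(rel.get("Target"))
    findings["external_targets"] = external
    return findings


def triage(data: bytes) -> Dict[str, object]:
    """Apply a simple quarantine policy to the indicators (policy thresholds are illustrative)."""
    f = inspect_office_document(data)
    reasons: List[str] = []
    if f["has_vba_project"] or f["macro_content_type"]:
        reasons.append("macro-enabled document")
    for target in f["external_targets"]:
        if target.lower().startswith(("http://", "https://")):
            reasons.append(f"external relationship target: {target}")
    f["quarantine"] = bool(reasons)
    f["reasons"] = reasons
    return f


def build_sample(macro_enabled: bool, remote_template: Optional[str] = None) -> bytes:
    """Constructed minimal OOXML package for testing; not a real Word document."""
    main_ct = ("application/vnd.ms-word.document.macroEnabled.main+xml" if macro_enabled
               else "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml")
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
        '<Default Extension="xml" ContentType="application/xml"/>'
        f'<Override PartName="/word/document.xml" ContentType="{main_ct}"/></Types>'
    )
    rels = ['<?xml version="1.0" encoding="UTF-8"?>',
            '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">']
    if remote_template:
        rels.append('<Relationship Id="rId9" Type="http://schemas.openxmlformats.org/officeDocument/2006/'
                    f'relationships/attachedTemplate" Target="{remote_template}" TargetMode="External"/>')
    rels.append("</Relationships>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/_rels/document.xml.rels", "".join(rels))
        if macro_enabled:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)  # placeholder bytes, not real VBA
    return buf.getvalue()


if __name__ == "__main__":
    for label, doc in [("clean", build_sample(False)),
                       ("macro", build_sample(True)),
                       ("remote-template", build_sample(False, "https://example.invalid/t.dotm"))]:
        print(label, triage(doc)["reasons"])
```

In practice this check would sit at the download or mail gateway, or in an endpoint script run over the user’s Downloads folder, and a hit would route the file to review rather than to the user; it does not replace endpoint protection, but it catches the simplest form of the ‘template’ lure before the code ever runs.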
Third party file sharing platforms
Transferring sensitive data to and from clients, the court, counsel and other experts is an everyday occurrence for many lawyers. Doing so securely is essential, not just because of contractual requirements to keep data safe, but also because of regulatory requirements to do so.
In recent months there have been a growing number of high-profile cyber attacks against the providers of file transfer platforms, including MOVEit (see our articles, When cyber criminals decide to MOVEit and MOVEit: Legal implications and remediation steps required) and, more recently, Cleo. As with the first trend detailed above, there is a particular ransomware group focussing on supply chain attacks, making it very likely that other such file transfer platforms are being actively targeted.
Whilst the software providers have been the primary victims of such cyber attacks, those using the platforms to transfer data have subsequently become secondary victims, with data being exfiltrated from users’ accounts and each user then being held to ransom to prevent publication of the extracted data online.
The increasing use of AI by cybercriminals
In our recent article, The evolving ways in which cybercriminals are leveraging AI in early 2025, Kennedys’ cyber team reported on an emerging risk we have identified concerning the exploitation of Microsoft Teams by cybercriminals, together with evolving AI techniques.
In short, cybercriminals are spamming employees with deliberately suspicious-looking emails, then masquerading as someone from the target organisation’s IT team in order to coax the concerned employee into granting remote access to their desktop. Our prediction is that such cybercriminals will increasingly use ‘deepfake’ audio, and even video, to further convince their victims.
Given we know cybercriminals target the legal industry due to a perception of ‘deep pockets’, the increasing use of AI and particularly deepfake technology as a form of advanced social engineering is something for all legal professionals to be aware of, with employee training being essential.
For those specialising in high-profile litigation, or perhaps transactional work, we consider it very possible that cybercriminals will start to leverage AI to create ‘smoking gun’ style documents with which they seek to hold legal professionals to ransom in order to prevent publication to the press, even if the document is fake. This is something we have seen in other industries already, with cybercriminals claiming the document (typically a compromising image) was taken from the victim’s systems following a cyber attack.
How to mitigate the risk of a cyber attack
Aside from implementing appropriate technical and organisational measures to ensure a level of IT security appropriate to the risk, awareness that humans are often the ‘weakest link’ is imperative.
For each of the risks above, up-to-date employee training and clear acceptable use policies can help to mitigate the risk of a cyber attack; in the event an incident does occur, effective breach response planning can allow for early detection and containment.
In addition to effective planning, immediate access to experts can often make the difference between short-term disruption and long-term outages, the latter resulting in very significant operational issues and often third party claims.