Cybercriminals are rapidly advancing their tactics, and law firms are increasingly being targeted. The first half of 2025 has seen a sharp rise in sophisticated attacks that compromise cloud infrastructure, exploit legal grey areas, and apply psychological pressure during extortion. For legal practices, the risks are significant, ranging from the loss of sensitive client data to reputational damage and regulatory consequences. Quorum Cyber’s Relentless Threats: 2025 Mid-Year Global Cyber Risk Outlook offers a strategic lens into how attackers operate and what defenders must do to stay ahead.   

Why law firms are prime targets 

Legal organisations hold a wealth of sensitive information, from intellectual property and financial records to confidential client communications. They often serve as intermediaries in high-value transactions, making them attractive targets for ransomware and data theft.  

While many law firms have made strides in strengthening their cyber defences, the sector remains a high-value target for increasingly sophisticated threat actors. The combination of sensitive client data, complex regulatory obligations, and growing reliance on cloud infrastructure presents unique challenges. Security leaders in legal practices must navigate a threat landscape shaped by professionalised cybercrime operations, where attackers exploit both technical vulnerabilities and legal ambiguity to maximise impact.  

Key threats shaping the legal sector’s risk landscape 

  1. Cloud-Native Ransomware: Codefinger

In January 2025, Quorum Cyber identified Codefinger, a ransomware group exploiting Amazon Web Services (AWS) features to encrypt cloud-stored data. By abusing Server-Side Encryption with Customer-Provided Keys (SSE-C), Codefinger rendered data irrecoverable without the ransom key.  

This marks a shift from endpoint encryption to cloud-native extortion, targeting infrastructure that law firms increasingly rely on. The use of legitimate cloud APIs for malicious purposes underscores the need for strong cloud key management and encryption policy monitoring.  

  2. Resilient Infostealers: Acreed

Following the takedown of the Lumma stealer, a new variant called Acreed surged in popularity on Russian cybercrime forums. Acreed targets browser-stored credentials, cryptocurrency wallets, and payment data, all assets that legal professionals handle routinely.

Despite law enforcement efforts, Acreed’s rapid adoption highlights the resilience of underground markets and the persistent demand for credential-harvesting tools. Law firms must implement phishing-resistant MFA, limit browser diversity, and monitor for exposed credentials on the dark web.  

  3. Nation-State and Criminal Convergence: Moonstone Sleet & Qilin

In a striking development, North Korea’s Moonstone Sleet deployed Qilin ransomware, a commercially available Ransomware-as-a-Service (RaaS) platform, in attacks against software firms. This convergence of state and criminal capabilities complicates attribution and increases the risk of legal entanglements.  

For law firms, this raises the stakes. If a ransomware attack is linked to a sanctioned entity, paying the ransom could violate international law. Firms must ensure their incident response plans include legal consultation and threat actor attribution capabilities.  

  4. Quadruple Extortion: Qilin’s Legal Harassment Tactics

Qilin has expanded its extortion toolkit to include legal intimidation and customer harassment. This includes filing complaints with regulators, contacting clients using stolen PII, and threatening reputational damage.  

This tactic is particularly dangerous for law firms, where client trust is paramount. A breach followed by direct client harassment could irreparably damage relationships and brand reputation. Firms must prepare for multi-vector extortion scenarios and ensure their crisis communications and legal teams are integrated into incident response planning.  

  5. Ransomware Cartels and White-Label Services: DragonForce & RansomBay

The DragonForce cartel and its associated platform RansomBay represent a new phase in ransomware operations. These groups offer affiliates the ability to rebrand ransomware payloads, operate under custom identities, and access support services like call centres and negotiation bots.  

This franchise-style model lowers the barrier to entry for cybercriminals and increases the volume and diversity of attacks. For law firms, this means more frequent, more targeted, and harder-to-attribute attacks. Defensive strategies must evolve to address this decentralised threat landscape.  

  6. AI-Driven Extortion: GLOBAL Ransomware

The GLOBAL RaaS platform introduced an AI-powered negotiation chatbot, designed to automate and scale extortion communications. This innovation increases pressure on victims and reduces opportunities for human-led negotiation tactics.  

Law firms must anticipate the psychological and operational impact of AI-driven extortion. This includes training incident response teams to identify and counter AI negotiation patterns, and ensuring rapid intelligence sharing across sectors.  

Financial impact and sector-specific trends 

Quorum Cyber’s data shows a 53% increase in initial ransomware demands between Q1 2022 and Q1 2025, with the legal sector often facing demands tailored to its perceived ability to pay and the sensitivity of its data.  

While finance and manufacturing sectors saw the highest increases (+179% and +97% respectively), law firms are not immune. The professionalisation of RaaS platforms means attackers are increasingly pricing their demands based on sector, size, and perceived risk tolerance.  

Checklist for legal security professionals  

To counter these evolving threats, Quorum Cyber recommends the following:  

  1. Harden Cloud Storage and Key Management
  • Disable customer-managed encryption features like AWS SSE-C unless strictly required.  
  • Implement logging and alerting on changes to encryption policies and access permissions.  
  2. Enhance User Awareness
  • Train staff on social engineering tactics, including fake job offers and credential phishing.  
  • Encourage timely reporting of suspicious activity.  
  3. Deploy Phishing-Resistant MFA
  • Use FIDO2 security keys or device-bound passkeys for privileged accounts.  
  • Avoid SMS and app-based OTPs, which attackers increasingly bypass.
  4. Implement Conditional Access Policies
  • Dynamically assess user identity, device posture, and location before granting access.  
  • Enforce regular MFA re-authentication: every 2–3 days for general users and every 8 hours for admins.
  5. Monitor for Credential Exposure
  • Establish continuous monitoring for exposed credentials and brand impersonation.  
  • Rotate credentials promptly and assess potential access paths if exposures are found.  
  6. Prepare for Multi-Vector Extortion
  • Integrate legal, communications, and technical teams into incident response planning.  
  • Develop playbooks for client harassment, regulatory complaints, and reputational attacks.  
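The first checklist item, and the Codefinger section above it, both come down to two controls: refuse SSE-C writes where the business does not need them, and alert when they happen anyway. The script below is an added illustration of both and is not Quorum Cyber's code or tooling. It assumes the documented shape of CloudTrail S3 data events (the `additionalEventData.SSEApplied` field and the `x-amz-server-side-encryption-customer-algorithm` request header) and the S3 bucket-policy condition key of the same name; the account id, bucket, object keys and principals in the sample events are constructed.

```python
import json

# Constructed sample CloudTrail S3 data events, not real logs. The field
# additionalEventData.SSEApplied and the request header
# x-amz-server-side-encryption-customer-algorithm are AWS's documented names;
# the account id, bucket, keys and principals are made up for illustration.
SAMPLE_EVENTS = [
    {"eventTime": "2025-01-14T02:11:09Z", "eventName": "PutObject",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/backup-svc"},
     "requestParameters": {"bucketName": "client-matters", "key": "case-001/brief.pdf"},
     "additionalEventData": {"SSEApplied": "SSE_KMS"}},
    {"eventTime": "2025-01-14T02:14:33Z", "eventName": "CopyObject",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/backup-svc"},
     "requestParameters": {"bucketName": "client-matters", "key": "case-001/brief.pdf",
                           "x-amz-server-side-encryption-customer-algorithm": "AES256"},
     "additionalEventData": {"SSEApplied": "SSE_C"}},
    {"eventTime": "2025-01-14T02:14:34Z", "eventName": "CopyObject",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/backup-svc"},
     "requestParameters": {"bucketName": "client-matters", "key": "case-002/contract.docx",
                           "x-amz-server-side-encryption-customer-algorithm": "AES256"},
     "additionalEventData": {"SSEApplied": "SSE_C"}},
    {"eventTime": "2025-01-14T09:00:00Z", "eventName": "GetObject",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/paralegal-a"},
     "requestParameters": {"bucketName": "client-matters", "key": "case-002/contract.docx"},
     "additionalEventData": {"SSEApplied": "SSE_KMS"}},
]

SSEC_HEADER = "x-amz-server-side-encryption-customer-algorithm"


def is_ssec_event(event):
    """True if the S3 request applied, or asked for, customer-provided keys."""
    applied = event.get("additionalEventData", {}).get("SSEApplied")
    params = event.get("requestParameters", {})
    return applied == "SSE_C" or SSEC_HEADER in params


def find_ssec_writes(events):
    """Return one finding per write request that used SSE-C.

    Reads are ignored: only a write (PutObject, or CopyObject over the same
    key) can replace a recoverable object with one encrypted under a key the
    account does not hold.
    """
    findings = []
    for ev in events:
        if ev.get("eventName") not in ("PutObject", "CopyObject"):
            continue
        if not is_ssec_event(ev):
            continue
        params = ev.get("requestParameters", {})
        findings.append({
            "time": ev.get("eventTime"),
            "principal": ev.get("userIdentity", {}).get("arn"),
            "api": ev["eventName"],
            "bucket": params.get("bucketName"),
            "key": params.get("key"),
        })
    return findings


def summarise_by_principal(findings):
    """Count SSE-C writes per principal; a burst from one identity is the signal."""
    counts = {}
    for f in findings:
        counts[f["principal"]] = counts.get(f["principal"], 0) + 1
    return counts


def ssec_deny_policy(bucket):
    """Bucket policy denying any PutObject that carries an SSE-C header.

    CopyObject needs s3:PutObject on the destination, so it is covered too.
    The Null condition with "false" matches when the key IS present in the
    request, which is exactly the case to deny.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenySSECWrites",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": f"arn:aws:s3:::{bucket}/*",
            "Condition": {"Null": {"s3:" + SSEC_HEADER: "false"}},
        }],
    }


if __name__ == "__main__":
    hits = find_ssec_writes(SAMPLE_EVENTS)
    for h in hits:
        print(f"ALERT SSE-C write {h['api']} by {h['principal']} "
              f"on s3://{h['bucket']}/{h['key']} at {h['time']}")
    print(summarise_by_principal(hits))
    print(json.dumps(ssec_deny_policy("client-matters"), indent=2))
```

Apply the deny policy only to buckets where no workload legitimately uses SSE-C, and keep the detection running regardless: a principal that suddenly starts issuing SSE-C copies over existing keys is the pattern to page on, whether or not the policy blocked it.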

Intelligence-led defence for legal practices 

Security leaders in the legal sector face a distinct challenge: protecting high-value data in a threat landscape shaped by professionalised cybercrime. The insights in this report are designed to support strategic decision-making, helping you anticipate attacker behaviour, strengthen resilience, and safeguard client trust. Staying ahead means leading with intelligence, collaboration, and continuous visibility.

Read the full report to stay ahead of emerging threats: Relentless Threats: 2025 Mid-Year Global Cyber Risk Outlook.
