    Why Law Firms Were the #1 Target for Cyberattacks in 2025

    Team Sonomos

    If you're a lawyer, you already know the stakes of confidentiality. What you may not know is how aggressively cybercriminals are betting on your firm's inability to protect it.

    In just the first five months of 2024, 21 law firms filed data breach reports with state attorneys general — nearly matching the total of 28 from all of 2023. The trend hasn't slowed. According to Recorded Future's analysis, 2024 saw a record 45 ransomware attacks on law firms alone, compromising 1.5 million records. Legal firms remain the number one industry target for ransomware groups heading into 2025.

    The question isn't if your firm will be targeted. It's whether you'll catch it when it happens.

    The Numbers Don't Lie

    The financial damage is staggering. The average cost of a data breach for law firms reached $5.08 million in 2024, a 10-percent increase from the prior year. For small firms and solo practitioners, the average sits around $36,000 — which, for a boutique practice, can be an existential event.

    And it's not just about money. According to the American Bar Association's 2023 survey, only 34 percent of law firms have an incident response plan. Sixty-five percent of surveyed firms are unfamiliar with their legal obligations following a breach. Fewer than half perform online data backups.

    Meanwhile, under ABA Model Rule 1.6(c), lawyers are required to make reasonable efforts to prevent unauthorized access to client information. A breach doesn't just cost money — it can trigger malpractice claims and disciplinary proceedings.

    Why Law Firms Specifically?

    Law firms are uniquely attractive targets for three reasons:

    Concentrated sensitive data. A single mid-size firm may hold trade secrets, M&A intelligence, medical records, financial statements, and litigation strategy for dozens of clients simultaneously. When Berkeley Research Group was hit by ransomware in March 2025 during a $700 million leveraged buyout, the attack exposed deal intelligence across hundreds of concurrent transactions.

    Trusted-advisor exemption. Most third-party risk frameworks historically exempted law firms from the security scrutiny applied to other vendors. As Recorded Future noted, this creates a dangerous gap: firms hold the most sensitive data but face the least external pressure to secure it.

    Low security maturity. The ABA's own data shows that 80 percent of firms rely on spam filters as their primary cybersecurity tool. Only 40 percent carry cyber liability insurance — down from 46 percent in prior years. Most firms lack dedicated IT security staff.

    The Ransomware Groups Have Evolved

    This isn't the work of amateur hackers. RansomHub emerged in 2025 as the dominant ransomware threat after absorbing operators from disrupted groups like LockBit and ALPHV/BlackCat. They offer affiliates a 90/10 profit split (versus the old 70/30 standard), attracting the most capable attackers in the ecosystem. Qilin's Rust-based ransomware specifically targets legal entities with encryption-resistant payloads.

    These groups now maintain "dwell times" of weeks inside firm networks, systematically mapping high-value intelligence before triggering ransom demands. By the time you notice, they've already found the crown jewels.

    What Small and Mid-Size Firms Can Do Right Now

    Large firms can throw money at the problem. If you're running a leaner operation, focus on the fundamentals:

    Get an incident response plan in writing. Only 34 percent of firms have one. Yours should define roles, communication protocols, and forensic procedures before a breach happens.

    Implement real-time data monitoring. Know what sensitive data exists on your systems and when it moves. If a paralegal accidentally pastes a client's Social Security number into an AI chatbot, you need to catch that before it leaves your network.

    Encrypt everything. At rest. In transit. On every endpoint. Follow the NIST Cybersecurity Framework or CISA's small business guidelines as your baseline.

    Train your people. Phishing remains the most common attack vector. Regular, realistic simulations are worth more than any firewall.

    Where Sonomos Fits

    This is exactly the problem Sonomos was built to solve. Sonomos performs real-time, local-only sensitive data detection — flagging confidential information like SSNs, case numbers, and client names before they ever leave your device. No cloud. No third-party servers. No exposure window.

    For law firms operating under ABA Model Rule 1.6(c), Sonomos provides the kind of "reasonable effort" the rule demands — without requiring a six-figure security budget. Combined with Sonomos's Cloak feature, which masks sensitive data before transmission, Sonomos gives small and mid-size firms enterprise-grade data protection that runs entirely on-device.
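    A minimal sketch of the on-device detect-and-mask step that the monitoring recommendation and the Cloak description above both rely on. This is an added example, not Sonomos's code (its detectors are not shown in this post); the SSN rules are the structural ones (no 000/666/9xx area, 00 group, or 0000 serial), while the docket-number format, client list, and sample prompt are constructed for the example.

```python
import re

# Constructed detector set for this example (Sonomos's real detectors are not shown here).
# SSN structure: area 001-899 except 666, group 01-99, serial 0001-9999.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Hypothetical federal docket format, e.g. "2:24-cv-01234".
CASE_RE = re.compile(r"\b\d:\d{2}-(?:cv|cr)-\d{5}\b")
PATTERNS = {"ssn": SSN_RE, "case_number": CASE_RE}
# Constructed client list; a firm would load this from its matter-management system.
CLIENT_NAMES = {"Acme Holdings LLC"}

def detect(text):
    """Return (kind, value, start, end) for every sensitive value, ordered by position."""
    hits = []
    for kind, rx in PATTERNS.items():
        hits += [(kind, m.group(0), m.start(), m.end()) for m in rx.finditer(text)]
    for name in CLIENT_NAMES:
        rx = re.compile(re.escape(name), re.IGNORECASE)
        hits += [("client_name", m.group(0), m.start(), m.end()) for m in rx.finditer(text)]
    return sorted(hits, key=lambda h: h[2])

def cloak(text):
    """Replace each hit with a numbered placeholder; the mapping never leaves the device."""
    out, pos, mapping = [], 0, {}
    for i, (kind, value, start, end) in enumerate(detect(text), 1):
        token = f"[{kind.upper()}_{i}]"
        mapping[token] = value
        out += [text[pos:start], token]
        pos = end
    out.append(text[pos:])
    return "".join(out), mapping

def uncloak(text, mapping):
    """Restore placeholders in the model's reply using the local mapping."""
    for token, value in mapping.items():
        text = text.replace(token, value)
    return text

def screen_prompt(prompt):
    """On-device gate before a prompt goes to a remote model: mask, then count redactions by kind."""
    masked, mapping = cloak(prompt)
    counts = {}
    for token in mapping:
        kind = token.strip("[]").rsplit("_", 1)[0].lower()
        counts[kind] = counts.get(kind, 0) + 1
    return {"prompt": masked, "mapping": mapping, "redactions": counts}

# Constructed sample of the kind of prompt a paralegal might paste into a chatbot.
SAMPLE_PROMPT = "Summarize: client Acme Holdings LLC, SSN 123-45-6789, docket 2:24-cv-01234. Phone 555-1234."
```

Only the masked prompt would be sent; the reply is passed through uncloak locally, so the raw identifiers never transit the network.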

    Your clients trust you with their secrets. Sonomos helps you keep that trust.

    Learn more about how Sonomos protects legal professionals →


    Last updated: February 2026
