Law firms have long been the target of ransomware. As indicated in the release of BakerHostetler’s Annual Data Security Incident Response (DSIR) on March 26, 2026, attacks show no signs of letting up. Last year, law firms found themselves increasingly targeted by hackers hoping to extract a ransom payment.
The 2026 DSIR from BakerHostetler, a law firm with a Digital Assets and Data Management (DADM) Practice Group focused on cybersecurity, forensic investigations, and incident response plans, offers key findings indicating that cyber threats from ransomware groups will continue to rise. This includes the ever-growing concern about the use of artificial intelligence (AI) as a tool. The data in the DSIR may serve as a clarion call for law firms to improve their network intrusion defenses, as the crosshairs they find themselves in aren’t likely to vanish anytime soon.
Please Don’t Make Your IT Department Hate You
The 2026 DSIR, the 12th annual report from BakerHostetler, draws on data gathered on Advanced Persistent Threats (APTs) from 2025. The firm was involved in more than 1,250 incidents over the past year. While the healthcare field suffered the most ransomware attacks, law firms reported almost a doubling of incidents over the previous year.
The data provides a better understanding of how ransomware attacks work, what happens during the process, and the options available to the afflicted. Let’s take a look at some of the more interesting facets.
Sophisticated Phishing
For a ransomware attack to have a chance at success, it needs to gain access to a company’s network. While the root cause of the intrusion wasn’t determined in a little over a third of the incidents, nearly as many began with phishing. This usually involves tricking an employee into clicking a deceptive link in a legitimate-looking email. Not surprisingly, 25% of breaches involved a third-party vendor, and 21% involved vulnerabilities exploited where endpoint detection and response (EDR) defenses lacked updates or were otherwise insufficient.
Nice Data Management System You Got Here, Be a Real Shame if Something Were To Happen to It
Once perpetrators circumvent a company’s data protection, they have a few options. Data exfiltration is a common ploy, with a copy created off-site that can be used for blackmail. This usually involves payment demanded to keep the information from being shared. In some cases involving colleges, the data was released in an effort to embarrass the institutions.
Another prevalent tactic involves encrypting the data, making it inaccessible to the victim unless they pay a ransom to obtain a decryptor. Having access to a company’s email gives criminals another trusted outlet to expand their phishing operation. Other methods of securing funds from the company include installing malware or transferring funds to accounts held by the hackers. According to the DSIR, ransomware attacks stole more than $15 million through wire fraud in 2025, with about 27% being recovered.
The Cost of Everything Is Going Up, Including Crime
If you think the cost of chicken has skyrocketed over the past twelve months, wait until you hear about ransomware demands. The average initial demand rose to $4.2 million, up a staggering 70% from the year before. The amount eventually paid by victims rose at about half that rate (34%), averaging just under $683,000. Negotiation times depended largely on the amounts involved, but most cases reached an agreement within a 20- to 60-day timeframe.
The cost of triage after a ransomware attack also increased. Victims could expect to pay about 10% more than in 2024 for the investigation and measures taken in the aftermath.
Why Couldn’t It Have Hallucinated Instead?
You’ll likely be less than shocked to hear that bad actors are using artificial intelligence as part of their ransomware attacks. According to the DSIR, usage is increasing as hackers can increase the speed and scale of their assaults with AI tools.
In addition, access has been gained through so-called “Shadow AI.” Employees who use unauthorized generative AI tools to increase productivity may inadvertently disclose information that gives criminals access to their company’s network or private information.
Chatty Spider Is Not Your Friend. Neither Is Luna Moth.
Law firm databases often contain a large amount of private information about their clients. This makes them a desirable target for ransomware operations, underscoring the need for robust defenses and effective information governance. Headaches for a compromised law firm can include sending notifications for a data breach, possible breach of contractual provisions, and potential ethics violations. This is further compounded by the confidential nature of deals under negotiation, pending lawsuits, and more.
A particular ransomware group, known as Chatty Spider, Luna Moth, or Silent Ransomware, combined old-school tactics with new technology. A member would call an attorney directly and, after claiming to be part of the firm’s IT department, request access to the attorney's computer. Once in, they’d exfiltrate as many files as possible. Soon after, the demands would be issued. Law firms and other professional services saw ransom demands range from $500,000 to $21 million, with the average just under $2 million. Payouts centered at about $450,000, the highest being $1.9 million.
Not Going Away Anytime Soon
In the “better late than never” department, more states are adopting comprehensive online privacy laws. As of January 1, 2026, 19 states have some manner of data protection and privacy laws in place. Law enforcement continues to develop new methods of chasing bad actors in cyberspace, but for now, the ransomware criminals have a pretty large head start. It pays to be cautious.