Your clients trust your firm with their most sensitive information. What happens when cybercriminals target that trust?
That is no longer a hypothetical question.
A new threat intelligence report from Halcyon reveals that the INC Ransom group has launched a rapid and highly targeted campaign against law firms, using credential theft, remote access tools, and built-in administrative utilities to quietly move through legal environments before launching ransomware. According to the original threat alert from Halcyon Research, the attackers are specifically leveraging legitimate Windows tools for lateral movement and data theft before encryption begins.
For managing partners, executive committees, firm administrators, and legal operations leaders, this raises an uncomfortable question:
If a ransomware group deliberately targeted your firm tomorrow, would your current security stack stop them before client data, privileged communications, or active matters were compromised?
According to the threat researchers at Halcyon, the INC Ransom group is actively targeting law firms using a combination of:
• Credential abuse
• Remote access utilities
• Living-off-the-land techniques
• Native Windows administrative tools
• Lateral movement across endpoints
• Data exfiltration before encryption
This matters because these attacks do not always look like malware.
To your security tools, much of the activity can appear to be legitimate administrative behavior. By the time encryption starts, the attackers may already have copied confidential client files, litigation documents, financial records, M&A materials, intellectual property, and privileged attorney communications.
For a law firm, that is not just a cyber incident.
That is a business continuity event.
That is an ethics event.
That is a client trust event.
Few organizations hold more concentrated, high-value information than law firms.
Consider what exists inside your environment:
• Confidential client communications
• Litigation strategy documents
• M&A due diligence files
• Patent applications
• Settlement negotiations
• Regulatory filings
• Financial records
• HR and compensation data
• eDiscovery repositories
• Remote attorney access systems
To an attacker, a law firm is not just a business.
It is a vault of highly monetizable intelligence.
Law firms are also uniquely vulnerable because attackers know many firms operate with:
• Distributed attorneys
• Remote access from multiple devices
• Third-party litigation vendors
• Cloud document repositories
• Time and billing platforms
• Legacy practice management systems
Every connection becomes another possible entry point.
This is where cyber risk becomes legal risk.
If attackers access your environment before ransomware encryption begins, they may already have:
• Copied privileged communications
• Downloaded active litigation documents
• Accessed confidential settlement negotiations
• Extracted intellectual property files
• Obtained merger documentation
• Captured financial records
At that point, the issue is no longer just operational downtime.
Now you may be dealing with:
• Attorney-client privilege exposure
• Potential malpractice claims
• Client notification obligations
• Regulatory disclosure requirements
• Ethics compliance reviews
• Reputational damage
Guidance from the American Bar Association continues to emphasize that attorneys have a duty to take reasonable steps to safeguard client information in digital environments.
Cybersecurity is no longer just an IT issue.
It is part of modern legal ethics.
The financial impact of ransomware is already severe across every industry.
According to the 2025 report from IBM, the global average cost of a data breach is $4.44 million, while the average U.S. breach cost has climbed to $10.22 million.
According to the 2025 report from Verizon Communications, credential abuse accounts for 22 percent of breach entry points, while vulnerability exploitation accounts for 20 percent of breaches. Third-party involvement has doubled to 30 percent.
For law firms, the true cost often goes beyond these numbers:
• Lost billable hours
• Delayed filings
• Interrupted litigation timelines
• Inaccessible document management systems
• Disabled billing platforms
• Attorney productivity loss
• Client confidence erosion
• Potential client attrition
When attorneys cannot access case files, the revenue clock does not stop.
Yes.
That is exactly what makes campaigns like this so dangerous.
Traditional endpoint detection and response tools are designed to:
• Detect suspicious behavior
• Alert security teams
• Respond after malicious activity begins
But attackers increasingly bypass detection by:
• Using stolen credentials
• Running legitimate administrative tools
• Disabling security services
• Moving laterally through trusted applications
• Blending into normal system activity
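The following is an added example, not code from Halcyon's alert or from AppGuard, showing the kind of logic a defender can run over logon records to surface the pattern these bullets describe: each logon with a stolen credential looks routine on its own, but one account reaching many endpoints within minutes does not. The log lines, host names and account names are constructed, and the record layout (Event ID 4624 with a logon-type field) is assumed to be exported in the shape shown.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Windows Security logon records (invented for this
# example, not taken from the Halcyon report). Fields per line:
#   timestamp event_id account host logon_type
# Event ID 4624 is a successful logon; type 3 is a network logon, type 10 RDP.
SAMPLE_LOGONS = """\
2025-06-01T09:00:12 4624 jsmith WS-PARALEGAL-07 2
2025-06-01T09:14:03 4624 svc_backup FS-DOCS-01 3
2025-06-01T13:02:41 4624 jsmith DMS-SERVER-01 3
2025-06-01T13:03:09 4624 jsmith FS-DOCS-01 3
2025-06-01T13:03:55 4624 jsmith BILLING-APP-02 3
2025-06-01T13:04:30 4624 jsmith EDISC-01 10
2025-06-01T13:05:02 4624 jsmith HR-FILES 3
2025-06-01T16:45:00 4624 svc_backup FS-DOCS-02 3
"""

REMOTE_LOGON_TYPES = {"3", "10"}  # logons that land on another endpoint


def parse_logons(text):
    """Return (timestamp, account, host) for successful remote logons only."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, account, host, logon_type = line.split()
        if event_id == "4624" and logon_type in REMOTE_LOGON_TYPES:
            records.append((datetime.fromisoformat(ts), account, host))
    return records


def find_fan_out(records, window=timedelta(minutes=10), min_hosts=4):
    """Flag accounts reaching at least min_hosts distinct hosts within window.

    Each logon alone looks like routine admin activity; the fan-out across
    endpoints in a few minutes is the signal. Returns {account: [hosts]}.
    """
    by_account = defaultdict(list)
    for ts, account, host in sorted(records):
        by_account[account].append((ts, host))
    flagged = {}
    for account, events in by_account.items():
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1  # slide the window forward
            hosts = sorted({h for _, h in events[start:end + 1]})
            if len(hosts) >= min_hosts and len(hosts) > len(flagged.get(account, [])):
                flagged[account] = hosts
    return flagged
```

On the constructed sample only `jsmith` is flagged (five servers in under three minutes), while the backup service account touching two file servers hours apart is not.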
By the time alerts are investigated, the attackers may already have accessed privileged legal data.
Detection is important.
But detection alone may come too late.
Modern ransomware groups are no longer relying solely on malware.
They are relying on trust.
Trust in credentials.
Trust in administrative tools.
Trust in approved applications.
Trust in remote access.
This is why “Detect and Respond” is becoming increasingly difficult.
Attackers exploit:
• EDR bypass techniques
• Credential abuse
• Living-off-the-land attacks
• Delayed detection windows
• Security tool tampering
• Rapid encryption workflows
In many cases, the first visible sign of compromise is the ransom note.
By then, the damage is already underway.
Leading security teams are shifting toward Isolation and Containment.
Instead of waiting for malicious behavior to be detected, this model focuses on:
• Preventing unauthorized applications from executing
• Restricting process privilege escalation
• Limiting attacker movement between endpoints
• Protecting privileged legal data at the endpoint
• Reducing blast radius
• Preventing encryption before it starts
This is where solutions like AppGuard come into the conversation.
AppGuard is a proven endpoint protection solution with a 10-year track record focused on prevention through Isolation and Containment.
Rather than assuming detection will always be fast enough, prevention-first architectures assume attackers will eventually get in and focus on stopping execution before damage occurs.
For law firms protecting privileged communications, that mindset matters.
Managing partners and firm leadership should assume that detection alone may fail.
Practical next steps include:
• Assume credential compromise is inevitable
• Add prevention layers at every endpoint
• Reduce endpoint execution freedom
• Review attorney and staff endpoint privileges
• Audit third-party vendor access
• Segment document management systems
• Protect remote attorneys and hybrid workers
• Test ransomware failure scenarios during active matters
• Validate backup integrity regularly
• Review cyber liability coverage
• Update incident response plans for privilege-related events
• Verify access controls across eDiscovery and billing platforms
The goal is not simply to recover faster.
The goal is to prevent operational disruption from happening in the first place.
Managing partners, firm administrators, and legal leaders who want to better understand how prevention-first security can stop attacks before client data, privileged communications, or firm operations are compromised should talk with CHIPS about how AppGuard can help prevent incidents like this through Isolation and Containment.