
The 2026 law firm ransomware wave: why legal became a top target

By Jamie Kloncz, Founder, RankShield · Updated July 13, 2026 · Informational, not legal advice.

Halcyon tracked more than 200 ransomware incidents against the Law Firms and Legal Services sector across 2025 and early 2026, and one group, INC Ransom, claimed 10 firms in a single 48-hour window [1]. The threat now includes in-person intrusion, with operators physically entering U.S. law firm offices to steal data directly [2]. Because privilege and trade secrets never expire, stolen legal files hold extortion leverage indefinitely [3].

The 2026 law firm ransomware wave is no longer a collection of isolated incidents; it is a sustained, sector-wide campaign. In an alert published on March 11, 2026, ransomware intelligence firm Halcyon documented the scale of the pressure on legal services [1]. This article walks through the numbers, the groups behind them, a physical intrusion tactic that upends standard security assumptions, the economics that make privileged files uniquely valuable, and what a defensible evidence trail requires once a breach has already happened.

How many law firms have been hit by ransomware in 2025 and 2026?

The most concrete public count comes from Halcyon, whose March 11, 2026 alert tracked more than 200 ransomware incidents against the Law Firms and Legal Services sector across 2025 and early 2026 [1]. That figure covers tracked incidents only, so it represents a floor rather than a ceiling; victims who pay quietly or never appear on leak sites are not captured. Even as a floor, 200-plus incidents in a little over a year marks legal services as one of the most heavily pressured professional sectors, and the trend line runs through early 2026 rather than tapering off.

The tempo is as telling as the total. INC Ransom claimed 10 law firms in a single 48-hour window and roughly 20 firms in 2026 year-to-date [1]. Notably, Halcyon found no confirmed supply-chain vector behind the surge [1]. That absence matters: these firms were not swept up through one compromised vendor or a shared software flaw. Each intrusion appears to have been gained individually, which points to a repeatable playbook aimed at the sector itself. When attackers invest in firm-by-firm targeting at that pace, the campaign is deliberate, not opportunistic.

Which groups are targeting legal, and why now

Two names dominate the current wave. INC Ransom is running what Halcyon describes as a rapid campaign against law firms, with the 48-hour, 10-firm burst as its signature statistic [1]. The Silent Ransom Group, meanwhile, has distinguished itself with a data-theft focus that extends beyond the network entirely, including physical entry into offices [2]. Both operate as extortion businesses first: the objective is leverage over the victim, and tactics are chosen for whatever most reliably produces files a firm cannot afford to see published.

Why legal, and why now? A law firm concentrates the crown-jewel information of every client it serves: deal terms, litigation strategy, trade secrets, and personal records, all in one environment. Compromising a single firm can yield leverage over dozens or hundreds of organizations at once, without attacking any of them directly. Add the profession’s duty of confidentiality, which raises the reputational cost of a leak far above that of a typical corporate breach, and the sector offers extortionists an unusually favorable ratio of pressure generated per intrusion. The 2025 and 2026 numbers suggest attackers have internalized that math.

The in-person intrusion tactic that changes the threat model

The Silent Ransom Group has used in-person physical intrusion against U.S. law firms, with operators entering offices to steal data directly, according to Halcyon and corroborating reporting from Dark Reading [2][3]. This is not social engineering over the phone; it is a person walking into a workplace. For a threat category most firms file under IT, the reappearance of physical tradecraft is a significant shift, and it deliberately routes around the detection tooling that firms have spent the past decade deploying at the network and endpoint layers.

Physical intrusion invalidates the quiet assumption behind most security programs: that the attacker is remote. Email filtering, endpoint detection, and VPN hardening do nothing about someone standing at an unattended workstation. Countering it pulls facilities and operations into the ransomware conversation, because the controls that matter now include things no security appliance touches:

Why extortion economics make privileged files the highest-value loot

Most stolen data depreciates. Payment cards get reissued, passwords get rotated, and personal records lose freshness. Legal data is the exception, because confidentiality is permanent: privilege and trade secrets never expire, so a stolen file retains its leverage for as long as the underlying matter is sensitive [3]. A settlement strategy, a patent draft, or an estate file can damage a client decades after the breach itself. That permanence is what makes privileged files the highest-value loot in the extortion economy; the threat of disclosure never ages out, and the attacker knows it.

The same permanence creates a quantum-era problem known as harvest now, decrypt later. Encrypted data stolen today can be stored cheaply and decrypted in a future era when quantum computers can break the public-key cryptography that protected it. For most industries that risk is bounded, because the data will be stale before decryption becomes feasible. For legal files that must stay confidential indefinitely, it is not bounded at all. Long-lived client files, IP portfolios, and matter archives are exactly the category where post-quantum protection stops being theoretical and becomes a straightforward duty-of-care question.

What a tamper-evident evidence trail adds after a breach

After a ransomware incident, a firm faces a second crisis that gets less attention than the encryption: every internal record is now suspect. An intruder who obtained administrator access could have edited or deleted logs, so the systems that would normally answer what happened and what was touched can no longer vouch for themselves. Clients, regulators, and insurers will each ask for proof, not assertions. A firm that can only answer with records the attacker could have altered is negotiating its credibility at exactly the moment credibility is worth the most.

This is where a tamper-evident evidence trail earns its place: records that are hash-chained, signed with post-quantum cryptography, and sealed to an external transparency log stay verifiable even after the environment they came from is compromised. RankShield Legal provides that record layer. It does not prevent ransomware, and it does not replace endpoint defense or incident response. What it adds is the ability to demonstrate, with independently checkable evidence:
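To make the hash-chained part of that record layer concrete, here is an added example (my own illustration, not RankShield's code): an append-only log in which every entry commits to the hash of the entry before it, plus a verifier that reports where a chain breaks. The post-quantum signature and the external transparency log are assumed to exist separately; `sealed_head` stands in for the final hash a firm would have published externally before the incident.

```python
import hashlib
import json

GENESIS = "0" * 64  # previous-hash value for the first entry


def _entry_hash(prev_hash, record):
    # Canonical JSON so an identical record always hashes identically.
    payload = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode()).hexdigest()


def append(chain, record):
    """Append a record; the new entry commits to the previous entry's hash."""
    prev = chain[-1]["hash"] if chain else GENESIS
    chain.append({"record": record, "prev": prev, "hash": _entry_hash(prev, record)})
    return chain[-1]["hash"]


def verify(chain, sealed_head):
    """Return (ok, index). Any edit, deletion or reordering breaks the chain
    at the first affected entry; a chain that is internally consistent but
    whose head differs from the externally sealed one has been truncated or
    rewritten wholesale, which only the sealed head can expose."""
    prev = GENESIS
    for i, e in enumerate(chain):
        if e["prev"] != prev or e["hash"] != _entry_hash(prev, e["record"]):
            return False, i
        prev = e["hash"]
    if prev != sealed_head:
        return False, len(chain)
    return True, None


def build_sample():
    """Constructed sample events (assumed paths and hosts, not real firm data)."""
    chain = []
    for rec in [
        {"ts": "2026-03-10T09:00:00Z", "event": "login", "user": "admin", "host": "dms-01"},
        {"ts": "2026-03-10T09:05:12Z", "event": "file_read", "path": "/matters/m-1001/settlement.docx"},
        {"ts": "2026-03-10T09:07:40Z", "event": "bulk_export", "count": 4200},
    ]:
        head = append(chain, rec)
    return chain, head


def demo():
    chain, head = build_sample()
    intact = verify(chain, head)
    # An intruder with admin access edits the file_read entry: detected at index 1.
    chain[1]["record"]["path"] = "/matters/m-1001/unrelated.txt"
    edited = verify(chain, head)
    # The intruder instead drops the bulk_export entry: the remaining chain is
    # internally valid, so only the sealed head reveals the missing tail.
    chain, head = build_sample()
    chain.pop()
    truncated = verify(chain, head)
    return intact, edited, truncated
```

The truncation case is the one worth remembering: without a head sealed outside the compromised environment, an attacker can silently remove the most recent entries and the chain alone will not object.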

Frequently asked questions

How many law firms have been hit by ransomware in 2025 and 2026?

Halcyon, a ransomware intelligence firm, tracked more than 200 ransomware incidents against the Law Firms and Legal Services sector across 2025 and early 2026 in an alert published March 11, 2026 [1]. One group, INC Ransom, claimed 10 firms in a single 48-hour window and roughly 20 firms in 2026 year-to-date. Because the count covers tracked incidents only, the true number is likely higher.

What is the in-person intrusion tactic being used against law firms?

The Silent Ransom Group has physically entered U.S. law firm offices to steal data directly, according to Halcyon and corroborating reporting from Dark Reading [2][3]. Instead of relying only on phishing or remote exploits, operators walk into the workplace itself. That bypasses email filtering and endpoint tooling entirely, which means visitor management, screen locks, and physical access records are now part of a firm’s ransomware defense alongside its technical controls.

Does RankShield prevent ransomware attacks on law firms?

No. RankShield Legal is not an anti-ransomware endpoint product or an incident-response service. Its role is evidence integrity: it seals records to tamper-evident, hash-chained, post-quantum-signed logs so a firm can prove what its systems did and which data survived intact, even if an intruder gained administrator access. Firms still need endpoint defense, backups, and professional incident response; RankShield makes the record of events trustworthy after the fact.

RankShield Legal is a verifiable AI and quantum security platform for law firms: it seals records to tamper-evident, post-quantum-signed logs that stay trustworthy even after a compromise. This article is general information, not legal or security-incident advice; consult qualified counsel and incident-response professionals.

References

[1] Halcyon. INC Ransom group mounts rapid campaign against law firms. https://www.halcyon.ai/ransomware-alerts/inc-ransom-group-mounts-rapid-campaign-against-law-firms

[2] Halcyon. An old tactic returns: Silent Ransom Group’s active use of physical intrusion against U.S. law firms. https://www.halcyon.ai/ransomware-alerts/an-old-tactic-returns-silent-ransom-groups-active-use-of-physical-intrusion-against-u-s-law-firms

[3] Dark Reading. Ransomware actors steal law firm data. https://www.darkreading.com/cyberattacks-data-breaches/ransomware-actors-steal-law-firm-data

Verify your filings before you sign them.

RankShield Legal certifies that cited authorities exist, are quoted accurately, and are good law before you file, and proves privileged material never reached a third-party AI model. Request early access to the legal pillar of the RankShield Network.
