Keypoints
- Legal firms are primary targets: 20% of US law firms were targeted in the past year, with 56% of breached firms losing sensitive client information and an average breach cost of $5.08 million.
- RansomHub has emerged as a dominant ransomware actor in 2025 by offering affiliates a 90/10 split, drawing talent from groups like LockBit and ALPHV/BlackCat.
- Qilin, a Rust-based ransomware, targets legal entities with encryption-resistant payloads that make recovery extremely difficult.
- Attackers achieve prolonged dwell times inside firm networks (from under 24 hours to over 5 days), systematically locating crown-jewel intelligence before extortion or exfiltration.
- Court rulings on attorney-client privilege (e.g., Capital One, Samsung, Covington & Burling) have eroded the protections that once covered breach investigations, increasing legal and regulatory exposure for breached firms and their clients.
- Enterprises should eliminate exemptions for professional services, require SOC 2/independent audits, map concentration risk, enforce time-bound access and retention rules, deploy honeytokens and specialized IR playbooks, and monitor vendors for C2 and leak-site indicators.
MITRE Techniques
- [T1071] Application Layer Protocol – C2 communication observed: ‘malware communicating with malicious command-and-control (C2) servers.’
- [T1486] Data Encrypted for Impact – Ransomware encrypting victim data to extort payment: ‘Qilin’s Rust-based ransomware has specifically targeted legal entities with encryption-resistant payloads, making recovery nearly impossible.’
- [T1041] Exfiltration Over C2 Channel – Data theft and potential exfiltration used to build leverage for extortion: ‘a malicious implant does not equate to a full breach and exfiltration of client-sensitive data; however, it is a valuable signal…’
- [T1550] Use of Valid Accounts – Attackers leveraging harvested credentials or API tokens for access and lateral movement: ‘the use of API tokens, credential harvesting, and VPN pivoting.’
- [T1021] Remote Services – Remote access/pivoting through VPNs or remote services to move within victim networks: ‘VPN pivoting.’
Indicators of Compromise
- [Malware/Threat Names] Ransomware families and groups reported targeting legal firms – Qilin, RansomHub.
- [Victim Organizations] Examples of affected firms cited as context for impacted data and intelligence exposure – Berkeley Research Group, Williams & Connolly.
- [Extortion/Leak Sites (domains)] Ransomware extortion/leak site activity tracked as part of monitoring – referenced “ransomware extortion sites” (no specific domains published in the article).
- [C2 Servers (IPs/Domains)] Malicious command-and-control infrastructure observed communicating with implants – referenced “malicious command-and-control (C2) servers” (no IP addresses provided).
- [Artifact/String/File name] Embedded indicator or artifact shown in the reporting/infographic – “rxkipoqeu6” (appears in the article/infographic as a sample indicator).
Read more: https://www.recordedfuture.com/blog/the-hidden-cascade