
A Florida law firm with over 40 years of operation now faces a seven-day countdown. The Rhysida ransomware group has encrypted its systems and stolen sensitive client data, demanding 11 Bitcoin (approximately $1 million USD). The attackers posted the stolen information on dark web markets, including medical records, court documents, and confidential legal files from Falk, Waas, Hernandez, Cortina, Solomon & Bonner.
This attack isn't isolated. Rhysida struck another law firm just weeks earlier, and legal services experienced 79 ransomware attacks in Q3 2025 alone, the highest rate since 2020. Law firms hold uniquely valuable data: merger documents, tax returns, litigation strategies, and privileged communications. This makes them premium targets for ransomware groups using double extortion tactics.
This post examines Rhysida's attack methods, why legal firms face escalating threats, and practical defenses your organization can implement today.
Understanding the Rhysida Threat Actor
Rhysida emerged in May 2023 as a Ransomware-as-a-Service operation. The group combines aggressive encryption with data theft, forcing victims to pay both for file recovery and to prevent data publication. Their technical sophistication and targeting strategy make them particularly dangerous to professional services firms.
Attack Statistics and Patterns
Rhysida has conducted 91 confirmed attacks since operations began, compromising 5.5 million records. Their average ransom demand sits at $1.1 million, though they've demanded as much as $5.8 million from the Port of Seattle. Eight confirmed attacks occurred in 2025, with 45 additional unconfirmed claims through September.
The group primarily targets organizations in the United States, United Kingdom, Italy, and Spain. Notable victims include the British Library, Chilean Army, Maryland Transit Administration, and multiple law firms in recent months.
Technical Capabilities
Rhysida uses 4096-bit RSA encryption combined with the ChaCha20 stream cipher. This dual-layer approach makes unauthorized decryption effectively impossible without the attackers' keys. Encrypted files receive the .rhysida extension, and victims find ransom notes in affected directories.
Table: Rhysida Attack Methodology
| Phase | Technique | Impact |
|---|---|---|
| Initial Access | Compromised VPN without MFA | Credential theft enables network entry |
| Privilege Escalation | Zerologon vulnerability (CVE-2020-1472) | Domain controller compromise |
| Lateral Movement | Cobalt Strike, PsExec | Spreads across network segments |
| Data Exfiltration | Bulk transfer before encryption | Enables double extortion |
| Encryption | RSA 4096 + ChaCha20 | Files become inaccessible |
Why Law Firms Face Elevated Risk
Legal practices present three characteristics that attract ransomware operators: valuable data, time-sensitive operations, and historically weak security postures. Understanding these factors helps explain the surge in attacks against legal services.
The Value Proposition for Attackers
Law firm data commands premium prices on criminal markets. Client files contain corporate secrets, financial records, medical information, and litigation strategies. A single breach can expose hundreds of clients simultaneously, multiplying the extortion opportunities.
Consider the ransom economics. The average demand against law firms reaches $2.47 million, with average payments of $1.65 million. These figures exceed most other sectors. The highest recorded demand hit $21 million against Grubman Shire Meiselas & Sacks in 2020.
Time Pressure Amplifies Leverage
Court deadlines, statutes of limitations, and active negotiations create urgency that cybercriminals exploit. A ransomware attack during active litigation can force rapid payment decisions. Firms face ethical obligations under ABA Rule 1.6 to protect client confidentiality, adding regulatory pressure to recover quickly.
Security Investment Gaps
Many law firms operate with limited IT budgets and minimal security staff. Partners often resist security measures that slow workflows. Remote access capabilities expanded rapidly during 2020 without corresponding security hardening. These factors create exploitable weaknesses.
Table: Law Firm Breach Statistics 2024-2025
| Metric | 2024 | 2025 (Q1-Q3) |
|---|---|---|
| Total Attacks | 45 | 79 |
| Records Compromised | 1.5 million | 2.1 million (projected) |
| Weekly Attack Rate | 925 | 1,055 |
| Firms Experiencing Incidents | 18% | 20% |
Common Entry Points and Attack Vectors
Rhysida and similar groups exploit predictable weaknesses in professional services networks. Identifying these entry points enables targeted defense investments.
Credential Compromise
Phishing campaigns remain the leading initial access method. Attackers send convincing emails impersonating clients, courts, or service providers. These messages contain malicious links or attachments that harvest credentials or deploy malware.
VPN access without multi-factor authentication provides another common entry. Stolen or weak passwords grant attackers authenticated network access. Some groups purchase credentials from initial access brokers on criminal forums.
Social Engineering Tactics
Rhysida has posed as cybersecurity teams offering threat assessments. They contact firms claiming to have identified vulnerabilities, then use the conversation to deploy malware. Other campaigns impersonate software vendors, court systems, or prospective clients.
Technical Vulnerabilities
Known vulnerabilities in VPN appliances, remote desktop services, and network equipment provide entry when patches lag. The Zerologon vulnerability (CVE-2020-1472) remains exploitable in unpatched environments despite Microsoft releasing fixes in 2020.
SEO poisoning and typosquatted domains trick users into downloading malware. Attackers create fake legal research sites, document template repositories, or case law databases that deliver malicious payloads.
Defense Strategies for Legal Practices
Effective ransomware defense requires multiple layers. No single control prevents all attacks, but combining technical, procedural, and human elements significantly reduces risk.
Access Control Hardening
Implement multi-factor authentication on all remote access points. This single measure blocks the majority of credential-based attacks. Use phishing-resistant MFA methods like hardware tokens or passkeys rather than SMS codes.
Segment networks to contain breaches. Legal matter files, financial systems, and administrative networks should operate on separate segments with controlled access between them. This limits lateral movement during attacks.
Apply the principle of least privilege. Staff should access only the systems and data necessary for their roles. Review permissions quarterly and remove unnecessary access promptly.
Email Security Measures
Deploy DMARC, DKIM, and SPF email authentication. These standards prevent email spoofing and reduce phishing success rates. Configure DMARC with a "reject" policy after testing.
Implement advanced email filtering that analyzes links, attachments, and sender behavior. Train the system on common legal communication patterns to reduce false positives while catching threats.
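As an added example (not code from the original post), the following Python script checks a domain's published SPF and DMARC records for the weak settings that leave spoofing possible: a non-enforcing DMARC policy, a partial `pct`, no aggregate reporting, a lax subdomain policy, a permissive SPF `all` qualifier, and too many SPF lookups. The domain names and TXT records are constructed; a real deployment would fetch the records with DNS TXT queries for `<domain>` and `_dmarc.<domain>`. DKIM key checks are out of scope here.

```python
"""Check SPF and DMARC records for settings that let spoofed mail through.
Records below are constructed samples; in practice fetch them via DNS TXT
lookups for <domain> and _dmarc.<domain>."""

# Constructed sample TXT records (not any real domain's published records).
SAMPLE_RECORDS = {
    "weak.example": "v=spf1 include:_spf.mail.example ?all",
    "_dmarc.weak.example": "v=DMARC1; p=none; rua=mailto:dmarc@weak.example",
    "hardened.example": "v=spf1 include:_spf.mail.example -all",
    "_dmarc.hardened.example": (
        "v=DMARC1; p=reject; sp=reject; pct=100; adkim=s; aspf=s; "
        "rua=mailto:dmarc@hardened.example"
    ),
}

# SPF terms that cost a DNS query (RFC 7208 allows at most 10 per evaluation).
SPF_LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def parse_dmarc(record):
    """Turn 'v=DMARC1; p=reject; ...' into a {tag: value} dict with lower-cased tags."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record):
    """Return a list of findings; an empty list means the policy is enforcing."""
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["not a DMARC record"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("p=none: monitoring only, spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine: spoofed mail goes to spam instead of being rejected")
    elif policy != "reject":
        findings.append(f"missing or invalid p tag: {policy!r}")
    if int(tags.get("pct", "100")) < 100:
        findings.append(f"pct={tags['pct']}: policy applied to only part of the mail stream")
    if "rua" not in tags:
        findings.append("no rua tag: aggregate reports are not collected, so abuse goes unseen")
    if tags.get("sp", policy).lower() != "reject":  # sp inherits p when absent
        findings.append("subdomain policy is not reject: attackers can spoof sub.domain")
    return findings


def assess_spf(record):
    """Return a list of findings for an SPF record; empty means strict."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record"]
    findings = []
    all_term = next((t for t in terms[1:] if t.lower().lstrip("+-~?") == "all"), None)
    if all_term is None:
        findings.append("no 'all' mechanism: unlisted senders get a neutral result")
    else:
        qualifier = all_term[0] if all_term[0] in "+-~?" else "+"
        if qualifier == "+":
            findings.append("+all: any host may send as this domain")
        elif qualifier == "?":
            findings.append("?all: neutral result, unlisted senders are not penalised")
        elif qualifier == "~":
            findings.append("~all: softfail only; acceptable only alongside DMARC p=reject")
    lookups = 0
    for term in terms[1:]:
        name = term.lstrip("+-~?").split(":")[0].split("=")[0].split("/")[0].lower()
        if name in SPF_LOOKUP_TERMS:
            lookups += 1
    if lookups > 10:
        findings.append(f"{lookups} DNS lookups: over the limit of 10, receivers return permerror")
    return findings


def assess_domain(domain, records=SAMPLE_RECORDS):
    """Assess both records for a domain; returns {'spf': [...], 'dmarc': [...]}."""
    return {
        "spf": assess_spf(records.get(domain, "")),
        "dmarc": assess_dmarc(records.get(f"_dmarc.{domain}", "")),
    }


if __name__ == "__main__":
    for domain in ("weak.example", "hardened.example"):
        result = assess_domain(domain)
        print(domain, "OK" if not any(result.values()) else result)
```

Run the script and the `weak.example` records produce findings for `?all`, `p=none` and the inherited subdomain policy, while `hardened.example` passes clean. The `sp` check matters because a missing `sp` tag inherits `p`, so a domain at `p=none` leaves every subdomain spoofable as well.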
Table: Essential Security Controls Priority Matrix
| Control | Implementation Difficulty | Impact on Attacks | Priority |
|---|---|---|---|
| MFA on all remote access | Low | Blocks 80%+ of credential attacks | Critical |
| Email authentication (DMARC) | Medium | Reduces phishing by 60-70% | High |
| Network segmentation | High | Limits breach spread by 90%+ | High |
| Endpoint detection and response | Medium | Detects 70-80% of threats | High |
| Regular backup testing | Low | Enables recovery without ransom | Critical |
| Security awareness training | Low | Reduces user errors by 40-50% | Medium |
Backup and Recovery Preparation
Maintain offline backups that ransomware cannot encrypt. Test restoration procedures monthly. Document recovery time objectives and prioritize critical systems.
Store backups in immutable storage or air-gapped systems. Cloud backups should use versioning with retention policies that preserve pre-infection copies. Verify backup integrity through regular restoration exercises.
Monitoring and Detection
Deploy endpoint detection and response tools that identify ransomware behaviors. Look for unusual file encryption patterns, mass file modifications, and suspicious process execution.
Monitor for data exfiltration attempts. Large transfers to external destinations, especially during off-hours, warrant immediate investigation. Set alerts for access to sensitive document repositories.
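To show what the file-encryption and exfiltration patterns described above look like as detection logic, here is an added Python example (not code from the original post) that runs two rules over constructed file-activity and connection logs: one flags a host that renames or writes many files within a minute or produces the `.rhysida` extension named earlier in the post, the other flags bulk transfers to external addresses, with extra weight during off-hours. The pipe-delimited log format, the host names and IP addresses, and the thresholds (50 writes per minute, 500 MiB, 22:00-06:00 UTC as off-hours) are assumptions for illustration.

```python
"""Two ransomware-behaviour detections over constructed telemetry.
Log formats, thresholds and all host/IP values are assumptions for illustration."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network

MASS_MOD_THRESHOLD = 50                    # writes/renames by one host within WINDOW_SECONDS
WINDOW_SECONDS = 60
EXFIL_BYTES_THRESHOLD = 500 * 1024 * 1024  # 500 MiB in one flow to an external host
RANSOM_EXTENSIONS = {".rhysida"}           # extension from the post; extend per family
# Explicit internal ranges rather than ipaddress.is_private, which also treats
# documentation ranges such as 203.0.113.0/24 as "private".
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def parse_ts(text):
    """Parse '2025-10-04T02:13:05Z' into an aware UTC datetime."""
    return datetime.fromisoformat(text.replace("Z", "+00:00"))


def is_internal(ip):
    return any(ip_address(ip) in net for net in INTERNAL_NETS)


def is_off_hours(when):
    """Assumption: 22:00-06:00 UTC is outside business hours; adjust to local time."""
    return when.hour >= 22 or when.hour < 6


def analyze_file_events(lines):
    """Lines: ts|host|user|op|path. Returns (host, rule, detail) alerts."""
    write_times = defaultdict(list)
    ext_hits = defaultdict(int)
    alerts = []
    for line in lines:
        ts, host, user, op, path = line.strip().split("|", 4)
        if op in ("write", "rename"):
            write_times[host].append(parse_ts(ts))
        ext = ("." + path.rsplit(".", 1)[-1].lower()) if "." in path else ""
        if ext in RANSOM_EXTENSIONS:
            ext_hits[host] += 1
    for host, count in ext_hits.items():
        alerts.append((host, "ransomware_extension", f"{count} files written with a known ransomware extension"))
    for host, times in write_times.items():
        times.sort()
        left = peak = 0
        for right, t in enumerate(times):       # sliding window over sorted timestamps
            while (t - times[left]).total_seconds() > WINDOW_SECONDS:
                left += 1
            peak = max(peak, right - left + 1)
        if peak >= MASS_MOD_THRESHOLD:
            alerts.append((host, "mass_modification", f"{peak} writes/renames within {WINDOW_SECONDS}s"))
    return alerts


def analyze_connections(lines):
    """Lines: ts|host|src_ip|dst_ip|dst_port|bytes_out. Returns (host, rule, detail) alerts."""
    alerts = []
    for line in lines:
        ts, host, _src, dst, port, nbytes = line.strip().split("|")
        nbytes = int(nbytes)
        if is_internal(dst) or nbytes < EXFIL_BYTES_THRESHOLD:
            continue                            # internal replication and small flows are normal
        when = parse_ts(ts)
        rule = "off_hours_bulk_egress" if is_off_hours(when) else "bulk_egress"
        alerts.append((host, rule, f"{nbytes // (1024 * 1024)} MiB to {dst}:{port} at {when:%H:%M} UTC"))
    return alerts


def constructed_file_events():
    """Constructed sample: normal work on one workstation, an encryption burst on another."""
    lines = [
        "2025-10-04T14:02:11Z|WS-LEGAL-03|asmith|write|C:/Matters/Jones/motion.docx",
        "2025-10-04T14:05:40Z|WS-LEGAL-03|asmith|write|C:/Matters/Jones/exhibit-a.pdf",
        "2025-10-04T14:20:02Z|WS-LEGAL-03|asmith|read|C:/Matters/Jones/notes.txt",
    ]
    base = datetime(2025, 10, 4, 2, 13, 5, tzinfo=timezone.utc)
    for i in range(120):                        # 120 renames in 30 seconds on one host
        t = base + timedelta(milliseconds=250 * i)
        lines.append(f"{t:%Y-%m-%dT%H:%M:%S}Z|WS-LEGAL-07|jdoe|rename|C:/Matters/Smith/doc{i:03d}.docx.rhysida")
    return lines


def constructed_connections():
    """Constructed sample flows; 203.0.113.0/24 is a documentation range standing in for the internet."""
    return [
        "2025-10-04T02:40:00Z|WS-LEGAL-07|10.0.5.17|203.0.113.45|443|1932735283",  # 1843 MiB at 02:40
        "2025-10-04T03:00:00Z|FS-01|10.0.1.5|10.0.1.20|445|3000000000",             # internal backup job
        "2025-10-04T11:15:00Z|WS-LEGAL-03|10.0.5.12|203.0.113.80|443|4200000",       # ordinary upload
        "2025-10-04T15:30:00Z|WS-LEGAL-12|10.0.5.40|203.0.113.9|443|700000000",      # daytime bulk egress
    ]


if __name__ == "__main__":
    for alert in analyze_file_events(constructed_file_events()) + analyze_connections(constructed_connections()):
        print(alert)
```

The extension rule is the cheap high-confidence signal; the sliding-window rule is what catches a family that uses a different or no extension. On the connection side, the internal-range check keeps backup replication out of the alert stream, and the off-hours variant is the one worth paging on.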
Incident Response Considerations
Despite best efforts, some organizations face active ransomware incidents. Advance preparation improves outcomes significantly.
Immediate Actions
Isolate affected systems without powering them down. Disconnecting network cables or disabling Wi-Fi prevents spread while preserving forensic evidence. Do not delete ransom notes or encrypted files.
Activate your incident response plan. Contact your cyber insurance carrier, legal counsel, and cybersecurity incident response firm. Early notification preserves coverage and enables faster response.
Document everything. Capture screenshots of ransom notes, record timelines, and preserve logs. This information supports investigation, insurance claims, and potential law enforcement involvement.
Communication Strategy
Determine notification obligations under state breach notification laws and professional ethics rules. Many jurisdictions require notification within specific timeframes. Client notification may be mandatory even before full investigation completes.
Prepare internal communications for staff. Employees need clear guidance on what to say to clients, opposing counsel, and courts. Inconsistent messaging creates additional problems.
Recovery Decisions
Paying ransoms doesn't guarantee data recovery or deletion. FBI and CISA recommend against payment, but organizations must weigh operational requirements, data sensitivity, and legal obligations. Consult legal counsel before making payment decisions.
Even with backups, recovery takes time. Plan for degraded operations during restoration. Identify critical systems for priority recovery and communicate realistic timelines.
Key Takeaways
- Rhysida ransomware targets law firms specifically, with attacks increasing 76% in 2025 compared to 2024
- Multi-factor authentication on all remote access blocks over 80% of credential-based attacks
- Law firm data commands premium ransoms averaging $2.47 million due to confidentiality requirements and time pressures
- Offline backups tested monthly provide the most reliable recovery option without paying ransoms
- Network segmentation contains breaches and limits attacker movement between systems
- Email authentication protocols (DMARC, DKIM, SPF) significantly reduce successful phishing attempts
Conclusion
The Falk Waas attack demonstrates how ransomware groups identify and exploit vulnerabilities in professional services firms. Rhysida's success against multiple law firms in recent months signals that legal practices represent high-value targets with exploitable security gaps.
Defense requires commitment to fundamental security controls. Multi-factor authentication, network segmentation, email security, and tested backups block most attack paths. These measures require investment, but they cost significantly less than average ransom demands or operational disruption.
Review your security posture against the controls outlined in this post. Identify gaps, prioritize based on threat likelihood, and implement improvements systematically. The seven-day countdown facing Falk Waas could begin at any organization; preparation determines whether you face impossible choices or manageable recovery.
Frequently Asked Questions
Q: Should organizations pay ransomware demands?
A: Law enforcement recommends against payment because it funds criminal operations and doesn't guarantee data recovery or deletion. However, organizations must consider operational requirements, data sensitivity, and legal obligations when facing active attacks. Consult legal counsel and cyber insurance carriers before making payment decisions.
Q: How long does recovery from ransomware typically take?
A: Recovery timelines vary from days to months depending on backup availability, system complexity, and damage extent. Organizations with tested offline backups typically restore critical systems within 3-7 days. Those without usable backups may face weeks or months of rebuilding, even if they pay ransoms.
Q: What makes law firms particularly attractive to ransomware groups?
A: Law firms hold uniquely valuable data including corporate secrets, financial records, and privileged communications. Time-sensitive deadlines create pressure for rapid ransom payment, and ethical obligations to protect client confidentiality add regulatory urgency. Historical security underinvestment makes many firms technically vulnerable.
Q: How can small law firms afford enterprise-grade security?
A: Focus on high-impact, low-cost controls first. Multi-factor authentication, cloud backup services, email authentication protocols, and password managers cost minimal amounts but block most attacks. Managed security service providers offer enterprise capabilities at scales appropriate for small firms.
Q: Will cyber insurance cover ransomware attacks?
A: Most cyber insurance policies cover ransomware, but coverage varies significantly. Policies typically cover ransom payments, forensic investigation, legal fees, and business interruption. However, insurers increasingly require specific security controls before binding coverage, particularly multi-factor authentication and tested backups. Review policy terms carefully.
