IronSights
All insights

threat intelligence

Ransomware groups are targeting Australian law firms. Here's what the data says.

Two Australian law firms were listed on ransomware leak sites in 2025. A third had network access sold on a criminal forum for US$1,000. QBE's threat intelligence report puts attack volumes against the legal sector up 54% year on year. Here's what the data says about who's doing it and what actually helps.

By IronSights Editorial, Practitioner team7 July 20264 min read
ByIronSights Editorial7 July 20264 min read

Two Australian law firms appeared on leak sites in 2025. One in New South Wales, one in Adelaide. Both were listed by Lynx, a ransomware group that specifically targets the legal sector.

A third Australian firm's network access was purchased on a criminal forum for US$1,000. The buyer was GLOBAL GROUP, an emerging ransomware operation active in Australia from mid-2025. That's roughly A$1,520 for a foothold into your network. Less than a morning's billable time for a senior partner.

When security researchers say law firms are "targeted," this is what it looks like in practice. Not appearing in aggregate statistics alongside other industries. Ransomware groups buying their way in specifically, listing firms by name, and demanding ransoms that averaged A$930,000 against the legal sector in 2025.

Why law firms

Ransomware works by finding leverage. The leverage works when paying is cheaper than not paying. Law firms are good targets because client data held by a firm creates a type of pressure most businesses don't face.

M&A negotiations that could move markets if disclosed early. Privileged communications between clients and counsel that cannot be shared under any circumstances. Litigation strategy, settlement positions, matters that clients trusted to solicitor-client privilege. If a retailer's customer database gets stolen, they have a breach notification problem. If a firm's client communications get published, they have a problem that goes considerably further.

QBE's May 2026 report on the legal sector puts it plainly: given the sensitivity of data held by law firms, the threat from ransomware actors is likely to continue. These groups are not here by accident.

The groups active right now

RansomHub and Black Basta, two prolific groups from 2024, appear to have wound down. Others have taken their place.

Qilin and Akira are currently the most active globally. INC Ransom listed 20 legal sector firms in 2026, ten within a two-day window. QBE notes the pace suggests a common third-party supplier was compromised, which gave the group access to multiple firms at once rather than targeting each individually.

Silent Ransom Group (also known as Luna Moth) targets law firms almost exclusively. Their approach is callback : spam emails claiming the recipient has an unwanted subscription, a phone number to call to resolve it, and on that call someone impersonating IT support talks the victim into installing remote access software. No , no exploit. Just a phone call. Once they have access they steal data and threaten to publish it unless paid.

GLOBAL GROUP buys network access from initial access brokers, criminal intermediaries who compromise organisations and sell the entry point on, then run their own ransom operations from there.

The mandatory reporting change

Since May 30, 2025, Australia's mandatory ransomware reporting regime has been in force. A ransomware incident requires notification to the within 72 hours. Non-compliance carries a penalty of up to A$19,800.

If your firm doesn't have an that includes ASD notification, you're unprepared and potentially looking at penalties on top of whatever the incident itself costs.

The numbers

QBE puts attack volumes against the legal sector up 54% between 2024 and 2025. Average ransom demands rose from US$383,000 to US$611,000 over the same period. Microsoft's Digital Defense Report 2025 ranked legal as the eighth most targeted industry globally. Globally, claimed ransomware victims across all sectors hit 8,159 in 2025, up from 6,129 in 2024 and 5,336 in 2023.

What helps

On backups: ransomware groups know firms lean on them to avoid paying, so they routinely try to locate and destroy backup systems before deploying the payload. A backup on the same network it's protecting can be encrypted in the same attack. And a backup that has never been tested by actually restoring from it is not a known working backup. Offline, tested, isolated from the primary network.

On patching: exploitation increased 42% in 2025. VPNs, firewalls, and file-transfer platforms were the most commonly exploited categories. Quarterly patching cycles are not fast enough for the current pace of exploitation. Internet-facing systems need active monitoring and rapid patch deployment.

On credentials: nine in ten cyberattacks start with compromised credentials. on email and remote access raises the cost of credential attacks enough that most opportunistic groups move on to easier targets.

On staff: Silent Ransom Group's callback phishing bypasses all of the above because the victim installs the software themselves. The mitigation is not technical. It's people knowing that any unexpected call from "IT support" asking them to install something should be verified through an independent channel before they do anything.

The insurance piece

Cyber premiums fell roughly 10% through 2025 while claims rose 32.5% in 2024. Coverage is cheaper than the market peak and the risk is higher. If you haven't looked at your policy since the mandatory reporting regime came in, it's worth doing. Notification costs, regulatory response, and legal counsel around the 72-hour window all have a price that older policies may not fully cover. If you'd like to talk through where your firm stands, get in touch.

Keep reading

More from the IronSights team.