The Evolving Threat Landscape for Legal Services in 2026

Written by The Hivemind | Jun 12, 2026 6:06:30 PM

Verticals Targeted: Legal Services, Law Firms
Regions Targeted: US, Europe, Israel
Related Threat Actors and Malware: UNC3753, Akira, Qilin, DragonForce, INC, The Gentlemen

Executive Summary

Legal services organizations continue to face elevated cyber risk due to the vast quantities of confidential information they maintain on behalf of clients. Law firms, legal consultancies, title services, and compliance organizations routinely store merger and acquisition plans, litigation records, intellectual property, financial disclosures, personally identifiable information (PII), and privileged communications. Recent activity attributed to UNC3753 highlights a growing trend in which threat actors increasingly prioritize data theft and extortion over traditional ransomware deployment. As cybercriminal groups continue targeting the legal sector for its uniquely valuable information assets, organizations must strengthen both technical and operational defenses to protect client confidentiality, business continuity, and professional reputation.

Key Takeaways

  • Legal services organizations remain high-value targets due to their concentration of privileged communications, confidential client information, and business-critical documentation.
  • Multiple ransomware and extortion groups, including UNC3753, Akira, Qilin, DragonForce, INC Ransom, and The Gentlemen, have demonstrated an interest in organizations that manage sensitive legal and corporate information.
  • Data theft and extortion campaigns increasingly generate more leverage for attackers than traditional ransomware encryption.
  • Social engineering, voice phishing, and abuse of legitimate administrative tools continue to provide effective initial access pathways.
  • Cloud-based document repositories, legal case management systems, and third-party service providers have become increasingly attractive targets.

Background

The legal sector occupies a unique position within the cyber threat landscape. Unlike many industries that primarily store information about their own operations, legal organizations routinely maintain highly sensitive information belonging to numerous external clients. A single compromise may expose litigation records, intellectual property, merger negotiations, regulatory investigations, financial disclosures, and confidential communications spanning multiple organizations and jurisdictions.

Threat actors increasingly recognize that compromising a law firm may provide access to information capable of generating extortion leverage against multiple victims simultaneously. This concentration of sensitive data, combined with the reputational and regulatory consequences associated with disclosure, makes legal services organizations particularly attractive targets for financially motivated threat actors. The current trajectory of the threat landscape indicates legal services organizations will likely remain priority targets throughout 2026 as cybercriminal groups continue shifting toward data theft and extortion-driven business models.

Why Legal Services Are Prime Targets

Legal organizations possess several characteristics that distinguish them from other professional services sectors. Law firms routinely maintain attorney-client privileged communications, litigation strategy documents, intellectual property, merger and acquisition materials, executive communications, financial disclosures, regulatory investigations, and personally identifiable information. Unlike payment card data or consumer credentials, many of these records retain their value and sensitivity for years or even decades.

Additionally, legal organizations often serve as centralized repositories for information belonging to numerous clients. A successful compromise may therefore impact multiple businesses, government entities, executives, and private individuals simultaneously. This creates significant opportunities for threat actors seeking financial gain through extortion, data theft, or public disclosure.

Key Threat Actors Targeting the Legal Sector in 2026

UNC3753 (aka Luna Moth / Chatty Spider / Silent Ransom Group)

UNC3753 is a financially motivated threat cluster active since at least 2022 that specializes in data theft and extortion operations. Unlike traditional ransomware groups, UNC3753 typically prioritizes stealing sensitive information rather than deploying file-encrypting malware. The group is known for sophisticated social engineering campaigns that leverage voice phishing (vishing), IT helpdesk impersonation, and legitimate remote administration tools to gain access to victim environments.

Recent reporting from Google Threat Intelligence Group identified an ongoing campaign targeting legal, financial, and professional services organizations throughout early 2026. The operation commonly begins with benign invoice-themed emails sent from consumer email accounts. These emails contain no malicious attachments or links and are designed solely to create confusion or concern before a follow-up phone call from a threat actor posing as internal IT personnel. Once contact is established, victims are persuaded to participate in screen-sharing sessions and install legitimate tools such as Microsoft Teams, Zoom, Quick Assist, AnyDesk, Bomgar, Zoho Assist, or SuperOps RMM. In some incidents, the entire attack chain, from initial contact to data theft and extortion, was completed within a single business day.

UNC3753 has demonstrated a particular interest in legal organizations due to the concentration of privileged client information and confidential business records they maintain. Investigators observed the group searching document management systems and repositories for tax records, client agreements, audit documentation, Social Security numbers, and other high-value information before exfiltrating data through cloud storage services, WinSCP, or Rclone. The group subsequently issues aggressive extortion demands, often threatening to contact clients directly or publish stolen information on its LEAKEDDATA data leak site. Recent reporting also suggests that actors associated with the group may have attempted physical intrusions by posing as technical support personnel and seeking direct access to endpoints.
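The chain described above (a remote-support tool appearing on a workstation, then Rclone or WinSCP on the same host within a business day) can be correlated in process-creation telemetry. The following is an added example, not code from PolySwarm or from the Google reporting; the log line format, host names, user names and file paths are constructed, and the substring matching on image names is an assumption to be mapped onto the exact binaries and signers in your own EDR or Sysmon data.

```python
"""Correlate remote-support tool launches with later exfiltration tooling on the same host."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Substrings of the remote-support / RMM products named in the reporting.
# Substring matching is an assumption; replace with exact image names and
# signer checks from your telemetry.
REMOTE_SUPPORT_MARKERS = ("anydesk", "quickassist", "bomgar", "zoho", "superops")
EXFIL_MARKERS = ("rclone", "winscp")
# The reporting notes whole intrusions completing within a single business day.
CORRELATION_WINDOW = timedelta(hours=24)

# Constructed line format: "<iso-ts>Z host=<h> user=<u> image=<full path>"
LINE_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) image=(?P<image>.+)$")


@dataclass
class ProcEvent:
    ts: datetime
    host: str
    user: str
    image: str


def parse_event(line: str) -> ProcEvent:
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable event: {line!r}")
    return ProcEvent(datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
                     m["host"], m["user"], m["image"])


def _matches(image: str, markers) -> bool:
    name = image.lower().rsplit("\\", 1)[-1]      # file name only
    return any(mk in name for mk in markers)


def _user_writable(image: str) -> bool:
    # An ad hoc install during a "support" call usually lands in the user
    # profile, whereas managed deployments live under Program Files.
    return image.lower().startswith("c:\\users\\")


def correlate(lines):
    """Return one alert per exfil-tool launch that follows a remote-support
    tool launch on the same host inside CORRELATION_WINDOW."""
    events = sorted((parse_event(l) for l in lines if l.strip()), key=lambda e: e.ts)
    last_remote = {}  # host -> most recent remote-support event
    alerts = []
    for ev in events:
        if _matches(ev.image, REMOTE_SUPPORT_MARKERS):
            last_remote[ev.host] = ev
        elif _matches(ev.image, EXFIL_MARKERS):
            prior = last_remote.get(ev.host)
            if prior and ev.ts - prior.ts <= CORRELATION_WINDOW:
                alerts.append({
                    "host": ev.host, "user": ev.user,
                    "remote_tool": prior.image, "exfil_tool": ev.image,
                    "minutes_between": int((ev.ts - prior.ts).total_seconds() // 60),
                    # Higher severity when the remote tool ran from a user-writable path.
                    "severity": "high" if _user_writable(prior.image) else "medium",
                })
    return alerts


# Constructed sample telemetry (hosts, users and paths are invented).
SAMPLE_LOG = r"""
2026-03-10T09:14:02Z host=WS-LEGAL-07 user=jdoe image=C:\Users\jdoe\Downloads\AnyDesk.exe
2026-03-10T09:20:45Z host=WS-LEGAL-07 user=jdoe image=C:\Windows\System32\notepad.exe
2026-03-10T11:02:13Z host=WS-LEGAL-07 user=jdoe image=C:\Users\jdoe\AppData\Local\Temp\rclone.exe
2026-03-11T09:00:00Z host=WS-FIN-03 user=asmith image=C:\Program Files\Bomgar\bomgar-scc.exe
2026-03-11T16:40:00Z host=WS-FIN-03 user=asmith image=C:\Program Files (x86)\WinSCP\WinSCP.exe
2026-03-01T13:05:00Z host=WS-PARA-01 user=mlee image=C:\Users\mlee\Downloads\QuickAssist.exe
2026-03-05T08:15:00Z host=WS-PARA-01 user=mlee image=C:\Users\mlee\Downloads\rclone.exe
2026-03-12T10:00:00Z host=WS-IT-02 user=rkim image=C:\Program Files (x86)\WinSCP\WinSCP.exe
"""

if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOG.splitlines()):
        print(alert)
```

On the sample data only WS-LEGAL-07 (high, user-profile AnyDesk then Rclone) and WS-FIN-03 (medium, managed Bomgar then WinSCP) fire; WS-PARA-01 falls outside the window and WS-IT-02 has no preceding remote-support launch.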

UNC3753 represents one of the clearest examples of the shift toward human-centric intrusions. The group's success demonstrates how effectively threat actors can bypass traditional security controls by exploiting trust, authority, and routine business processes.

Akira

Akira emerged in 2023 and quickly became one of the most prolific ransomware operations targeting organizations across North America and Europe. The group typically combines ransomware deployment with large-scale data theft, allowing affiliates to pressure victims through both operational disruption and public exposure of stolen information. Akira has repeatedly targeted legal and professional services organizations, including firms responsible for managing confidential client and business information.

The group commonly gains access through compromised credentials, VPN appliances, remote access services, and other internet-facing infrastructure. Once inside a network, affiliates conduct reconnaissance, move laterally through the environment, exfiltrate sensitive data, and deploy ransomware to maximize business disruption. Akira maintains an active leak site where stolen information from non-paying victims is publicly disclosed.

Akira demonstrates that traditional ransomware operations remain highly effective against organizations managing large repositories of confidential information. For legal services organizations, exposure of client records may create greater risk than encryption itself.

Qilin

Qilin has emerged as one of the most active ransomware-as-a-service (RaaS) operations in the current threat landscape. The group provides affiliates with ransomware tooling, infrastructure, negotiation support, and data leak capabilities, enabling a wide range of actors to conduct attacks under the Qilin banner. Victim disclosures indicate broad targeting across numerous industries, including legal services organizations.

Qilin operations frequently involve both data theft and encryption, with stolen documentation used to increase extortion pressure during negotiations. The group's affiliates have demonstrated flexibility in their intrusion methods, leveraging phishing, compromised credentials, remote access services, and other common access vectors. The scale of the affiliate ecosystem significantly increases the likelihood that organizations in the legal sector may encounter Qilin-related activity.

Qilin's continued growth reflects the maturation of the ransomware-as-a-service ecosystem. The group's affiliate-driven model creates persistent risk for legal organizations because attacks may originate from numerous operators using different intrusion techniques.

DragonForce

DragonForce has expanded its presence within the ransomware ecosystem through aggressive affiliate recruitment, extortion operations, and public leak site activity. The group has increasingly emphasized theft of sensitive business information as a primary source of leverage, reflecting broader trends across the cybercriminal landscape.

DragonForce frequently uses public disclosure threats to pressure victims into negotiations and has demonstrated a willingness to target organizations responsible for managing confidential corporate information. While the group has historically been associated with ransomware deployment, its operations increasingly align with the broader trend toward data theft-driven extortion.

DragonForce highlights the growing importance of information theft within modern cyber extortion campaigns. For legal organizations, the threat of public disclosure may create greater operational and reputational risk than system encryption alone.

INC Ransom

INC Ransom is a financially motivated extortion group known for targeting organizations possessing sensitive financial, legal, healthcare, and corporate information. The group has repeatedly demonstrated an interest in organizations where disclosure of stolen information may generate significant reputational, regulatory, or contractual consequences.

INC Ransom operations typically involve data theft followed by aggressive extortion negotiations. Victims are often pressured through threats of public disclosure, leak site publication, and reputational harm. The group's victimology suggests a preference for organizations maintaining large quantities of sensitive business and personal information.

Legal services organizations align closely with INC Ransom's preferred targeting profile. The group's emphasis on public disclosure and reputational pressure makes organizations holding privileged legal records particularly attractive targets.

The Gentlemen

The Gentlemen ransomware operation represents another example of the increasingly blurred line between ransomware and data theft extortion. The group has targeted organizations across multiple sectors and leveraged both encryption and public disclosure threats as part of its operations.

While less prolific than some of the larger RaaS ecosystems, The Gentlemen reflects the continuing diversification of the cybercriminal landscape. Smaller and mid-tier ransomware groups continue to target organizations holding valuable information, including professional services firms, in search of extortion opportunities.

The Gentlemen reinforces a broader reality facing the legal sector: organizations are no longer threatened solely by major ransomware brands. A growing number of financially motivated actors recognize the value of confidential legal information and may view law firms as attractive targets regardless of organizational size.

High-Value Systems

Threat actors increasingly focus on platforms that centralize legal documentation and business-critical information.

Common targets include:

  • iManage
  • NetDocuments
  • SharePoint
  • OneDrive
  • Google Workspace
  • Legal case management systems
  • E-discovery platforms
  • Corporate email repositories

Recent UNC3753 activity specifically involved searches of document management systems and repositories containing tax records, legal agreements, financial documents, and personally identifiable information.

Emerging Trends

The Human Attack Surface

The success of recent campaigns targeting legal services organizations demonstrates a broader shift in cybercrime. Rather than attacking technology directly, threat actors increasingly target trust, authority, and business processes. Attorneys, paralegals, legal assistants, accountants, and administrative personnel routinely interact with clients, courts, regulators, vendors, opposing counsel, and service providers. Threat actors can exploit this operational reality through impersonation, fraudulent support requests, and social engineering campaigns designed to bypass technical controls.

AI-Enhanced Social Engineering

Threat actors are increasingly leveraging AI-generated content, automated reconnaissance, and emerging voice synthesis capabilities to improve phishing and vishing success rates. Legal professionals who routinely communicate with unfamiliar parties may be particularly vulnerable to highly tailored impersonation attempts.

Data Theft Without Encryption

Data theft and extortion campaigns continue to outpace traditional ransomware operations. Threat actors increasingly recognize that stealing confidential legal information may generate greater leverage than encrypting systems, while reducing operational complexity and recovery opportunities for victims.

Cloud Repository Targeting

As firms continue migrating operations to cloud-hosted platforms, attackers increasingly focus on SharePoint, OneDrive, Google Workspace, NetDocuments, and similar repositories rather than traditional file servers.

Supply Chain and Third-Party Risk

Legal organizations increasingly depend on managed service providers, e-discovery vendors, cloud platforms, contract review systems, and document management providers. Compromise of a trusted third party may create downstream exposure for numerous legal organizations and their clients.

Potential Business Impacts

Successful compromises may result in:

  • Exposure of attorney-client privileged information
  • Regulatory investigations
  • Contractual liability
  • Litigation exposure
  • Client notification requirements
  • Reputational damage
  • Loss of competitive advantage
  • Business interruption
  • Increased cyber insurance costs

The downstream consequences of a legal sector breach frequently extend beyond the affected organization and impact clients, business partners, regulators, and other third parties.

Recommended Mitigations

Organizations within the legal sector should prioritize:

  • Voice phishing and social engineering awareness training
  • Verification procedures for IT support requests
  • Application allowlisting
  • Remote administration software restrictions
  • Multi-factor authentication across business-critical systems
  • Cloud storage monitoring
  • Document repository auditing
  • Visitor verification procedures
  • USB device restrictions
  • Enhanced monitoring for abnormal file access and bulk data transfers
  • Third-party vendor risk assessments

Analyst Commentary

The legal sector represents one of the clearest examples of how cybercrime has evolved from a technology problem into a business risk problem. Threat actors increasingly target information rather than infrastructure, recognizing that privileged communications, legal strategy documents, intellectual property, and client records can generate significant extortion leverage without disrupting operations.

For defenders, identifying these threats requires visibility beyond traditional malware detection. Many of the techniques used by modern extortion actors rely on legitimate software, compromised credentials, trusted cloud services, and social engineering rather than malicious binaries. This creates blind spots for organizations that rely exclusively on signature-based detection and conventional security tooling.

PolySwarm's crowdsourced threat intelligence ecosystem provides defenders with access to diverse malware analysis and detection perspectives that extend beyond any single security vendor. By leveraging intelligence from a broad network of detection engines and threat intelligence contributors, organizations can identify suspicious artifacts, emerging malware variants, and attacker infrastructure that may evade traditional point solutions. For legal services organizations tasked with protecting highly sensitive client information, this additional visibility can support faster artifact triage, improve threat validation workflows, and strengthen overall incident response and threat-hunting efforts.

IOCs

PolySwarm has multiple samples of malware associated with groups known to target legal services entities. Below is a selection of hashes of some of our most recent samples from those families.

Akira


Click here to view all samples of Akira in our PolySwarm portal.

INC


Click here to view all samples of INC in our PolySwarm portal.

DragonForce


Click here to view all samples of DragonForce in our PolySwarm portal.

Qilin


Click here to view all samples of Qilin in our PolySwarm portal.

The Gentlemen


Click here to view all samples of The Gentlemen in our PolySwarm portal.

Contact us at hivemind@polyswarm.io | Check out our blog | Subscribe to our reports.