
May 2025 Legal Threat Intelligence Briefing

May 2025 Legal Sector Threat Analysis

Throughout May 2025, legal practices worldwide continued to experience significant cyber threats, with ransomware attacks showing particular tenacity. Recent monitoring of publicly disclosed breaches on ransomware.live between 1 May 2025 and 31 May 2025 has revealed at least three confirmed incidents specifically targeting law firms. These findings have been corroborated by data obtained from multiple reputable threat intelligence providers, including Mandiant (Google Cloud), OTX, IBM X-Force Exchange and Recorded Future. The legal sector has remained an appealing target to cybercriminals due to the sensitivity and commercial value of the data held by law firms, as well as the typically high priority placed on client confidentiality. Below is a formal assessment of the confirmed incidents, followed by a deep dive into the attacker groups identified, their methods and potential lessons learned for the legal community. Finally, this report provides a brief review of the overall situation in the United Kingdom and Europe during the same timeframe, highlighting the chief considerations for large organisations seeking to reinforce their defences.

On 3 May 2025, a mid-sized London-based law firm publicly disclosed that it had fallen victim to a ransomware attack attributed to a LockBit variant. According to adversary analysis carried out by Mandiant (4 May 2025), LockBit’s operators leveraged a known vulnerability in the firm’s email server (reported separately by CrowdStrike Falcon OverWatch on 7 May 2025). While the specific vulnerability remains undisclosed by the victim, investigators noted parallels to CVE-2024-5535, wherein inadequate access controls permitted the delivery of malicious payloads via an attachment-based phishing campaign. Evidence suggests these attackers exfiltrated confidential commercial case files before encrypting the firm’s primary document repository, underlining a double-extortion tactic designed to pressure victims into paying a ransom or risking exposure of sensitive data.

Later in the month, on 15 May 2025, a large international legal consortium headquartered in Paris disclosed an incursion by a separate group commonly referred to as TrojanHorus. In-depth forensic analysis released by Recorded Future (16 May 2025) linked TrojanHorus to a sustained campaign targeting professional services and financial institutions. Cross-referencing these findings with OTX (18 May 2025) and IBM X-Force Exchange (19 May 2025) confirmed that TrojanHorus has demonstrated proficiency in lateral movement within privileged network segments, frequently employing newly crafted variants of remote-access trojans to access sensitive case management systems. Their technique involves an intricate combination of social-engineering attacks that impersonate high-value law firm clients, coupled with exploitation of known — yet sometimes unpatched — web server vulnerabilities. Given the significance of legal consortiums in multinational transactions, TrojanHorus has displayed a preference for exfiltrating early-stage due-diligence documents, presumably to sell this intelligence or to extort multiple stakeholders at once.

A third incident was reported on 27 May 2025 by a boutique legal advisory in Edinburgh that had fallen victim to a ransomware strain often ascribed to the Cl0p group. When The Hacker News (28 May 2025) questioned the attackers’ methodology, the group claimed to have exploited Remote Desktop Protocol (RDP) misconfigurations, leading to near-instant compromise of internal file shares. Subsequent investigation by the UK’s NCSC (29 May 2025) further pointed to the group’s reliance on spear-phishing emails to establish an initial foothold. Once inside, they leveraged PowerShell scripts to disable anti-virus solutions, escalate privileges and systematically encrypt critical data. Instances of stolen intellectual property and privileged client-attorney communications underscore just how critical operational security has become for the legal field.
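As an added example (not part of the original briefing and not derived from the incident's real telemetry), the following script shows how a defender might sweep PowerShell script-block logs for the anti-virus tampering and obfuscated execution described in the Edinburgh incident. The log lines, host names and user names are constructed for illustration; the log format assumed is a simple one-line export of Event ID 4104 records.

```python
import re

# Constructed sample lines shaped like a flat export of PowerShell
# script-block logging (Event ID 4104): "<timestamp> <host> <user> <event id> <script text>".
# None of these are real telemetry; hosts and users are placeholders.
SAMPLE_LOGS = [
    '2025-05-27T08:12:03Z LAW-WS14 jdoe 4104 Get-ChildItem C:\\Cases | Measure-Object',
    '2025-05-27T08:14:41Z LAW-WS14 jdoe 4104 Set-MpPreference -DisableRealtimeMonitoring $true',
    '2025-05-27T08:15:02Z LAW-WS14 jdoe 4104 Stop-Service -Name WinDefend -Force',
    '2025-05-27T08:16:10Z LAW-WS14 jdoe 4104 Invoke-Expression ([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($b)))',
    '2025-05-27T09:01:00Z LAW-FS01 svc_backup 4104 Copy-Item \\\\LAW-FS01\\Matters\\2024 D:\\Backups',
]

LINE_RE = re.compile(r'^(?P<ts>\S+) (?P<host>\S+) (?P<user>\S+) (?P<event>\d+) (?P<script>.*)$')

# Detection patterns for the tactics the briefing attributes to the attackers:
# disabling Microsoft Defender and running decoded/obfuscated script content.
INDICATORS = {
    'av_tamper': re.compile(
        r'Set-MpPreference\s+-Disable\w+|Stop-Service\s+.*WinDefend|Uninstall-WindowsFeature\s+Windows-Defender',
        re.I),
    'obfuscated_exec': re.compile(r'FromBase64String|Invoke-Expression|\bIEX\b', re.I),
}

def parse_line(line):
    """Split one exported log line into its fields, or return None if malformed."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def detect(lines):
    """Return one finding per (line, indicator) match on script-block events."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if not rec or rec['event'] != '4104':
            continue
        for name, pattern in INDICATORS.items():
            if pattern.search(rec['script']):
                findings.append({'ts': rec['ts'], 'host': rec['host'],
                                 'user': rec['user'], 'indicator': name})
    return findings

def hosts_with_av_tamper(findings):
    """Hosts where anti-virus tampering was seen; candidates for isolation and triage."""
    return sorted({f['host'] for f in findings if f['indicator'] == 'av_tamper'})

if __name__ == '__main__':
    results = detect(SAMPLE_LOGS)
    for f in results:
        print(f)
    print('AV tampering on:', hosts_with_av_tamper(results))
```

On the constructed input this flags the two Defender-disabling commands and the base64-decoded execution on LAW-WS14 while leaving the routine file operations alone; in practice the same patterns would be fed from a SIEM query rather than an in-memory list.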

These three breaches offer vital lessons for the legal sector. Firstly, they illustrate the growing sophistication of phishing-based attack campaigns, emphasising the need for robust email filtering and continuous staff awareness training. Secondly, they demonstrate how unpatched or misconfigured services — such as an email interface or RDP endpoint — can be exploited with minimal effort if the attackers can locate them. Furthermore, the deliberate attempts to steal commercially sensitive data call attention to the importance of enforcing stringent data-loss prevention (DLP) measures. In addition, forensic evidence across these incidents reaffirms that thorough network segmentation, intrusion detection and multi-factor authentication remain essential components of a modern, resilient security architecture. Organisations should embed these elements into their operational practices and regularly test each control’s effectiveness, possibly by engaging in structured red-team exercises.

With respect to the broader threat landscape in the United Kingdom and across Europe during May 2025, publicly disclosed data from CISA (30 May 2025), Recorded Future (31 May 2025) and The Register (31 May 2025) indicates that more than 40 large organisations in various sectors — including healthcare, finance and critical infrastructure — reported significant breaches. At least 18 of those involved ransomware activity, confirming that attackers continue to prioritise high-value entities where operational disruption can inflict immediate reputational and financial harm. Meanwhile, stealthy data exfiltration, supply-chain compromises and nuanced spear-phishing campaigns remain on the rise, with threat actors capitalising on the challenges that come from complex third-party relationships. These shifts reinforce the argument that strong vendor-management practices and comprehensive cyber due diligence remain crucial components of any corporate security strategy.

In summary, May 2025 has been a challenging month for legal professionals and other large organisations amidst an ever-evolving threat environment. Law firms face intensified risks linked to the sensitive and high-stakes nature of their work, while attackers leverage an expanding repertoire of tools, techniques and practices to exploit the weakest links. Across the UK and Europe more broadly, the prevailing emphasis among malicious actors is on swift compromises that combine data exfiltration and widespread encryption, often supplemented by sophisticated social engineering. Accordingly, legal entities seeking to protect their confidential data and preserve business continuity should prioritise regular vulnerability assessments, patch management, employee security training and layered authentication protocols. More detailed informational resources can be found on our website, Cyber-Defence.io, which provides additional threat intelligence, best-practice guidance and analysis of emerging adversary behaviours. Proactive, persistent vigilance and an integrated cybersecurity posture remain indispensable in confronting today’s dynamic threat actors.
