Flash Briefing | Severity: high | Sectors: Legal & Professional, Finance

RansomHub Affiliates Targeting UK Law Firms During Active M&A Mandates

Intelligence from multiple sources indicates a sustained pattern of RansomHub-affiliated actors timing ransomware deployments against UK and European law firms to coincide with active transaction windows — specifically the weeks immediately preceding exchange or completion on significant M&A deals.

The pattern is not coincidental. Law firms present a structurally exploitable leverage dynamic: they hold sensitive client data under professional privilege, operate under strict regulatory obligations from the Solicitors Regulation Authority and the ICO, and — when targeted during a live transaction — face the additional pressure that disclosure or delay could affect the deal itself, the client relationship, and the firm’s reputation for discretion.

The Targeting Logic

Ransomware actors targeting any victim want the same thing: maximum willingness to pay, as quickly as possible. Against law firms, the timing of a transaction mandate substantially increases both.

A firm managing a significant acquisition or disposal has a client whose deal may be time-sensitive and whose counterparty does not know about the incident. Disclosing a ransomware event to a client mid-transaction, and potentially to the counterparty and their lawyers, is commercially damaging in a way that few other sectors face. If personal data is affected and the breach is likely to present a risk to individuals, the ICO must be notified within 72 hours of the firm becoming aware of it. Against that backdrop, paying the ransom can look rational relative to the cost of disclosure during an active deal, and the actors know it.

RansomHub affiliates have demonstrated an understanding of this dynamic in their targeting selection. In incidents reviewed, the timing of encryption events has coincided closely with deal calendars — in at least two cases, appearing to have been timed to a known transaction timeline obtained through prior reconnaissance or data theft.

What Is Typically Accessed

Law firm breaches at the more sophisticated end are typically not opportunistic encryption-first incidents. The actors are conducting reconnaissance prior to deployment:

Transaction data. Draft agreements, due diligence reports, board packs, and valuation analyses represent both leverage material and sellable intelligence. Pre-close M&A information has a short but extremely high-value window: an actor who knows the terms of an unannounced acquisition before it closes has insider-equivalent market intelligence.

Client personal data. Even for firms that primarily advise corporate clients, matters generate significant volumes of personal data — employment records, individual shareholder information, director details — triggering data protection notification obligations.

Privileged communications. Advice files and correspondence between solicitor and client are subject to legal professional privilege. Their exposure in a data breach creates a separate legal dimension that can extend into post-incident litigation.

Counterparty intelligence. In contested matters or litigation, the opposing party’s legal strategy and settlement thinking is visible in the file. Actors with links to parties in live proceedings have an obvious interest in this material beyond any ransom value.

Affected Firm Profiles

The incidents reviewed are not all large Magic Circle or silver circle firms. Mid-market firms — £20–200m revenue, regional UK offices, transactional practice areas — appear in the majority of confirmed cases. This is consistent with two factors: larger firms have invested more heavily in security operations, and affiliates appear to prioritise achievable targets with sufficient leverage.

Corporate, real estate, and private client practices handling high-value transactions are the highest-frequency targets. Litigation practices handling significant commercial disputes are also in scope, for the counterparty intelligence reason above.

SRA and ICO Obligations

Law firms face a dual regulatory exposure following a breach that organisations in many other sectors do not:

SRA notification. The SRA's Standards and Regulations require firms to report promptly any matter that could amount to a serious breach, and a cyber incident affecting client data, client money or the firm's ability to deliver services will usually qualify. Non-compliance or an inadequate response can affect the practising certificates of the individuals involved and the firm's AML compliance status.

ICO notification. If personal data is affected, which in a law firm breach it almost always is, the ICO must be notified within 72 hours of the firm becoming aware of a breach meeting the risk threshold. The 72-hour clock starts when the firm has a reasonable degree of certainty that a breach has occurred; a fee earner seeing a ransom note is awareness by the firm, and the clock does not wait for the IT team to finish scoping the incident.

Firms that delay notification in the hope of containing an incident without disclosure are taking a regulatory risk that compounds the original security incident.

Recommended Actions

  • Segment transaction data. Matter files for live M&A transactions should sit in access-controlled environments separated from general firm infrastructure. Restrict access to the working team and log all access to deal documents.
  • Maintain offline or immutable backups of matter data. Ransomware actors specifically target and delete backup infrastructure. Verify that critical transaction data can be restored from a source that encryption cannot reach.
  • Run tabletop exercises for mid-deal scenarios. A ransomware incident during an active deal creates a different decision tree than one during a quiet period. Leadership, the responsible partner, and compliance need to know their response sequence in advance.
  • Review third-party access. Law firms use a large ecosystem of external parties — counsel, experts, due diligence providers, data rooms. Each is a potential entry point. Verify that access to sensitive matter data via third parties is appropriately credentialed and logged.
  • Pre-position your incident response provider. Having a retainer with a specialist IR firm before an incident is not an overhead — it is the difference between a 4-hour response and a 48-hour one.

Sources

  • NCSC — Cyber Threat to UK Legal Sector (Annual Review)
  • SRA — Cyber Security Guidance for Law Firms
  • Law Society — Cybercrime and Fraud Guidance