LIVE
LATEST THREAT: Space Bears: The Data Extortion Group With a Corporate Aesthetic and MSSQL Focus THREAT ALERT ACTIVE
Intelligence DB / Campaign Alert INC Ransom

INC Ransom's Law Firm Campaign: 20 Victims in 48 Hours and What It Means for the Legal Sector

INC Ransom claimed 20 law firms in a 48-hour window in 2026 — a pace and sector concentration that analysts assess reflects either a coordinated campaign or a shared upstream compromise of a legal technology provider. INC has now claimed 830+ total victims. Here's what happened and what law firms face.

By Ransomware Tracker ·
INC Ransomransomwarelaw firmslegal sectorCitrixSimpleHelpFortinetdata exfiltrationcampaignlegal technology
Threat Level
9/10
Sectors Targeted
legal
professional-services
Ransomware Family
INC Ransom

INC Ransom claimed 20 law firms in approximately 48 hours in 2026 — a volume and sector concentration that analysts at Halcyon and others assess reflects either a coordinated campaign with a pre-shared victim list or a shared upstream compromise, most likely a legal technology managed service provider. The cluster is notable not just for its pace but for what law firm data represents as a ransomware target: privileged client communications, financial records, M&A documents under NDA, and litigation strategy files that create multiple independent leverage points for extortion.

INC Ransom: Current Status

INC Ransom has operated since mid-2023 and has accumulated 830+ claimed victims across its leak site. The group operates a double-extortion model with a consistently active leak site — exfiltrate, then encrypt, then threaten publication. The group has targeted healthcare, manufacturing, education, and government, but the legal sector campaign represents a significant concentration of a specific professional services vertical.

INC uses a RaaS-adjacent model without advertising openly for affiliates in the way that groups like LockBit or RansomHub do. Intrusion sets attributed to INC campaigns share tooling and infrastructure, suggesting a relatively centralised operation rather than a distributed affiliate model.

The Law Firm Campaign: What Happened

Volume and timing: 20 law firms claimed in approximately 48 hours. For context, a high-volume ransomware group might claim 10-20 victims across all sectors in a week. Twenty victims from a single sector in 48 hours is anomalous and suggests either pre-position access across multiple targets simultaneously or a single upstream entry point.

The MSP hypothesis: Legal technology providers — practice management platforms, document management systems, cloud hosting providers specialising in legal sector deployments — serve as IT operations for many small and mid-size law firms. A compromise of an MSP with access to multiple firm environments would explain both the volume and the sector concentration. INC has previously used MSP access to simultaneously encrypt multiple client environments; this pattern (documented in healthcare and manufacturing contexts) appears to have been applied to the legal sector.

Individual firm size profile: The claims include both small firms (under 50 attorneys) and mid-size regional firms. The breadth suggests the targeting wasn’t selective by firm prestige or practice area — it was opportunistic against a shared technology dependency.

Initial Access and TTPs

INC Ransom’s documented initial access vectors include:

  • Citrix NetScaler vulnerabilities: CVE-2023-3519 (remote code execution) has remained an INC entry point long after patching; many law firms run Citrix for remote access and have not patched legacy infrastructure
  • Fortinet VPN vulnerabilities: including credential stuffing against FortiGate endpoints and exploitation of known Fortinet CVEs
  • SimpleHelp RMM: SimpleHelp, a remote management tool popular with MSPs, has had multiple CVEs exploited by INC and other groups as a route to simultaneously reach MSP-managed clients

Post-access TTPs:

  • Lateral movement via RDP and WMI
  • Credential access via Mimikatz and LSASS dump
  • Data exfiltration via WinSCP, RClone, and MegaSync — all tools that blend with legitimate business use and often bypass DLP controls
  • Encryption via INC’s encryptor, which targets both local drives and accessible network shares

Why Law Firms Are High-Value Ransomware Targets

Law firms hold data that creates multiple independent extortion levers:

Client privilege and confidentiality: Attorney-client privileged communications represent data that clients may pay to suppress independently of whether the firm itself pays. A ransomware group with access to M&A deal communications has leverage over both the law firm and the corporate client.

M&A and deal documents: Pre-announcement M&A documents carry potential insider trading value and significant reputational risk for clients if published. The threat of leaking an impending acquisition before announcement creates pressure on clients — not just the breached firm — to facilitate payment.

Litigation strategy: Opposition counsel gaining access to litigation strategy files through a ransomware leak represents a separate harm distinct from any regulatory breach, creating additional client pressure.

Personal data for regulatory exposure: Law firms process significant volumes of client personal data, creating GDPR/UK GDPR breach notification obligations when exfiltrated. The ICO enforcement record includes law firm fines following ransomware incidents.

Law firms have historically underinvested in security relative to the sensitivity of the data they hold. Specific gaps that INC has exploited in the legal sector:

Legacy Citrix infrastructure: many firms continue to operate NetScaler appliances on versions vulnerable to CVEs from 2023 and earlier. The attack surface is persistent.

Minimal EDR coverage: small and mid-size law firms frequently run consumer-grade endpoint protection rather than EDR platforms with behavioral detection.

No SIEM or logging infrastructure: without centralized logging, lateral movement via RDP and WMI proceeds without generating actionable alerts.

Permissive file share access: document management systems at many firms grant broad network share access without need-to-know restrictions. Once inside, an attacker can reach all client files from any authenticated endpoint.

Immediate Actions for Law Firms

Patch or isolate Citrix and Fortinet perimeter devices — check versions against INC’s known exploitation list and treat unpatched devices as compromised until remediated.

Audit SimpleHelp and RMM tool installations — verify that SimpleHelp and any other RMM tools are current, that access requires MFA, and that the MSP providing the tool is not managing you alongside other law firm clients without network segregation.

Restrict exfiltration tools — RClone, WinSCP, and MegaSync should be blocked at the firewall or DNS layer unless specifically required for business operations. These tools appearing on an endpoint where they haven’t been installed by IT is an immediate high-confidence detection signal.

Review DMS (Document Management System) access controls — implement least-privilege access so that a compromised endpoint can only reach files relevant to the authenticated user’s matters, not the entire document store.

INC Ransom’s law firm campaign is a signal that the legal sector is now a named, targeted vertical — not incidental collateral in broad ransomware campaigns. The combination of high-value data, consistent technology dependencies, and historically underinvested security makes the legal sector one of the most attractive targets remaining for INC and the groups that will follow the same playbook.

// Related Intelligence
Group Profile

INC Ransom Group Profile: NHS Data Leaks, Healthcare Targeting, and the Pure Extortion Model

Campaign Alert

Cl0p's Oracle EBS Campaign: Mass Exploitation via CVE-2025-61882

Campaign Alert

Akira Ransomware: VMware ESXi Campaigns Targeting Healthcare and Manufacturing