eSudo.com

According to Proton’s recent survey of 500 legal professionals, 20% of U.S. law firms experienced a cyberattack in the past 12 months, and 39% of those targeted suffered data loss or exposure—equating to roughly 8% of all firms surveyed. Despite the severity of these incidents, 42% of respondents expressed uncertainty about their ability to recover post-incident, and 45% lack clarity on appropriate response protocols.

Knowledge Gaps and Regulatory Obligations

Proton’s study also revealed that less than 35% of legal professionals are familiar with their breach-response obligations under standards such as ABA Model Rule 1.6 and Formal Opinion 483, while 70% recognize that employee security training is the most effective method for risk reduction.

Understanding Lawyers’ Ethical Obligations After a Breach

Under ABA Model Rule 1.6, attorneys must not reveal “information relating to the representation of a client,” and must “make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information.” In Formal Opinion 483, the ABA’s Ethics Committee emphasizes that lawyers and firms must:

  • Plan ahead by developing and regularly updating a written incident-response plan, including clear roles, communication protocols, and forensic-ready evidence preservation.
  • Implement technical safeguards such as strong encryption, access-control policies, and multi-factor authentication to minimize unauthorized access.
  • Respond promptly by notifying affected clients, regulatory bodies, and—in some jurisdictions—even opposing counsel, while coordinating with legal counsel to manage privilege and malpractice risks.
  • Document and review the incident to improve future readiness and demonstrate compliance with ethical duties.

Yet, Proton’s survey found that fewer than 35% of legal professionals feel confident about these post-breach obligations, leaving 65% potentially exposed to disciplinary action, malpractice suits, and fines.

Empowering Staff Through Targeted Security Training

Recognizing these gaps, 70% of firms identify employee security training as their single most effective risk-reduction tactic. This aligns with industry data showing that employees contribute to over 80% of successful attacks through phishing, misconfigurations, or mishandling of data. Moreover, firms that run regular phishing simulations and follow-up training see up to a 30% reduction in click-through rates on malicious emails.

Best practices for an impactful program include:

  • Role-based modules that focus on the specific risks faced by partners, paralegals, and administrative staff.
  • Interactive simulations (e.g., fake phishing campaigns) coupled with immediate coaching when mistakes occur.
  • Ongoing reinforcement via monthly micro-learning—short videos or quizzes—to keep security top-of-mind.
  • Metrics and reporting tied back to your incident-response plan, demonstrating measurable improvements over time.

At eSudo Technology Solutions, we deliver comprehensive Employee Training & Phishing Simulations as part of our managed IT services. Our approach combines legal-sector expertise with adult-learning principles to ensure your team not only understands their ethical duties under Rule 1.6 and Formal Opinion 483 but can also act decisively when a real incident occurs.

Industry Costs and Client Expectations

Data from Embroker shows that the average cost of a data breach for law firms in 2024 was $5.08 million, a jump of more than 10% year-over-year. Additionally, over one-third of legal clients (37%) reported they’d pay a premium for counsel with stronger cybersecurity measures—underscoring security as a competitive differentiator.

Emerging Threats: The Luna Moth Vishing Campaign

In a May 23, 2025 advisory (PIN 20250523-001), the FBI warned of the Silent Ransom Group (aka Luna Moth/UNC3753) targeting U.S. law firms through callback phishing emails and IT-themed social-engineering calls. Once inside, attackers exfiltrate data via legitimate tools such as WinSCP or Rclone, often bypassing traditional antivirus defenses.

Evolving Tactics: Callback Phishing and IT-Themed Vishing

The FBI’s Private Industry Notification 20250523-001 illustrates how the Silent Ransom Group (SRG)—also operating as Luna Moth, Chatty Spider, and UNC3753—has weaponized a two-pronged social-engineering campaign against U.S. law firms since Spring 2023. SRG begins with callback phishing emails that mimic low-value subscription charges (e.g., “$1.99 monthly fee”), tricking recipients into dialing a “customer service” number. Once connected, victims are instructed to download remote-access software—framed as a cancellation or urgent update—which grants the attacker an initial foothold in the network.

High-Value Vishing and Remote Session Hijacking

By March 2025, SRG shifted to direct vishing calls, impersonating internal IT support. Employees are contacted—often after hours—under the pretext of critical maintenance or security fixes. They’re directed to join remote sessions via legitimate platforms such as Zoho Assist, AnyDesk, Splashtop, Syncro, or Atera. This approach leverages urgency and authority to bypass suspicion, allowing SRG to establish persistent access with minimal privilege escalation before moving laterally within firm environments.

“Living off the Land” Exfiltration Using WinSCP and Rclone

Once inside, SRG evades signature-based detection by abusing legitimate file-transfer utilities. On systems without administrative rights, they deploy a portable copy of WinSCP to siphon documents over SFTP to attacker-controlled servers. Where higher privileges exist, they utilize Rclone—often renamed or hidden—to synchronize large volumes of data to cloud storage destinations under their control. These “living off the land” techniques leave scant forensic traces, complicating standard antivirus and endpoint detection measures.

Key Indicators and FBI-Recommended Mitigations

Because SRG’s tactics produce few host-based artifacts, network defenders should treat the following anomalies as potential signs of compromise:

  • Unexpected installations or executions of remote-access software (Zoho Assist, Syncro, AnyDesk, Splashtop, Atera)
  • Outbound SFTP or HTTPS connections initiated by WinSCP or Rclone to unknown IPs
  • Subscription-style phishing emails instructing recipients to call a number for cancellation
  • Unsolicited phone calls claiming to be from the firm’s IT department
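The first two indicators above are the ones a firm can actually hunt for in endpoint telemetry. The following Python script is an added example, not part of the FBI notification or of eSudo’s tooling: it runs two of those indicators as detection rules over a handful of constructed log lines whose field names loosely follow Sysmon’s process-creation and network-connection events (image path, OriginalFileName, destination IP and port). It assumes the firm has sanctioned exactly one remote-access product (Splashtop, an arbitrary choice here), so any other RMM product in the list is flagged, which is the log-side counterpart of the application-allowlisting mitigation the FBI recommends below. It also shows why OriginalFileName matters: a renamed Rclone binary is still caught because the PE’s embedded name does not change. The IP addresses are from documentation ranges and the hostnames and users are made up.

```python
import ipaddress
import json
from collections import Counter
from pathlib import PureWindowsPath

# Remote-access (RMM) products named in the FBI notification. They are matched
# as case-insensitive keywords against the image path and original file name,
# because exact binary names vary by product version and install path.
RMM_KEYWORDS = ("zoho", "anydesk", "splashtop", "syncro", "atera")

# ASSUMPTION: the firm has approved exactly one RMM product. Any other RMM
# product seen starting on a workstation is treated as unapproved.
APPROVED_RMM = {"splashtop"}

# File-transfer utilities the notification says SRG abuses for exfiltration.
TRANSFER_TOOLS = {"winscp.exe", "rclone.exe"}

# Destinations that are expected for these tools: RFC 1918 space (e.g. the
# firm's own SFTP host). Anything outside these ranges is "unknown".
EXPECTED_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample telemetry (JSON lines). Not real logs; 203.0.113.0/24 and
# 198.51.100.0/24 are documentation ranges standing in for attacker servers.
SAMPLE_EVENTS = [
    r'{"type":"process","host":"WS-ASSOC-07","user":"jdoe","image":"C:\\Users\\jdoe\\Downloads\\AnyDesk.exe","original_name":"AnyDesk.exe"}',
    r'{"type":"process","host":"WS-ASSOC-07","user":"SYSTEM","image":"C:\\Program Files (x86)\\Splashtop\\Splashtop Remote\\Server\\SRServer.exe"}',
    r'{"type":"process","host":"WS-PARA-12","user":"mlee","image":"C:\\ProgramData\\Sync\\svchost32.exe","original_name":"rclone.exe"}',
    r'{"type":"network","host":"WS-PARA-12","user":"mlee","image":"C:\\ProgramData\\Sync\\svchost32.exe","original_name":"rclone.exe","dest_ip":"203.0.113.45","dest_port":443}',
    r'{"type":"network","host":"WS-ASSOC-07","user":"jdoe","image":"C:\\Users\\jdoe\\AppData\\Local\\Temp\\WinSCP.exe","original_name":"WinSCP.exe","dest_ip":"198.51.100.10","dest_port":22}',
    r'{"type":"network","host":"WS-ASSOC-07","user":"jdoe","image":"C:\\Program Files (x86)\\WinSCP\\WinSCP.exe","original_name":"WinSCP.exe","dest_ip":"10.20.0.5","dest_port":22}',
    r'{"type":"process","host":"WS-ASSOC-07","user":"jdoe","image":"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE","original_name":"WinWord.exe"}',
]


def _names(ev):
    """Return (lower-cased full image path, basename, original file name)."""
    image = ev["image"].lower()
    base = PureWindowsPath(ev["image"]).name.lower()
    original = ev.get("original_name", base).lower()
    return image, base, original


def _rmm_product(image, original):
    """First RMM keyword found in the path or embedded name, else None."""
    for kw in RMM_KEYWORDS:
        if kw in image or kw in original:
            return kw
    return None


def _is_expected_dest(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in EXPECTED_NETS)


def classify(ev):
    """Apply the detection rules to one parsed event; return a list of alerts."""
    alerts = []
    image, base, original = _names(ev)
    if ev["type"] == "process":
        product = _rmm_product(image, original)
        if product and product not in APPROVED_RMM:
            alerts.append({"rule": "unapproved_rmm", "host": ev["host"],
                           "detail": f"{ev['user']} started {ev['image']} ({product})"})
        # Rclone/WinSCP with a basename that differs from the PE's own name
        # is the "renamed or hidden" pattern the notification describes.
        if original in TRANSFER_TOOLS and base != original:
            alerts.append({"rule": "renamed_transfer_tool", "host": ev["host"],
                           "detail": f"{ev['image']} has original name {original}"})
    elif ev["type"] == "network":
        # Transfer tool talking SFTP (22) or HTTPS (443) to a non-internal address.
        if (original in TRANSFER_TOOLS and ev["dest_port"] in (22, 443)
                and not _is_expected_dest(ev["dest_ip"])):
            alerts.append({"rule": "transfer_tool_egress", "host": ev["host"],
                           "detail": f"{original} -> {ev['dest_ip']}:{ev['dest_port']}"})
    return alerts


def analyze(lines):
    """Parse JSON-lines telemetry and collect every alert the rules raise."""
    alerts = []
    for line in lines:
        alerts.extend(classify(json.loads(line)))
    return alerts


def hosts_by_alert_count(alerts):
    """Hosts with the most alerts are the first ones to isolate and image."""
    return Counter(a["host"] for a in alerts)


if __name__ == "__main__":
    found = analyze(SAMPLE_EVENTS)
    for a in found:
        print(f"[{a['rule']}] {a['host']}: {a['detail']}")
    print("per-host:", dict(hosts_by_alert_count(found)))
```

Running it flags the AnyDesk launch from a Downloads folder, the renamed Rclone binary (by its embedded name, not its on-disk name) and its HTTPS connection, and the portable WinSCP session to an external host, while the sanctioned Splashtop service and the WinSCP transfer to the internal 10.x SFTP server stay quiet. In a real deployment the same three rules map naturally onto EDR or SIEM queries; the allowlist and expected-network sets are what keep the false-positive rate manageable.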

To counter SRG’s evolving threat, the FBI advises law firms to:

  1. Enforce multi-factor authentication and robust password policies for all remote-access and file-sharing services.
  2. Implement application allowlisting to block unauthorized RMM and file-transfer utilities.
  3. Segment networks and apply least-privilege principles to limit attackers’ lateral movement.
  4. Conduct regular vishing/phishing simulations and ongoing security awareness training for all staff.
  5. Establish and circulate clear IT-verification procedures, using official directories and callback protocols to authenticate any support-related calls.

How eSudo Technology Solutions Can Help

At eSudo Technology Solutions, we specialize in managed IT and cybersecurity services tailored for law firms. Our Small Law Firm IT Support offering includes:

  • 24/7 Managed Detection & Response (MDR) with rapid incident containment
  • Incident Response Planning and tabletop exercises designed around your firm’s workflows
  • Regulatory Compliance Guidance for ABA Rule 1.6, GDPR, HIPAA, and state bar requirements
  • Employee Training & Phishing Simulations to turn your staff into a strong first line of defense
  • Cloud & Network Security with end-to-end encryption and least-privilege access controls

To explore our full suite of managed IT services or schedule a firm-wide security assessment, visit our website today.