
Throughout 2025 and into 2026 we have been hearing about hackers targeting personal injury law firms with ransomware.
Typically, once an attacker has gained access to a law firm’s data, it is encrypted and held hostage until a ransom is paid.
If your data is backed up, the attackers threaten to release client information onto the web as a data breach if their fee is not paid. Unfortunately, they do usually make good on their promises.
I predict 2026 will be a record year for data breaches at law firms, with a focus on personal injury firms.
Uptick in Attacks in 2025:
These attacks are nothing new; healthcare providers and many other business types have dealt with attacks for many years. I get a letter in the mail at least a few times each year telling me my information has been leaked, which has even led to my identity being stolen.
Recently, the barrier to entry was lowered thanks to Ransomware as a Service (RaaS). Basically, a RaaS kit provides unskilled criminals with sophisticated ransomware. They subscribe to a service that gives them everything needed to carry out attacks, including technical support.
As a result, HIPAA Journal estimates ransomware attacks increased by 58% in 2025.
How are Ransomware Attacks Happening?
There are a wide variety of ways an attacker can execute a program on a company computer, but the vast majority of attacks arrive via email.
The law firms we have spoken with had an attorney, paralegal or case manager open an attachment or click on a link in a phishing email, either infecting the computer or letting the attackers into the network.
Personal Injury Firms Targeted in 2026:
We provide quality digital marketing for personal injury firms and have seen the attacks affect clients firsthand, and we’ve been hearing about them through the grapevine, so we know there is an uptick.
Unfortunately, PI attorneys are likely to become targets because:
- They have client data
- There are multiple employees available to target
- They may not be up to date on security
- Attackers may think they have money to spend on ransom
As a note, we have yet to see an attacker get paid by a PI firm.
How Can Law Firms Prevent Ransomware Attacks?
The right solution will depend on a wide variety of factors unique to your law firm, but here are some examples of possible solutions:
- Some law firms have IT staff or Managed Service Providers (MSPs), although they’re not necessarily well versed in preventing ransomware.
- Larger firms may have Managed Security Service Providers (MSSPs).
- Smaller firms who DIY might utilize Bitdefender GravityZone.
- If you have IT, they may use CrowdStrike Falcon.
Basically, you need multi-factor authentication (MFA), endpoint detection, offline backups, staff training and whatever else your security professional recommends.
Recap:
Save yourself the stress, time and money and start locking things down now. Prevention is the best medicine.
If your identity hasn’t been stolen yet, just pretend it has been, and lock your information down now, too. Start here: https://www.identitytheft.gov/.
Once your security is straightened out, let’s straighten out your marketing.