Average ransomware demands targeting legal sector organisations climbed from US$383,000 (approximately A$580,000) to US$611,000 (approximately A$930,000) between 2024 and 2025 – a 60% rise in a single year. Attack volumes in the sector rose 54% over the same period. Professional services ranked in the top three most-targeted industries globally in 2025 and has held a top-five position into 2026, according to QBE Insurance Group’s Cyber Threats: Legal and Professional Services Sector supplementary report, published May 2026.
That deterioration tracks a broader shift in Australia’s domestic threat environment. The ASD’s Australian Cyber Security Centre responded to over 1,200 cyber security incidents in FY2024-25 – an 11% increase from the prior year – with ransomware continuing to be the most disruptive cybercrime threat. The average self-reported cost of cybercrime for large businesses rose 219% to $202,700.
The Office of the Australian Information Commissioner (OAIC) recorded a parallel rise in breach notifications, with 1,113 data breaches reported in 2024 – a 25% increase from 2023 and the highest annual total since the Notifiable Data Breaches scheme commenced in 2018 – with legal, accounting, and management services among the five most-affected sectors. Privacy Commissioner Carly Kind noted in November 2025 that “even entities with the strongest defences may experience a data breach,” adding that cyber risk is increasingly prevalent and sophisticated.
Two Australian law firms – one in New South Wales, one in Adelaide – were publicly listed on the Lynx ransomware group’s leak site in April and August 2025 respectively, according to Ransomware.live data cited in the QBE report. Australia appears alongside the US, UK, Canada, Germany, Italy, India, and South Korea as one of the jurisdictions most affected in 2025.
The mechanics of access have evolved. An operation called GLOBAL GROUP, active across Australia, the UK, and the US since July 2025, acquired entry to one law firm by purchasing remote desktop protocol credentials from a criminal forum for US$1,000 (approximately A$1,520) – confirming that network access to professional services firms is now a traded commodity in criminal markets.
Two methods account for most high-impact incidents against law firms in 2025: manipulation of people and exploitation of unpatched software. Brett Chase, director of sales engineering for APJ at Cohesity, told Security Brief Australia that the pattern extends across sectors. “Identity is at the core of today's cyber threat landscape. Nine out of 10 cyberattacks now start with identity through compromised credentials or misused identities. In Australia, the rise of materially significant cyber incidents makes it clear that weak or inconsistent identity management practices remain a major but preventable root cause,” Chase said. On the technical side, the M-Trends 2026 Report, cited in the QBE report, recorded a 42% rise in zero-day vulnerability exploitation during 2025, with VPNs, firewalls, file transfer platforms, and AI tools all targeted at scale.
One threat actor profile warrants particular attention from underwriters. Silent Ransom Group – also known as Luna Moth – targets law firms almost exclusively using callback phishing, guiding victims into installing remote access tools before exfiltrating data without deploying encryption. The method does not trigger a system lockdown, which raises a coverage question that remains live in the Australian market: whether standard cyber policy wordings – which often anchor business interruption triggers to encryption events or system failure – respond adequately to pure extortion-without-encryption incidents. Policy language varies across the market, with some wordings now including standalone data extortion clauses that do not require a system failure trigger. Brokers placing legal sector risks should confirm with markets how their policy definitions treat this scenario before it arises in a claim.
On May 30, 2025, the Australian government introduced a mandatory ransomware reporting regime for businesses with annual turnovers of $3 million or more. The regime requires reporting to the ASD within 72 hours of a ransomware or cyber extortion payment, with non-compliance carrying a civil penalty of up to $19,800. An education-first period ran through December 2025, with active compliance and enforcement commencing from January 2026.
For insurers and brokers, the practical consequence is that a ransomware payment by a qualifying law firm now triggers two concurrent obligations: the 72-hour notification to ASD under the Cyber Security Act and a potential notifiable data breach report to the OAIC under the Privacy Act. Cyber incident response plans and policy notification clauses written before May 2025 may not account for both timelines running in parallel. Reviewing that alignment – across both policy wordings and insured response procedures – is a necessary step for brokers with legal sector clients.
Australia’s cyber insurance market has remained in soft territory, with cyber premiums falling approximately 10% through 2025 according to EBM Insurance & Risk’s May 2026 market outlook, and financial and professional lines continuing to soften into the first half of 2026. Gallagher’s September 2025 Australian Cyber Insurance Market Update identified ransomware as the leading cyber threat in 2025, with claims rising 32.5% in 2024 and returning to levels last seen in 2021, and flagged that sectors with higher claims activity may face increased premiums or more restrictive terms in coming years.
For the legal sector, the convergence of a 60% rise in average ransom demands and a 54% rise in attack frequency – against a backdrop of unresolved extortion coverage questions and new dual-reporting obligations – represents a risk profile that current soft market pricing may not yet fully reflect.