The Anubis ransomware group claimed a cyberattack on Schlam Stone & Dolan LLP, a New York-based litigation firm, on March 27, 2026. Anubis is threatening to expose confidential data unless the firm enters negotiations — and the group's own statement underscores the strategic value of the target: "Data breach at a law firm representing clients ranging from government institutions to Fortune 500 companies." Schlam Stone & Dolan has not issued a public statement. The attack is not yet confirmed by the firm, but Anubis's leak site claim, combined with the specificity of the client characterization, meets the threshold for credible incident reporting.
What Happened
Anubis posted Schlam Stone & Dolan LLP to its dark web leak site on March 27, 2026, claiming a successful intrusion and threatening data exposure if the firm does not enter ransom negotiations. The group has not yet published data samples or set a specific public deadline at time of writing — the current posture is a negotiation demand, not an immediate data dump threat.
Schlam Stone & Dolan is a New York litigation firm with a practice spanning commercial disputes, real estate litigation, and high-stakes civil matters. The firm's client roster — described by Anubis as including government institutions and Fortune 500 companies — is the strategic core of why this attack matters. A law firm's internal systems contain everything its clients share under attorney-client privilege: litigation strategy, settlement positions, financial exposure analyses, contract disputes, and internal corporate investigations.
Schlam Stone & Dolan has not confirmed the breach or issued a notification at time of writing. The firm's silence is typical in the early phase of law firm ransomware incidents where legal privilege considerations and client notification obligations create complex disclosure dynamics.
What Was Taken
The specific data exfiltrated has not been confirmed or enumerated by Anubis at this stage. Based on Schlam Stone & Dolan's litigation practice profile and Anubis's characterization of the victim, the data at risk includes:
- Attorney-client privileged communications — emails, memos, case strategy documents for active and closed litigation
- Client confidential information — financial records, internal corporate documents, and sensitive disclosures provided by government and Fortune 500 clients for legal matters
- Settlement negotiation materials — demand letters, settlement offers, mediation briefs, confidential financial valuations
- Litigation work product — internal analyses of case strengths and weaknesses, expert witness strategies, discovery planning
- Personnel and billing data — attorney records, client billing histories, trust account information
- Third-party documents — materials produced in discovery or shared under protective orders from opposing parties and their clients
The attorney-client privilege dimension means that data exposure here doesn't just harm Schlam Stone & Dolan — it directly harms every client whose confidential matter is in the firm's systems.
Why It Matters
Law firms are among the most dangerous ransomware targets from a third-party impact perspective. They are repositories of confidential information for dozens or hundreds of clients simultaneously, held under privilege rather than regulatory frameworks like HIPAA or GLBA. This creates a critical gap: law firms are generally not subject to the same mandatory breach notification regimes as healthcare or financial organizations, yet they hold data of equivalent or greater sensitivity.
Anubis's explicit identification of government and Fortune 500 clients is not incidental — it is a deliberate pressure tactic. The group is signaling that the ransom leverage extends beyond Schlam Stone & Dolan to every client whose confidential matter could be exposed. This multiplies negotiation pressure: the firm faces not only its own reputational and operational risk but potential liability to clients whose privileged information is exposed.
Anubis is an emerging ransomware group that has accelerated its targeting of professional services — law firms, accounting firms, and consulting practices — in 2025 and 2026. The sector is attractive for several structural reasons: high-value data, clients with deep pockets who create ransom payment pressure, and limited internal security resources compared to enterprise technology companies.
The broader implication for any organization that shares sensitive information with outside counsel: your litigation firm's security posture is your security posture. Data you share for legal matters does not become less sensitive because it left your environment.
The Attack Technique
Anubis's documented TTPs and the law firm targeting profile point to several probable attack vectors:
- Phishing targeting attorneys and legal staff — Law firm employees receive voluminous external email from clients, opposing counsel, courts, and regulators. Credential-harvesting phishing disguised as court filings, client communications, or legal research tools is highly effective against legal professionals who must open attachments as a core workflow function.
- Credential stuffing or infostealer-sourced credentials — Attorney email addresses and portal credentials frequently appear in breach datasets from third-party services (court filing portals, legal research platforms, bar association systems). Anubis and similar groups routinely use infostealer logs to obtain valid credentials before any direct attack.
- VPN and remote access exploitation — Law firms accelerated remote work adoption post-2020 and many maintain VPN or remote desktop access for attorney home offices. Unpatched remote access infrastructure is a primary Anubis entry vector across victim organizations.
- Lateral movement to document management systems — Once inside the network, the target is the document management system (DMS) — iManage, NetDocuments, or similar platforms that hold every client file, email thread, and work product document. Access to the DMS is effectively access to everything.
The specific initial access vector for the Schlam Stone & Dolan intrusion has not been confirmed.
What Organizations Should Do
- Law firms must treat their document management system as crown-jewel infrastructure — The DMS is the highest-value target in any law firm network. Access to the DMS should require MFA, be logged comprehensively, and alert on bulk downloads or unusual access patterns. Role-based access controls should limit attorney access to matters they are actively working on, not the entire firm's document corpus.
- Implement privileged email security controls — Attorney email is the primary exfiltration path for law firm data. Deploy email DLP policies that flag bulk forwarding, external transfer of large attachments, and communication with newly registered domains. Legal workflows requiring external email are common — that's exactly why sophisticated attackers target it.
- Corporate legal departments must audit their outside counsel's security posture — Any company sharing confidential litigation materials, M&A documents, or regulatory investigations with outside counsel should be asking: Does this firm have cyber incident response capability? What is their breach notification policy? Do they carry cyber liability insurance that covers client data? These questions should be standard in outside counsel engagement letters.
- Establish a law firm-specific incident response playbook — Law firm IR is uniquely complex: attorney-client privilege applies to the breach investigation itself, state bar notification obligations vary, and client notification may require court approval in some matters. Pre-establish relationships with IR counsel, notify malpractice carriers immediately upon discovery, and do not communicate about the breach via potentially compromised internal email systems.
- Rotate credentials and audit access for all clients whose data may be at risk — If your organization's data is in a breached law firm's systems, treat this as a potential data exposure event on your own risk register. Inventory what you've shared with the firm, assess whether that data creates notification obligations under applicable law, and monitor for the data appearing in public dumps if Anubis follows through on its threat.
- Deploy dark web monitoring for attorney credentials — Law firm attorney credentials and email addresses are persistently targeted by infostealer operators and appear regularly in credential breach markets. A dark web monitoring program that alerts on attorney email addresses appearing in stealer logs provides weeks of lead time before those credentials are weaponized in an intrusion.
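One way to implement the DMS alerting from the first recommendation above (bulk downloads and access outside assigned matters), as an added example that is not part of the original article. The CSV log layout, user names, matter IDs, and thresholds are constructed assumptions and do not reflect any real DMS export format.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample audit events in a hypothetical CSV layout:
# timestamp,user,action,matter,doc
SAMPLE_LOG = """\
2026-03-01T09:00:05,akim,download,M-100,D-1
2026-03-01T09:20:10,akim,download,M-100,D-2
2026-03-01T09:21:00,bross,view,M-200,D-9
2026-03-01T23:40:00,cvega,download,M-300,D-20
2026-03-01T23:40:20,cvega,download,M-100,D-1
2026-03-01T23:40:40,cvega,download,M-100,D-2
2026-03-01T23:41:00,cvega,download,M-200,D-9
2026-03-01T23:41:20,cvega,download,M-200,D-10
"""

# Constructed matter assignments (the role-based access baseline).
ASSIGNED = {"akim": {"M-100"}, "bross": {"M-200"}, "cvega": {"M-300"}}


def detect(log_text, assigned, window=timedelta(minutes=10), threshold=5):
    """Return sorted alerts: ('bulk_download', user) and
    ('out_of_matter', user, matter)."""
    alerts = set()
    recent = defaultdict(deque)  # user -> (time, doc) downloads in the window
    # ISO 8601 timestamps sort chronologically as plain strings.
    rows = sorted(line.split(",") for line in log_text.strip().splitlines())
    for ts, user, action, matter, doc in rows:
        when = datetime.fromisoformat(ts)
        # Any access to a matter the user is not assigned to is flagged once.
        if matter not in assigned.get(user, set()):
            alerts.add(("out_of_matter", user, matter))
        if action != "download":
            continue
        q = recent[user]
        q.append((when, doc))
        # Drop downloads that fell out of the sliding window.
        while when - q[0][0] > window:
            q.popleft()
        # Count distinct documents so repeated pulls of one file do not alert.
        if len({d for _, d in q}) >= threshold:
            alerts.add(("bulk_download", user))
    return sorted(alerts)


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG, ASSIGNED):
        print(alert)
```

In production the threshold and window would be tuned per role from each user's own download baseline rather than fixed firm-wide.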