Weil Gotshal reportedly pays up to $20 million after cyber extortion group steals client data

Weil, Gotshal & Manges LLP recently disclosed that a threat actor uploaded a limited number of client documents to an external cloud storage site without authorization. The firm said it immediately activated response protocols upon discovering the incident, engaged third-party cybersecurity professionals, and notified law enforcement. Forensic investigations determined that the attacker did not gain access to Weil’s internal network, and the incident did not disrupt firm operations. Ongoing monitoring has detected no further unauthorized activity.

The firm has contacted affected clients. "Our priority is, and always has been, our clients," a firm spokesperson said. "We appreciate the trust they place in us to safeguard their confidences. We have taken a number of steps in response to the incident consistent with our constant focus on protecting our clients’ information."

While Weil has not confirmed whether any payment was made, the firm reportedly paid between $18 million and $20 million to cyber extortion group Luna Moth, also known as Silent Ransom Group or Chatty Spider, within three days of receiving the demand. The group threatened to publish the stolen data to a public cloud storage site unless payment was received.

Unlike conventional ransomware attacks, in which hackers encrypt systems and demand payment to restore access, data extortion attacks center on the theft of sensitive files and the threat of their public disclosure. Weil’s network systems were not encrypted or otherwise disrupted in the incident.

The attack is part of a broader pattern of intrusions targeting the legal industry. The Federal Bureau of Investigation issued a private industry notification in May 2025 warning that Silent Ransom Group had been targeting U.S.-based law firms consistently since 2023, citing the highly sensitive nature of legal industry data as the primary motivation. A new industry warning issued this week noted that the group has refined its methods, with attackers increasingly impersonating internal information technology staff and, in some cases, physically attending offices to gain access to devices and steal data.

The Weil incident follows a separate attack on fellow U.S. firm Jones Day, which confirmed in April that hackers had accessed firm data. A $13 million demand connected to that attack went unpaid, and the attackers reportedly stole confidential files relating to 10 clients.