Law firm recovers from ransomware attack in under 24 hours
Systems recovered within 24 hours with zero data loss and zero ransom paid.
On a Friday evening, a 35-person law firm discovered that a ransomware attack had encrypted files across their server, workstations, and network drives. The attackers were demanding a cryptocurrency ransom and threatening to publish stolen client data.
The firm's previous IT provider was unresponsive. Active case files, client communications, legal documents, and financial records were all at risk. With SRA compliance obligations and client confidentiality at stake, they needed help immediately.
The challenge
What we were dealing with when we arrived.
Active ransomware attack
Files across the server, workstations, and network drives were encrypted. The attackers were demanding payment in cryptocurrency and had set a deadline for data publication.
Previous provider unresponsive
The firm's existing IT provider could not be reached on a Friday evening. With every hour increasing the risk of data exfiltration, the firm needed immediate expert help.
Critical data at risk
Active case files, client communications, legal documents, and financial records were all encrypted. The firm handles sensitive client matters where confidentiality is paramount.
Regulatory obligations
As an SRA-regulated firm, they had obligations around data protection and client confidentiality. A data breach would require notification to both the regulator and affected clients.
“When we realised what had happened, I thought we were finished. Client data, case files, everything encrypted. Bigfoot had us back up and running before the weekend was over. They have now made sure it can never happen again.”
Senior Partner
Our response
How we contained, assessed, recovered, and verified in under 24 hours.
Hour 0 to 2: Containment
We arrived on site within 90 minutes, immediately isolated all affected systems from the network to prevent further spread, identified the ransomware strain, and assessed which systems were compromised and which remained clean.
Hour 2 to 6: Assessment
Traced the entry point to a phishing email clicked by an employee earlier that day. Assessed the full extent of the encryption and discovered that cloud-hosted backups had not been compromised by the attack.
Hour 6 to 18: Recovery
Rebuilt the file server from a clean backup taken four hours before the attack began. Restored workstations, rebuilt email access, and recovered the case management system. All data was verified against the backup for integrity.
Hour 18 to 24: Verification
Confirmed data integrity across all recovered systems. Verified that no client data had been exfiltrated. Brought the firm fully operational with all staff able to work normally by Saturday evening.
Preventing recurrence
The controls we put in place to make sure this never happens again.
Multi-factor authentication
Enabled for all email and remote access. Even if credentials are compromised through phishing, an attacker cannot access accounts without the second factor.
Endpoint detection and response
Deployed across all devices to detect and automatically contain threats before they can spread. Would have detected and blocked the ransomware before it encrypted any files.
Advanced email security
Implemented advanced email filtering that would have caught the initial phishing email before it reached the employee's inbox. Includes link scanning and attachment sandboxing.
Immutable backups
Configured backups that cannot be deleted or encrypted by an attacker, even if they gain admin access. Ensures recovery is always possible regardless of the attack type.
Security awareness training
Regular phishing simulation and security training for all staff. Building a human firewall so employees can recognise and report suspicious emails before clicking.
24/7 monitoring
Continuous security monitoring across all systems. Threats are detected and responded to around the clock, not just during business hours when IT staff are available.