Ransomware Recovery for a 4-Person Arlington Law Office
A four-attorney Arlington firm called on a Friday afternoon — every client file encrypted, ransom demand on every monitor. Restored from backup, hardened the environment, back to billable work Monday morning.
The situation
A four-person law office near Clarendon called at 4:12 PM on a Friday. An attorney had opened what looked like a shared brief from a co-counsel — actually a phishing payload that dropped Conti-style ransomware. Within 90 minutes it had encrypted the file server, the shared OneDrive cache on three workstations, and the local QuickBooks data. Ransom note: 0.8 BTC.
What I did
Disconnected the file server and infected endpoints. Confirmed the ransomware was not actively spreading on the network. Notified the firm's cyber insurance carrier per the policy requirements.
The firm had a NAS doing daily snapshots and an offsite cloud backup. Confirmed the cloud backups were untouched (the ransomware reached the SMB-mounted NAS but not the cloud target). Pulled a 24-hour-old snapshot to a clean workstation for verification.
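Before restoring a snapshot it is worth checking mechanically that the copy predates the encryption, not just eyeballing a few folders. The script below is an added illustration, not part of the write-up above and not the tool used on this engagement: it walks a restored snapshot, flags files whose contents look like ciphertext (byte entropy near 8 bits/byte, excluding formats that are legitimately compressed) and files whose names match common ransom-note patterns. The note patterns, the entropy threshold and the sample tree it builds are constructed assumptions, not indicators of any specific ransomware family.

```python
import math
import os
import tempfile
from pathlib import Path

# Constructed assumptions (not from the case study): generic name fragments
# seen in ransom-note filenames, and a threshold under which normal documents
# fall. Tune both for the environment being checked.
RANSOM_NOTE_FRAGMENTS = ("readme", "decrypt", "restore", "recover", "how_to")
ENTROPY_THRESHOLD = 7.5      # bits per byte; encrypted data sits near 8.0
SAMPLE_BYTES = 64 * 1024     # only the first 64 KiB is sampled per file
MIN_SIZE = 512               # entropy is meaningless on tiny files
# Already-compressed formats are high-entropy by nature; skip them to avoid noise.
COMPRESSED_EXT = {".zip", ".gz", ".7z", ".png", ".jpg", ".jpeg", ".pdf",
                  ".docx", ".xlsx", ".pptx", ".mp4", ".mp3"}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def looks_like_ransom_note(path: Path) -> bool:
    """Name-based heuristic: note-style extension plus a telltale word."""
    name = path.name.lower()
    return path.suffix.lower() in {".txt", ".html", ".hta"} and any(
        frag in name for frag in RANSOM_NOTE_FRAGMENTS)


def scan_snapshot(root: str) -> dict:
    """Walk `root` and report files that look encrypted or like ransom notes."""
    report = {"files": 0, "high_entropy": [], "ransom_notes": []}
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        report["files"] += 1
        if looks_like_ransom_note(path):
            report["ransom_notes"].append(str(path))
            continue
        if path.suffix.lower() in COMPRESSED_EXT or path.stat().st_size < MIN_SIZE:
            continue
        with path.open("rb") as fh:
            sample = fh.read(SAMPLE_BYTES)
        if shannon_entropy(sample) >= ENTROPY_THRESHOLD:
            report["high_entropy"].append(str(path))
    return report


def snapshot_is_clean(report: dict) -> bool:
    """A snapshot is usable only if nothing in it looks encrypted or note-like."""
    return not report["high_entropy"] and not report["ransom_notes"]


def build_sample_snapshot(infected: bool) -> str:
    """Constructed test data: a tiny fake snapshot in a temp directory."""
    root = tempfile.mkdtemp(prefix="snapshot_")
    Path(root, "clients", "memo.txt").parent.mkdir(parents=True)
    Path(root, "clients", "memo.txt").write_text("Client memo text. " * 200)
    if infected:
        # Random bytes stand in for a file the ransomware rewrote in place.
        Path(root, "clients", "brief.docx.locked").write_bytes(os.urandom(SAMPLE_BYTES))
        Path(root, "README_TO_RESTORE.txt").write_text("constructed note")
    return root


if __name__ == "__main__":
    for flag in (False, True):
        r = scan_snapshot(build_sample_snapshot(infected=flag))
        print("infected" if flag else "clean", "->", "clean" if snapshot_is_clean(r) else "SUSPECT", r)
```

Run it against the mounted restore point, not the live share: a clean result on a 24-hour-old snapshot is what justifies restoring from it, and a suspect result means reaching for an older copy.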
Wiped and reinstalled Windows on all 4 affected machines. Restored user profiles from the cloud backup with a clean OneDrive sync. Restored the file server from the verified snapshot. QuickBooks restored from its own scheduled backup.
Enforced MFA across Microsoft 365 with conditional access blocking legacy auth. Replaced the NAS-as-backup with an immutable cloud-only backup target. Deployed managed EDR to all endpoints. Wrote a 1-page incident playbook.
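The two conditional access changes above (require MFA, block legacy authentication) map directly onto Microsoft Graph policy objects. The script below is an added example, not the configuration applied to this firm, showing how to build both policies and submit them to the Graph conditional access endpoint. It assumes a bearer token with the Policy.ReadWrite.ConditionalAccess permission obtained separately, and the break-glass account IDs are placeholders; the policy field names and values (clientAppTypes, builtInControls, state) are the documented Graph ones.

```python
import json
import urllib.request

GRAPH_CA_POLICIES = "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies"

# Start in report-only mode, review sign-in logs, then flip to "enabled".
REPORT_ONLY = "enabledForReportingButNotEnforced"


def block_legacy_auth_policy(break_glass_user_ids, state=REPORT_ONLY) -> dict:
    """Block Exchange ActiveSync and 'other' (basic/legacy) client protocols."""
    return {
        "displayName": "Block legacy authentication",
        "state": state,
        "conditions": {
            "clientAppTypes": ["exchangeActiveSync", "other"],
            "applications": {"includeApplications": ["All"]},
            "users": {"includeUsers": ["All"],
                      "excludeUsers": list(break_glass_user_ids)},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


def require_mfa_policy(break_glass_user_ids, state=REPORT_ONLY) -> dict:
    """Require MFA for every user on every cloud app, except break-glass accounts."""
    return {
        "displayName": "Require MFA for all users",
        "state": state,
        "conditions": {
            "clientAppTypes": ["all"],
            "applications": {"includeApplications": ["All"]},
            "users": {"includeUsers": ["All"],
                      "excludeUsers": list(break_glass_user_ids)},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    }


def validate_policy(policy: dict) -> dict:
    """Refuse to ship a policy that could lock every admin out of the tenant."""
    users = policy["conditions"]["users"]
    if users.get("includeUsers") == ["All"] and not users.get("excludeUsers"):
        raise ValueError(f"{policy['displayName']!r} targets all users with no break-glass exclusion")
    if policy["state"] not in {"enabled", "disabled", REPORT_ONLY}:
        raise ValueError(f"unknown state {policy['state']!r}")
    return policy


def create_policy(policy: dict, access_token: str) -> dict:
    """POST the policy to Graph and return the created object (network call)."""
    body = json.dumps(validate_policy(policy)).encode()
    req = urllib.request.Request(
        GRAPH_CA_POLICIES, data=body, method="POST",
        headers={"Authorization": f"Bearer {access_token}",
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Placeholder IDs, not real accounts: replace with the tenant's emergency-access users.
    break_glass = ["00000000-0000-0000-0000-000000000001"]
    for p in (block_legacy_auth_policy(break_glass), require_mfa_policy(break_glass)):
        print(json.dumps(validate_policy(p), indent=2))
    # create_policy(p, access_token="<token from your auth flow>")
```

Report-only first is deliberate: a small firm with one shared scanner or an old mail client on a partner's phone finds out from the sign-in log, not from a Monday-morning lockout, and the policies are switched to "enabled" once the log is quiet.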
All four attorneys returned to ransomware-free workstations Monday at 9 AM. Verified each could open recent client files. Walked the partners through the new MFA process and what to expect from the EDR alerts.
The result
Zero data lost beyond ~3 hours of work on one workstation. No ransom paid. Total incident time-to-recovery: 64 hours. Insurance covered the remediation and the carrier accepted the post-incident report on the first submission. The firm is now on a managed plan ($349/mo) and has had zero security events in the 8 months since.
At a glance
Names, identifying details, and timelines have been anonymized at the client's request. Anyone in a similar situation is welcome to call for a free 15-minute consult — I'll tell you honestly whether I can help.