
How a Regional Law Firm Recovered 4,200 Files in 36 Hours Without Paying Ransom

Saturday, 9:47 AM. A senior partner's assistant reached us through WhatsApp. 'I don't know how to say this, but we got ransomware. The desktop is locked. The server is locked. Everything is locked.' This is usually how it starts. Not on a weekday morning when everyone's alert. On a weekend. On a holiday. When the person who knows where the backups are is unreachable.

What We Found

The firm had 4,200 files encrypted — active litigation materials, client correspondence, precedent databases, contracts going back years.

The ransom note demanded 0.8 Bitcoin. Roughly USD 52,000 at the time.

Three things made this more urgent than most cases:

Court deadline in 5 days. One of the encrypted folders contained evidence materials for a commercial dispute hearing. Missing that deadline meant potential default judgment.

Confidentiality obligations. Attorney-client privilege doesn't stop being relevant just because the files are encrypted. A data breach on top of ransomware adds a regulatory problem to an operational crisis.

No one knew the backup status. Their IT vendor was unreachable for the weekend.

How the Attack Happened

The initial access came through a phishing email — a spoofed message appearing to be from a regional court, referencing a real case number the firm had on file. The attachment was labeled "Supplementary_Evidence.rar."

One partner clicked it on a Friday afternoon.

The .rar contained a small downloader, roughly 37 KB, which connected to an attacker-controlled server, downloaded the Locky payload, and executed it. Within minutes, every document on the partner's workstation was encrypted. The ransomware then spread to the firm's file server through mapped network drives.

By Saturday morning, the encryption was complete.

The Recovery

Saturday 10:30 AM: We started remote assessment. Identified the strain as Locky, which encrypts files with AES and protects the file keys with RSA; without the attacker's private RSA key, direct decryption is not viable. The free decryptors on NoMoreRansom did not cover this build. We mapped the attack vector and the compromised systems.

Saturday 12:30 PM: A critical breakthrough. During forensic examination of the server's volumes, our team found that the attacker's automated script had attempted to delete all Windows Volume Shadow Copies, but the deletion commands had not completed: a pre-existing permission conflict on the server had blocked the shadow copy cleanup. This was not a weakness in the encryption. It was a failure in the attacker's execution, and it was our opening.
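The shadow copy deletion that failed here is also the step a defender can alert on before encryption finishes. The following is an added example, not the recovery team's tooling: it scans process-creation records (an assumed tab-separated export; the sample lines, host and account names are constructed) and flags command lines that delete shadow copies, wipe the backup catalog, or disable Windows recovery.

```python
"""Flag process-creation events whose command line tries to wipe Volume Shadow
Copies, the step that failed on this firm's server.  Added example, not the
recovery team's tooling; the record format (tab-separated, assumed) and the
sample lines are constructed."""
import re

# (label, regex applied to the lower-cased command line)
SHADOW_WIPE_PATTERNS = [
    ("vssadmin_delete", re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b")),
    ("wmic_delete",     re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b")),
    ("wbadmin_catalog", re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\b.*\bcatalog\b")),
    ("bcdedit_norecov", re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\b.*\bno\b")),
]

def classify(command_line):
    """Return the labels of every pattern that matches this command line."""
    cl = command_line.lower()
    return [label for label, rx in SHADOW_WIPE_PATTERNS if rx.search(cl)]

def scan_events(lines):
    """Parse 'time<TAB>host<TAB>user<TAB>image<TAB>commandline' records and
    return one alert dict per matching event.  Malformed lines are skipped."""
    alerts = []
    for line in lines:
        parts = line.rstrip("\n").split("\t")
        if len(parts) != 5:
            continue
        when, host, user, image, cmd = parts
        hits = classify(cmd)
        if hits:
            alerts.append({"time": when, "host": host, "user": user,
                           "image": image, "labels": hits, "cmd": cmd})
    return alerts

# Constructed sample: 'list' is routine admin work, the two deletes are not.
SAMPLE_LOG = [
    "2024-03-01T18:02:11\tFILESRV01\tLAW\\jdoe\tC:\\Windows\\System32\\vssadmin.exe"
    "\tvssadmin list shadows",
    "2024-03-01T18:03:40\tFILESRV01\tLAW\\jdoe\tC:\\Windows\\System32\\cmd.exe"
    "\tcmd.exe /c vssadmin.exe Delete Shadows /All /Quiet",
    "2024-03-01T18:03:41\tFILESRV01\tLAW\\jdoe\tC:\\Windows\\System32\\wbem\\WMIC.exe"
    "\twmic shadowcopy delete",
    "2024-03-01T18:05:00\tFILESRV01\tLAW\\backup\tC:\\Windows\\System32\\robocopy.exe"
    "\trobocopy D:\\Cases E:\\Backup /MIR",
]

if __name__ == "__main__":
    for alert in scan_events(SAMPLE_LOG):
        print(alert["time"], alert["host"], alert["user"], alert["labels"])
```

On a real estate the same patterns belong in the SIEM as a high-severity rule on the workstation as well as the file server, since in this case the script ran after the workstation was already encrypting.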

Saturday afternoon: We immediately froze all disk write operations and deployed specialized data carving tools, bypassing the damaged file system to extract data directly from the surviving shadow copy snapshots and memory fragments. We prioritized the evidence materials directory for the upcoming hearing.

Sunday morning: Initial results — 91% of files recovered through forensic extraction. The evidence folder for the court deadline was among the first recovered.

Sunday midnight: 98% of files restored and verified. The partner spent Monday reviewing the recovered materials.

The court deadline was met.

The Numbers

Files encrypted    4,200
Files recovered    98%
Recovery time      36 hours
Court deadline     Met
Recovery cost      Fraction of the ransom demand

What This Firm Did Right (and What They Got Lucky On)

What they did right:

  • They called us quickly instead of trying to handle it internally over the weekend
  • They didn't restart the computer when they first saw the message
  • They had a real server — not just local desktop storage

What they got lucky on:

  • The attack happened Friday evening, not mid-week — giving us the full weekend
  • The attacker's shadow copy deletion script failed due to a server permission conflict — without this, recovery would have been significantly harder
  • Their physical backup drive (a USB someone forgot to plug in) survived untouched because it wasn't connected

The truth about their backup: That USB backup they "forgot" to connect? It was 3 months old. If we hadn't been able to extract the critical court files through forensic data carving, relying on that backup alone would still have meant missing the court deadline. The critical files from the past 3 months — including the evidence materials for the hearing — only existed on the encrypted server. Old backup + no forensic recovery = lost case.

The recovery path would have been completely different — and potentially much slower — if this had hit a practice running on local storage only.

Why They Didn't Pay the Ransom

This is important to understand: they didn't refuse to pay out of principle. They refused because we gave them the option not to.

Because we successfully reconstructed the critical evidence files needed for the 5-day court deadline, the firm regained their leverage. They no longer had a gun to their head. The files that mattered most — the ones with real deadlines and real consequences — were back in their hands. The remaining non-critical files could be rebuilt from their older backup.

That's the difference between "we recovered your data" and "we gave you back control of your business." When the pressure is off, you can make rational decisions. When the pressure is on, you pay — and hope.

What They Fixed After

Three changes, none expensive:

  1. Email attachment filtering — flagged .rar and .js files from external senders. The phishing email that got through had a .rar attachment, which most modern filters catch.

  2. Backup system replaced — their previous "backup" was a USB drive someone had to remember to plug in. They moved to an automated cloud backup with versioning.

  3. Weekend emergency contacts — we gave them a direct number. They didn't need to figure out who to call while in crisis mode.
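Fix 1 above is simple enough to express as a rule. The following is an added example, not the firm's actual filter: it parses an inbound message, treats any sender outside the firm's own domain as external (the domain lawfirm.example is assumed), and quarantines it when it carries a .rar or script attachment. The sample message is constructed after the lure described earlier; its "attachment" is a few harmless bytes.

```python
"""Inbound mail rule: quarantine .rar and script attachments from senders
outside the firm's own domain.  Added example, not the firm's filter; the firm
domain 'lawfirm.example' and the message below are constructed."""
from email import message_from_string
from email.utils import parseaddr

INTERNAL_DOMAINS = {"lawfirm.example"}           # assumed firm domain
BLOCKED_EXTENSIONS = (".rar", ".js", ".jse", ".vbs", ".wsf", ".scr")

def sender_is_external(msg):
    """True unless the From: address is on a firm domain.  The display name is
    ignored on purpose: the lure here put a court's name on an unrelated address."""
    _, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    return domain not in INTERNAL_DOMAINS

def blocked_extension(filename):
    """Return the offending suffix, so 'Evidence.pdf.rar' is caught as well."""
    lower = filename.lower()
    return next((ext for ext in BLOCKED_EXTENSIONS if lower.endswith(ext)), None)

def evaluate(raw_message):
    """Return ('quarantine', reasons) or ('deliver', [])."""
    msg = message_from_string(raw_message)
    if not sender_is_external(msg):
        return "deliver", []
    reasons = []
    for part in msg.walk():
        name = part.get_filename()          # None for non-attachment parts
        ext = blocked_extension(name) if name else None
        if ext:
            reasons.append(f"{name}: {ext} attachment from external sender")
    return ("quarantine", reasons) if reasons else ("deliver", [])

# Constructed message modelled on the lure; the body bytes are not an archive.
SAMPLE_MAIL = """\
From: "Regional Court Registry" <registry@court-notices.example>
To: partner@lawfirm.example
Subject: Supplementary evidence for your pending matter
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: application/octet-stream; name="Supplementary_Evidence.rar"
Content-Disposition: attachment; filename="Supplementary_Evidence.rar"

AAAA
--b1--
"""
```

Running evaluate(SAMPLE_MAIL) returns the quarantine decision with the reason naming the .rar file; the same message from an address on lawfirm.example is delivered.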

What Would Have Happened If They Waited

The most common mistake we see with law firms: waiting to see if "it resolves itself" before calling anyone.

Ransomware doesn't resolve itself. Every hour of delay is:

  • More encryption complete (if the initial infection is still active)
  • More systems potentially compromised (spreading through the network)
  • More data loss if the backups are connected and sync during the attack

The firm called within 3 hours of discovery. That's fast. Most firms we work with take 18-24 hours, usually because they're trying their IT vendor first.

For the full emergency checklist, see our "Ransomware Emergency: 5 Steps to Take Right Now."

Dealing with encrypted files right now?

Tell us your situation for a free, no-commitment assessment. Every ransomware incident is unique. Our approach combines forensic data carving, shadow copy reconstruction, and deep variant analysis to exhaust every technical avenue for recovery. We help you understand your real options, minimize data loss, and regain control of your business.

In most emergency cases, we respond within 3 hours.