The starting point
The call came in the early hours: the case-file servers and the document management system were encrypted, a ransom note in every folder. The entry point, as forensics would later confirm, was a VPN with no multi-factor authentication, accessed with credentials stolen from one of the firm's external suppliers. Nothing exotic — the door was open and someone had the key.
The partners' anguish was not merely operational. A firm can redo work; what it cannot do is breach legal professional privilege. If the attackers had taken client information — companies in litigation, live transactions, courtroom strategy — the damage went beyond IT and struck at the ethical core of the profession. They needed to know, with evidence rather than assumptions, what had left the building and what had not.
How we approached it
- Containment within hours — isolating the affected network segments, revoking all remote access and potentially compromised credentials, and forensically preserving the evidence (disk images, memory, logs) before touching anything. Without intact evidence, everything that followed would have been guesswork.
- Forensic analysis — reconstructing the full attack chain: entry through the VPN without MFA, lateral movement, and a 9-day intrusion window before encryption. The dedicated exfiltration analysis — outbound traffic, artefacts from the attackers' tooling, file-access records — confirmed the partial theft of data from 3 specific case files and ruled out mass exfiltration.
- The decision not to pay, and restoration — with intact offline backups available, paying the ransom was ruled out. Restoration was partial in one practice area: 11 days of one team's work fell outside the last valid backup and had to be redone by hand. Painful, but bounded — and no money went to the attackers.
- Legal obligations and communication — notification to the AEPD, the Spanish data protection authority, within 72 hours; individual communication with the 3 affected clients, supported by the forensic report; and assistance with the firm's cyber insurer. Transparency backed by verified facts, not concealment, is what preserved trust.
- Hardened rebuild — MFA enforced on every access, the VPN replaced with ZTNA-based access, managed EDR across all endpoints, immutable backups verified on a schedule, and 24/7 monitoring after the incident. The firm did not return to its previous state: it returned to a better one.
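The forensic step above turned on one question: which case files did the stolen account actually read, and did anything then leave the network? The script below is an added example of that scoping logic, not Hard2bit's tooling or anything from the engagement. It correlates constructed file-server audit records with constructed outbound flow summaries inside the intrusion window: a case file counts as exfiltrated only when the compromised account read it and the same host then sent data to an unknown destination shortly afterwards. The account name, hosts, destinations, paths, byte counts and corpus size are all invented for illustration.

```python
"""Bounding what left the building: correlate file-access audit records with
outbound traffic inside the intrusion window.

Added example, not Hard2bit's tooling. Account name, hosts, destinations,
case-file paths and byte counts are constructed for illustration; real
records would come from the file server's audit log and the firewall or
NetFlow export.
"""
from datetime import datetime, timedelta

# Constructed file-server audit records: timestamp, account, source host,
# path, action. The supplier's stolen account is "svc-supplier".
FILE_ACCESS_LOG = """\
2024-03-02T01:14:05 svc-supplier WKS-07 /cases/C-1042/contract.docx READ
2024-03-02T01:15:40 svc-supplier WKS-07 /cases/C-1042/memo.pdf READ
2024-03-02T01:20:12 svc-supplier WKS-07 /cases/C-2210/strategy.docx READ
2024-03-03T09:02:00 alice WKS-03 /cases/C-3301/brief.docx READ
2024-03-04T23:41:10 svc-supplier WKS-07 /cases/C-3775/evidence.zip READ
2024-03-05T02:10:00 svc-supplier WKS-07 /cases/C-0917/notes.txt READ
2024-03-09T03:00:00 svc-supplier FS-01 /cases/C-1042/contract.docx WRITE
"""

# Constructed outbound flow summaries: timestamp, source host, destination,
# bytes sent.
OUTBOUND_LOG = """\
2024-03-02T01:31:00 WKS-07 203.0.113.50:443 48000000
2024-03-03T09:10:00 WKS-03 updates.example-vendor.net:443 2100000
2024-03-04T23:55:00 WKS-07 203.0.113.50:443 310000000
2024-03-05T02:12:00 WKS-07 mail.example-law.net:443 12000
"""

COMPROMISED_ACCOUNT = "svc-supplier"
# Nine-day intrusion window established by the timeline reconstruction.
INTRUSION_WINDOW = (datetime(2024, 3, 1), datetime(2024, 3, 10))
# Destinations that are known business traffic; everything else is suspect.
KNOWN_DESTINATIONS = {"updates.example-vendor.net", "mail.example-law.net"}
# Total size of the case-file corpus (constructed), used to bound the theft.
CORPUS_BYTES = 2_500_000_000_000


def parse_access(text):
    rows = []
    for line in text.splitlines():
        ts, user, host, path, action = line.split()
        rows.append({"ts": datetime.fromisoformat(ts), "user": user,
                     "host": host, "path": path, "action": action})
    return rows


def parse_outbound(text):
    rows = []
    for line in text.splitlines():
        ts, host, dest, nbytes = line.split()
        rows.append({"ts": datetime.fromisoformat(ts), "host": host,
                     "dest": dest.rsplit(":", 1)[0], "bytes": int(nbytes)})
    return rows


def case_id(path):
    # /cases/<case id>/<file> -> <case id>
    return path.split("/")[2]


def scope_exfiltration(access, outbound, account, window, known_destinations,
                       link=timedelta(hours=1)):
    """Classify case files touched by the compromised account.

    A case file counts as exfiltrated when the account read it inside the
    window and the same host then sent data to an unknown destination within
    `link` of that read; files read with no such flow are 'read_only'.
    """
    start, end = window
    reads = [r for r in access
             if r["user"] == account and r["action"] == "READ"
             and start <= r["ts"] <= end]
    suspect = [f for f in outbound
               if start <= f["ts"] <= end
               and f["dest"] not in known_destinations]
    exfiltrated, read_only = set(), set()
    for r in reads:
        linked = any(f["host"] == r["host"] and r["ts"] <= f["ts"] <= r["ts"] + link
                     for f in suspect)
        (exfiltrated if linked else read_only).add(case_id(r["path"]))
    read_only -= exfiltrated
    return {"exfiltrated": exfiltrated, "read_only": read_only,
            "suspect_bytes": sum(f["bytes"] for f in suspect)}


def mass_exfiltration_ruled_out(result, corpus_bytes, max_fraction=0.01):
    """Outbound volume to unknown destinations bounds how much could have left;
    below `max_fraction` of the corpus, mass exfiltration is not supported."""
    return result["suspect_bytes"] < max_fraction * corpus_bytes


if __name__ == "__main__":
    result = scope_exfiltration(parse_access(FILE_ACCESS_LOG),
                                parse_outbound(OUTBOUND_LOG),
                                COMPROMISED_ACCOUNT, INTRUSION_WINDOW,
                                KNOWN_DESTINATIONS)
    print("exfiltrated:", sorted(result["exfiltrated"]))
    print("read but not transferred:", sorted(result["read_only"]))
    print("bytes to unknown destinations:", result["suspect_bytes"])
    print("mass exfiltration ruled out:",
          mass_exfiltration_ruled_out(result, CORPUS_BYTES))
```

On the constructed records this yields three exfiltrated case files, one file read but never transferred, and a volume bound that rules out a bulk copy of the corpus. The volume bound is only as good as the flow logs and the allow list: traffic tunnelled through a permitted destination would not be counted, which is why an investigation reviews the allow list rather than taking it on trust, and why the result is reported as evidence-backed rather than absolute.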
Results
- 72 hours to operating in degraded mode; 3 weeks to full recovery
- €0 paid in ransom: restoration came from offline backups
- 3 of ~4,000 case files affected by exfiltration, confirmed by forensics
Not a single client terminated its relationship with the firm. The 3 affected clients each received an individual explanation, grounded in the forensic analysis, of exactly what had been compromised and what had been done about it. That conversation — difficult but honest — is what saved the relationships, and the AEPD closed the file without sanction, the timely notification and diligent response having been duly evidenced.
What made it work
- Without forensic analysis, the only option would have been to assume the worst and notify all ~4,000 clients. Narrowing exfiltration to 3 case files changed the incident entirely.
- MFA would have stopped the initial access. Credentials stolen from a third party should never be enough to walk into a law firm's network.
- The offline backup was the difference between a serious incident and the end of the firm: without it, the negotiating table would have belonged to the attacker.
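A backup is only the difference-maker if it verifies before it is needed, and the 11-day gap in the restoration above is exactly the number a scheduled check should surface in advance. The following is an added example, not Hard2bit's tooling or the firm's backup system: each backup set carries a manifest of file hashes recorded at backup time (what an immutable store keeps unchangeable), a verification pass rejects any set whose contents no longer match, and the check reports the gap between the newest verified set and the moment of encryption against a recovery point objective. The backup sets, file contents and dates are constructed; the dates are chosen so the gap matches the 11 days the case study describes, and the reason for that gap here (a most recent set that fails verification) is a constructed scenario, not what the case study states happened.

```python
"""Verifying backups before relying on them: integrity check of each backup
against its manifest, then the gap between the newest valid backup and the
moment of encryption.

Added example, not Hard2bit's tooling. The backup sets, file contents and
dates are constructed; the dates are chosen so the gap matches the 11 days
of work the case study describes as falling outside the last valid backup.
"""
import hashlib
from datetime import datetime, timedelta


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_backup(name, taken, files):
    """A backup set is the files plus a manifest of their hashes recorded at
    backup time. The manifest is what an immutable store would keep
    unchangeable, so later tampering shows up as a mismatch."""
    return {"name": name, "taken": taken, "files": dict(files),
            "manifest": {path: sha256(data) for path, data in files.items()}}


def verify_backup(backup):
    """True only if every manifest entry is present and hashes to the
    recorded value and no file is missing or unaccounted for."""
    files, manifest = backup["files"], backup["manifest"]
    if set(files) != set(manifest):
        return False
    return all(sha256(files[path]) == digest for path, digest in manifest.items())


def newest_valid_backup(backups):
    valid = [b for b in backups if verify_backup(b)]
    return max(valid, key=lambda b: b["taken"]) if valid else None


def data_loss_window(backups, as_of):
    """How much work would be lost if restoring at `as_of`, or None if no
    backup verifies."""
    newest = newest_valid_backup(backups)
    return None if newest is None else as_of - newest["taken"]


def within_rpo(backups, as_of, rpo):
    """Scheduled check: does the newest verified backup meet the recovery
    point objective?"""
    gap = data_loss_window(backups, as_of)
    return gap is not None and gap <= rpo


# Constructed backup sets for one practice area's share.
TEAM_FILES = {"/cases/C-1042/contract.docx": b"draft v3",
              "/cases/C-2210/strategy.docx": b"hearing plan"}

BACKUPS = [
    make_backup("weekly-2024-02-20", datetime(2024, 2, 20), TEAM_FILES),
    make_backup("weekly-2024-02-27", datetime(2024, 2, 27), TEAM_FILES),
    make_backup("weekly-2024-03-05", datetime(2024, 3, 5), TEAM_FILES),
]
# Constructed scenario: the 5 March set was taken from a share the intruders
# were already on, and one file was swapped for an encrypted blob after the
# manifest was recorded, so the set must not be trusted for restoration.
BACKUPS[2]["files"]["/cases/C-2210/strategy.docx"] = b"\x00encrypted-blob"

ENCRYPTION_TIME = datetime(2024, 3, 9)   # when the ransomware ran (constructed)
RPO = timedelta(days=7)                  # the firm's stated tolerance (constructed)


if __name__ == "__main__":
    for b in BACKUPS:
        print(b["name"], "valid" if verify_backup(b) else "FAILED verification")
    newest = newest_valid_backup(BACKUPS)
    gap = data_loss_window(BACKUPS, ENCRYPTION_TIME)
    print("newest valid backup:", newest["name"], "gap:", gap.days, "days")
    print("within RPO:", within_rpo(BACKUPS, ENCRYPTION_TIME, RPO))
```

Run on a schedule, `within_rpo` is the alarm that fires before an incident rather than after it: a set that fails verification silently shifts the restore point back a week, and the check reports the resulting 11-day gap as a breach of the 7-day objective while there is still time to take a clean backup.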
Frequently asked questions
What should you do in the first hours after a ransomware attack?
Isolate the affected network segments, revoke remote access and any potentially compromised credentials, and preserve the evidence — disk images, memory, logs — before touching anything. Avoid switching machines off indiscriminately or negotiating with the attackers on your own: both destroy evidence and options. The sooner a specialist team is involved, the more tightly the incident can be contained.
Should you pay the ransom?
Our position is no. Paying does not guarantee data recovery or prevent publication, it funds the attacking group, and it marks the organisation as a payer for future attacks. With intact offline backups, restoration is almost always the better route: in this case the firm recovered its operations without paying anything at all.
How long does it take to recover from a ransomware attack?
It depends on the scope of the encryption and the state of the backups. In this case the firm was operating in degraded mode within 72 hours and returned to full normality in three weeks, including a hardened rebuild of its infrastructure. Without valid offline backups, both the timeline and the outcome would have looked very different.
What are the legal obligations after a ransomware attack?
Where personal data is compromised, the GDPR requires notifying the data protection authority — in Spain, the AEPD — within 72 hours of becoming aware of the breach, and informing the affected individuals where the risk to them is high. A forensic analysis that pins down exactly what was exfiltrated lets you comply with precision: here it meant informing just the 3 affected clients, and the regulator closed the file without sanction.
Dealing with an incident — or determined not to?
Every hour matters. Hard2bit responds with containment, forensics and support through the legal obligations — and if nothing has happened yet, we help make sure a stolen password is never enough to bring your firm to a halt.