RANSOMWARE RECOVERY / CASE STUDY

Their Network Went Down Friday. It Was Back Monday.

When ransomware locked an Arkansas law firm out of its entire network, they did not pay the ransom, and they did not lose a single file. Here is exactly how that weekend went, and what made the difference.

0 files lost
1 business day of downtime
$0 ransom paid
Schedule Your Free Security Review

The Risk Was Already on the Table

Every quarter, we sit down with the businesses we support and walk through what we see. For this client, an Arkansas law firm, two items came up more than once: turn on multi-factor authentication for remote VPN access, and retire an aging Windows Server 2012 R2 box that was past its supported life.

Nothing had gone wrong yet, and the firm had a business to run. Putting off a server replacement and a login change is a reasonable call when nothing is on fire. It is the call most businesses make.

The problem with waiting is that attackers do not wait with you.

How the Weekend Actually Went

Friday, morning.

Attackers get in through the VPN, the exact access point that had no multi-factor authentication protecting it. From there they reach the old 2012 server and use it to move across the network.

Friday, midday.

The network is locked. Files are encrypted. The firm is down.

Friday, midday.

Our monitoring catches it. We are onsite fast, and we confirm what we are dealing with: active ransomware, with a demand between $30,000 and $50,000 to unlock the files.

Friday night through Sunday.

We work the environment through the weekend. Clean systems, verified backups, and a recovery plan already in place mean we never have to consider the ransom.

Monday, morning.

The firm opens for business. Every file is accounted for.

What That Weekend Did Not Cost

0 files lost

Full recovery from verified backups. Nothing paid to get data back.

$0 ransom

On a demand of $30,000 to $50,000. The firm never sent a dollar.

1 business day

Down Friday, open Monday, against a 24-day industry average.

Beyond the ransom itself, the firm avoided the part most businesses never see coming: the average ransomware recovery costs $1.53 million once you count downtime, lost work, and cleanup, separate from any ransom paid. None of that landed here.

You do not have to wait for a Friday like this one to find out where you stand.

Schedule Your Free Security Review

This Weekend Was the Exception, Not the Rule

Most ransomware stories do not end on Monday morning. Here is what the data says happens to everyone else.

This case Industry average
Downtime 1 business day 24 days (Coveware)
Ransom paid $0 Demand of $30K to $50K
Data lost None Full or partial loss is common
Recovery cost Avoided $1.53M average (Sophos, 2025)
63% of ransomware victims had no MFA in place (Sophos Active Adversary Report, 2025)
20% of network compromises start through VPN access (Sophos MDR data)
32% of attacks exploit unpatched or outdated software (Sophos State of Ransomware, 2025)
58% rise in global ransomware attacks in 2025 (HIPAA Journal)

Three Things Made the Difference

Tested backups.

Backups only help if they actually restore. Ours are verified on a schedule, so when we needed them, they worked. That alone took the ransom off the table.

Active monitoring.

We caught the attack in progress, not days later from a panicked phone call. Fast detection is what turned a catastrophe into a weekend.

A recovery plan.

We were not improvising. The steps to isolate, clean, and restore were already written down and ready to run.

The Gap Was Not Technical

The two fixes that would have stopped this attack outright, MFA on the VPN and retiring the old server, were already on the table. They were recommended, in writing, before anything happened. The gap was not knowing what to do. It was the time between knowing and doing.

That gap is normal, and it is where almost every attack lives. The most common reasons good businesses put off the fix that would have saved them:

  • It has not caused a problem yet.
  • The budget conversation can wait until next quarter.
  • The old system still technically works.
  • There is always something more urgent this week.

After the attack, MFA was applied to VPN access and the old server was retired for good. The fixes took days. The attack took a weekend and could have taken the firm.

Do Not Wait for the 4 AM Call

In 30 minutes, you will know exactly where your business is exposed and what to prioritize first.

  1. Before we talk, one of our engineers reviews your environment.
  2. On the call, we walk you through your real exposure and a prioritized plan to close it.
  3. No sales pressure. If you are in good shape, we will tell you that too.

FAQ

Do you only work with law firms?

No. We support businesses across Arkansas in healthcare, professional services, nonprofits, manufacturing, and beyond. This case happened to be a law firm, but the exposure it started from, remote access without MFA and an unsupported server, is common in every industry.

What happens if we are being attacked right now?

Call us at (501) 588-3199. If you are an existing client, our monitoring may already have flagged it. If you are not, we will still help you understand what you are facing and what your next move should be.

Is a security review just a sales pitch for new systems?

No. The point is to tell you the truth about where you stand. If your setup is solid, we will say so. If there are gaps, you will get them ranked by priority, not a quote for everything at once. Prevention comes first.

How long does a security review take?

The call itself is about 30 minutes. Before it, one of our engineers reviews your environment so the time is spent on your actual exposure, not on gathering basics.

Ready for a Straight Answer?

Schedule Your Free Security Review

Pick a time. Tell us a little about your setup. One of our engineers reviews your environment before we talk, so the call is about your real exposure and what to fix first.

Scale Technology

13503 Kanis Rd Suite B
Little Rock, AR 72211

(501) 588-3199

Schedule Your Free Security Review