Their Network Went Down Friday. It Was Back Monday.
When ransomware locked an Arkansas law firm out of its entire network, they did not pay the ransom, and they did not lose a single file. Here is exactly how that weekend went, and what made the difference.
The Risk Was Already on the Table
Every quarter, we sit down with the businesses we support and walk through what we see. For this client, an Arkansas law firm, two items came up more than once: turn on multi-factor authentication for remote VPN access, and retire an aging Windows Server 2012 R2 box that was past its supported life.
Nothing had gone wrong yet, and the firm had a business to run. Putting off a server replacement and a login change is a reasonable call when nothing is on fire. It is the call most businesses make.
The problem with waiting is that attackers do not wait with you.
How the Weekend Actually Went
Friday, morning.
Attackers get in through the VPN, the exact access point that had no multi-factor authentication protecting it. From there they reach the old 2012 server and use it to move across the network.
Friday, midday.
The network is locked. Files are encrypted. The firm is down.
Friday, midday.
Our monitoring catches it. We are onsite fast, and we confirm what we are dealing with: active ransomware, with a demand between $30,000 and $50,000 to unlock the files.
Friday night through Sunday.
We work the environment through the weekend. Clean systems, verified backups, and a recovery plan already in place mean we never have to consider the ransom.
Monday, morning.
The firm opens for business. Every file is accounted for.
What That Weekend Did Not Cost
Full recovery from verified backups. Nothing paid to get data back.
On a demand of $30,000 to $50,000. The firm never sent a dollar.
Down Friday, open Monday, against a 24-day industry average.
Beyond the ransom itself, the firm avoided the part most businesses never see coming: the average ransomware recovery costs $1.53 million once you count downtime, lost work, and cleanup, separate from any ransom paid. None of that landed here.
You do not have to wait for a Friday like this one to find out where you stand.
Schedule Your Free Security ReviewThis Weekend Was the Exception, Not the Rule
Most ransomware stories do not end on Monday morning. Here is what the data says happens to everyone else.
| This case | Industry average | |
|---|---|---|
| Downtime | 1 business day | 24 days (Coveware) |
| Ransom paid | $0 | Demand of $30K to $50K |
| Data lost | None | Full or partial loss is common |
| Recovery cost | Avoided | $1.53M average (Sophos, 2025) |
Three Things Made the Difference
Tested backups.
Backups only help if they actually restore. Ours are verified on a schedule, so when we needed them, they worked. That alone took the ransom off the table.
Active monitoring.
We caught the attack in progress, not days later from a panicked phone call. Fast detection is what turned a catastrophe into a weekend.
A recovery plan.
We were not improvising. The steps to isolate, clean, and restore were already written down and ready to run.
The Gap Was Not Technical
The two fixes that would have stopped this attack outright, MFA on the VPN and retiring the old server, were already on the table. They were recommended, in writing, before anything happened. The gap was not knowing what to do. It was the time between knowing and doing.
That gap is normal, and it is where almost every attack lives. The most common reasons good businesses put off the fix that would have saved them:
- It has not caused a problem yet.
- The budget conversation can wait until next quarter.
- The old system still technically works.
- There is always something more urgent this week.
After the attack, MFA was applied to VPN access and the old server was retired for good. The fixes took days. The attack took a weekend and could have taken the firm.
Do Not Wait for the 4 AM Call
In 30 minutes, you will know exactly where your business is exposed and what to prioritize first.
FAQ
Do you only work with law firms?
No. We support businesses across Arkansas in healthcare, professional services, nonprofits, manufacturing, and beyond. This case happened to be a law firm, but the exposure it started from, remote access without MFA and an unsupported server, is common in every industry.
What happens if we are being attacked right now?
Call us at (501) 588-3199. If you are an existing client, our monitoring may already have flagged it. If you are not, we will still help you understand what you are facing and what your next move should be.
Is a security review just a sales pitch for new systems?
No. The point is to tell you the truth about where you stand. If your setup is solid, we will say so. If there are gaps, you will get them ranked by priority, not a quote for everything at once. Prevention comes first.
How long does a security review take?
The call itself is about 30 minutes. Before it, one of our engineers reviews your environment so the time is spent on your actual exposure, not on gathering basics.
Ready for a Straight Answer?
Schedule Your Free Security Review
Pick a time. Tell us a little about your setup. One of our engineers reviews your environment before we talk, so the call is about your real exposure and what to fix first.
Scale Technology
13503 Kanis Rd Suite B
Little Rock, AR 72211