How We Recovered a Law Firm From Ransomware in 2 Hours
Saturday 2am: EDR alert. Monday 9am: 12 lawyers billing again. R0 paid to criminals. This is exactly how the 3-2-1 backup rule saved a Pretoria law firm.
The Attack Timeline
02:14 AM: EDR alert - Crypto.exe executing on file server
02:15 AM: Server auto-isolated from network via SentinelOne
02:30 AM: We remote in, confirm encryption started on 3 folders
06:00 AM: Backup integrity check passed — last clean backup 01:00 AM
08:00 AM: Restore to clean VM begins, 847GB
10:00 AM: Client notified, systems testing begins
11:00 AM: All staff back online, no data loss (the restore point was 74 minutes before encryption began, at 2 AM on a Saturday)
Why They Survived: The 3-2-1 Backup Rule
We enforce this for every client. It worked exactly as designed:
- 3 copies: live file server + onsite Synology NAS + Wasabi cloud bucket with immutability (object lock) enabled
- 2 media types: local SSD + cloud object storage
- 1 offsite: the Wasabi copy, with 30-day immutable retention. It is not physically air-gapped (it is reachable over the network), but object lock means that neither the ransomware nor an attacker holding the admin credentials can delete or overwrite it before the retention period expires, which is the property that matters.
Backup tooling: Veeam Backup for Microsoft 365 (mailboxes, OneDrive, SharePoint) + Synology Active Backup (on-prem server)
Test frequency: quarterly restore drills, where we actually restore files and compare them to the originals. The last drill was 3 weeks before the attack, so we knew the 01:00 copy would restore before we started.
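What a restore drill has to prove is two things at once: that the copy restores byte-for-byte, and that it is recent enough to be worth restoring. The script below is an added example, not the MSP's own tooling or any Veeam/Synology feature; it writes a small hash manifest for a constructed "live" folder, restores two copies, and checks both against the manifest and against an assumed 2-hour recovery point objective. One copy is clean; the other has been touched by a simulated ransomware run (one file rewritten in place, one renamed under a new extension, a ransom note dropped) so you can see how each kind of damage shows up. File names, contents, dates and the RPO are all assumptions.

```python
"""Restore drill, as an added example (not the MSP's own tooling): prove that a
backup copy restores byte-for-byte against a hash manifest, and that the copy is
recent enough to matter. All files, hashes and timestamps below are constructed."""
import hashlib
import os
import shutil
import tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path

RPO = timedelta(hours=2)  # assumed recovery point objective: hourly jobs, so >2h means a job is failing


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(src: Path, taken_at: datetime) -> dict:
    """What a backup job should store beside each copy: one hash per file plus the snapshot time."""
    files = {p.relative_to(src).as_posix(): sha256_of(p)
             for p in sorted(src.rglob("*")) if p.is_file()}
    return {"taken_at": taken_at.isoformat(), "files": files}


def verify_restore(restored: Path, manifest: dict, now: datetime) -> dict:
    """Compare every restored file against the manifest and check the copy's age against RPO.
    A ransomware-touched copy shows up as mismatched (rewritten in place), missing
    (renamed to a new extension) and extra (the renamed file plus the ransom note)."""
    age = now - datetime.fromisoformat(manifest["taken_at"])
    mismatched, missing = [], []
    for rel, expected in manifest["files"].items():
        p = restored / rel
        if not p.exists():
            missing.append(rel)
        elif sha256_of(p) != expected:
            mismatched.append(rel)
    present = {p.relative_to(restored).as_posix() for p in restored.rglob("*") if p.is_file()}
    extra = sorted(present - manifest["files"].keys())
    return {
        "ok": not (mismatched or missing or extra) and age <= RPO,
        "age_minutes": int(age.total_seconds() // 60),
        "within_rpo": age <= RPO,
        "mismatched": mismatched,
        "missing": missing,
        "extra": extra,
    }


def run_drill() -> tuple:
    """Constructed scenario mirroring the timeline: a 01:00 snapshot checked at 02:14.
    Returns (report for a clean copy, report for a copy the ransomware reached)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        src = root / "live"
        (src / "matters").mkdir(parents=True)
        (src / "matters" / "smith-v-jones.docx").write_bytes(b"PK\x03\x04 constructed docx bytes")
        (src / "matters" / "trust-ledger.xlsx").write_bytes(b"PK\x03\x04 constructed xlsx bytes")

        taken_at = datetime(2024, 6, 1, 1, 0, tzinfo=timezone.utc)  # assumed date of the 01:00 job
        manifest = build_manifest(src, taken_at)

        good = root / "restore_good"
        shutil.copytree(src, good)

        bad = root / "restore_bad"
        shutil.copytree(src, bad)
        # Simulated ransomware on the bad copy: one file rewritten in place, one
        # rewritten and renamed under a new extension, and a ransom note dropped.
        (bad / "matters" / "trust-ledger.xlsx").write_bytes(os.urandom(64))
        enc = bad / "matters" / "smith-v-jones.docx"
        enc.write_bytes(os.urandom(64))
        enc.rename(enc.parent / (enc.name + ".crypted"))
        (bad / "README_DECRYPT.txt").write_text("pay us")

        now = datetime(2024, 6, 1, 2, 14, tzinfo=timezone.utc)  # time of the EDR alert
        return verify_restore(good, manifest, now), verify_restore(bad, manifest, now)


if __name__ == "__main__":
    clean, hit = run_drill()
    print("clean copy:", clean)
    print("ransomware copy:", hit)
```

The manifest is the piece most "backups are running" dashboards lack: a job can complete every hour and still write encrypted garbage if the source was already hit, and only a hash comparison against a known-good manifest tells you which restore point is the last clean one. Run the drill against the immutable offsite copy as well as the NAS; if the two disagree, the NAS copy is the one to distrust.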
What Failed [And Why Most Firms Wouldn't Recover]
- No MFA on RDP: an intern's account used "Password123" on an RDP service that could be reached by the attacker, and the password was brute-forced in 6 hours. MFA would have made the guessed password useless, and an account lockout policy would have stopped the guessing within minutes instead of letting it run for 6 hours.
- Legacy antivirus instead of EDR: the old antivirus classified Crypto.exe as "unknown" and allowed it to run. Signature-based antivirus cannot block a binary it has never seen; catching unknown code by what it does (mass file rewrites, shadow copy deletion) is what EDR's behavioural detection and rollback are for.
- Untested backups: 60% of SA SMEs have backups that fail on restore, because they are never tested. A backup that has never been restored is an assumption, not a recovery plan.
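Six hours of password guessing against one account from one address is loud in the Windows Security log; the firm simply had nothing reading it. The code below is an added example, not the MSP's or SentinelOne's detection logic, of the rule that would have fired: a sliding-window count of failed RDP logons (event 4625, LogonType 10) per source address, with a second, higher-priority alert when the same source then logs on successfully (event 4624), which is the "the password has been guessed" signal. The events are constructed to the shape of those records, compressed into minutes rather than hours; the 20-failure threshold, the 10-minute window, the account name and the addresses are assumptions. This is detection only: MFA and lockout are the fix, this is how you learn that you needed them.

```python
"""Detecting the failure the firm did not see: hours of RDP password guessing that
ended in a successful logon. Added example, not the MSP's or SentinelOne's logic;
the events below are constructed in the shape of Windows Security 4625 (failed
logon) and 4624 (logon) records with LogonType 10 (RemoteInteractive, i.e. RDP)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAIL_THRESHOLD = 20             # assumed: 20 failures from one source inside the window
WINDOW = timedelta(minutes=10)  # assumed sliding window
RDP_LOGON_TYPE = 10


def make_sample_events() -> list:
    """Constructed sample: a guessing run against 'intern01' from one internet address
    that succeeds on the 26th try, plus a LAN user who mistypes twice and then gets in
    (two failures must not trip the rule)."""
    base = datetime(2024, 6, 1, 19, 0)  # assumed date
    events = []
    for i in range(25):
        events.append({"time": (base + timedelta(seconds=12 * i)).isoformat(), "id": 4625,
                       "logon_type": RDP_LOGON_TYPE, "user": "intern01", "src": "203.0.113.45"})
    events.append({"time": (base + timedelta(seconds=12 * 25)).isoformat(), "id": 4624,
                   "logon_type": RDP_LOGON_TYPE, "user": "intern01", "src": "203.0.113.45"})
    for i, eid in enumerate((4625, 4625, 4624)):
        events.append({"time": (base + timedelta(minutes=2, seconds=30 * i)).isoformat(),
                       "id": eid, "logon_type": RDP_LOGON_TYPE, "user": "jsmith", "src": "10.0.0.23"})
    return events


def detect(events: list, threshold: int = FAIL_THRESHOLD, window: timedelta = WINDOW) -> list:
    """Sliding-window count of RDP failures per source address. Alert once when a source
    crosses the threshold, and again if that source later logs on successfully."""
    recent = defaultdict(deque)  # src -> timestamps of failures still inside the window
    flagged = {}                 # src -> time the threshold was first crossed
    alerts = []
    for e in sorted(events, key=lambda ev: ev["time"]):
        if e["logon_type"] != RDP_LOGON_TYPE:
            continue
        t = datetime.fromisoformat(e["time"])
        src = e["src"]
        if e["id"] == 4625:
            q = recent[src]
            q.append(t)
            while q and t - q[0] > window:   # drop failures that have aged out of the window
                q.popleft()
            if len(q) >= threshold and src not in flagged:
                flagged[src] = t
                alerts.append({"kind": "rdp_password_guessing", "src": src,
                               "failures": len(q), "at": e["time"]})
        elif e["id"] == 4624 and src in flagged:
            alerts.append({"kind": "success_after_guessing", "src": src,
                           "user": e["user"], "at": e["time"]})
    return alerts


if __name__ == "__main__":
    for alert in detect(make_sample_events()):
        print(alert)
```

On the constructed sample the first alert fires at the 20th failure, under four minutes in, and the second fires the moment the guessed password works, with the compromised account name attached; that second alert is the one that should page someone and trigger an immediate disable of the account and a block of the source address. Keying the window on source address rather than account catches the common variant where the attacker rotates through many usernames with one password.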
The Cost Breakdown
- Our response: R0 — included in R300/user/mo Managed IT plan
- Downtime cost avoided: ~R15,000 [2hrs of billable time × 12 lawyers × R625/hr]
- If no backup: a ransom demand of R150,000+, around 2 weeks of rebuild, and possible POPIA penalties for the exposure of client data
Checklist: Can Your Firm Survive This?
- Immutable backups, with a real restore tested in the last 90 days?
- EDR with rollback, not just signature antivirus?
- MFA enforced on every admin and RDP account?
- Offsite copy that an attacker holding your admin credentials cannot delete?
- Incident response plan printed and reachable when the network is down?
Fewer than 3 "yes" answers? You're exposed.
Book the R950 Health Check
We test your backups for real. Not just "are they running" — we restore a file and prove it works.
Check My Backups