The 72-Hour Nightmare: What Happens After a Law Firm Gets Ransomware

Article summary: In the first 72 hours after a ransomware attack, law firms face pressure to act quickly while managing containment, scope, evidence, and recovery, often alongside the added risk of data theft. The solution is a structured response that prioritizes containment first, followed by controlled assessment and recovery guided by a tested playbook. This helps limit damage, protect client confidentiality, and keep critical work moving while recovery is underway.
The first sign of ransomware in a law firm rarely looks dramatic.
A paralegal can’t open a case file. A partner’s draft won’t save. A restart doesn’t help, and then someone realizes it’s happening across multiple machines.
That’s when the clock starts.
The next 72 hours aren’t just about fixing technology. They’re about managing deadlines, client expectations, confidentiality, and systems that may no longer be reliable. Every decision in that window either contains the damage or allows it to spread.
Hour 0–6: Stop the Spread Before You “Fix” Anything
In the first six hours, the biggest mistake is trying to “get back to normal” before you’ve stopped what’s happening.
An effective ransomware response for law firms begins with containment, not troubleshooting: quickly determine which systems are affected and isolate them without delay.
CISA’s ransomware guidance emphasizes determining impacted systems and isolating them, then disconnecting affected devices from the network (or powering them down if you can’t disconnect) to prevent the attack from spreading further.
This is the moment when a defined playbook needs to take the place of instinctive reaction.
State Bar of Texas guidance emphasizes that law firms should prepare for cyber incidents in advance, including maintaining and practicing an incident response plan to manage impact and recovery.
In the real world, that structure shows up in actions like disconnecting infected workstations, disabling compromised accounts, blocking malicious IPs, and resetting passwords.
Hour 6–24: Find the Blast Radius and Protect Evidence
Between hours 6 and 24, the issue shifts from a technical disruption to understanding its scope.
You’re trying to answer the questions that determine everything that comes next:
- What systems are affected
- What remains secure
- What else the attacker may have accessed
An effective ransomware response during this window centers on assessing the extent of impact, preserving evidence needed for recovery and insurance, and preparing for potential legal implications.
It’s important to recognize that modern ransomware often goes beyond encryption.
Many actors have adjusted their tactics and now pair encryption with data exfiltration, using stolen information as leverage. This changes the nature of the incident. Recovery is no longer just about restoring systems; it also requires determining whether client information left the environment.
That makes a disciplined response critical. Evidence “should be preserved in a forensically sound manner.”
This is the stage where routine actions can erase logs and other evidence that reveal how the attacker gained access, what they reached, and whether access remains.
The practical objective is to gain clarity without making the situation worse:
- Identify affected systems
- Verify that backups and restore points remain intact
- Determine which accounts were involved
- Record actions taken, along with timing and responsibility
By the end of this first day, the firm should have a defensible understanding of the scope and a documented response to support the decisions that follow.
Hour 24–72: The Hard Part
This is the point when urgency gives way to the practical demands of recovery.
Systems are not restored by fixing a single device. They return through a deliberate process: rebuilding in a controlled sequence, confirming what is secure, and prioritizing what the firm needs most to continue serving clients.
This stage is challenging because it requires careful trade-offs: balancing speed with certainty, restoring operations while preserving integrity, and communicating clearly without overcommitting.
This is also the stage when leadership questions begin to surface:
- What should be restored first?
- How long will email be unreliable?
- What can staff do while systems are down?
- What should we communicate to clients, and when?
And for some firms, the question of ransom may enter the conversation.
The FBI is blunt about what ransomware is and what it does: it’s a type of malware that “prevents you from accessing your files, systems, or networks,” and then demands payment for access. It also advises against paying, noting there is no guarantee of recovery and that payment may encourage further targeting. In other words, even if money is on the table, it doesn’t buy you certainty.
Our “What to Do When Disaster Strikes” reflects this reality, emphasizing that the first priority is to stop the attack from spreading, followed by a disciplined approach to containment and recovery. It also cautions that reactive decisions can complicate the recovery process.
At the same time, recovery cannot simply recreate the conditions that allowed the incident to occur in the first place.
This phase typically involves:
- Resetting credentials
- Reviewing access
- Rebuilding systems using clean, trusted versions
- Restoring from backups that have been verified as uncompromised
It also includes operational planning, such as:
- Establishing interim workflows
- Using alternate communication methods
- Determining which matters require immediate attention
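The three windows above form one procedure per affected host: contain, then assess and preserve evidence, then recover. As an added example that is not from the article or from Digital Crisis, here is a small Python incident action log that refuses to record a later phase for a host until the earlier ones are on record, and hash-chains every entry (time, actor, host, action) so the documentation itself is tamper-evident; host names, actors and timestamps in the test are constructed.

```python
import hashlib
import json
from datetime import datetime, timezone

# The article's three windows, in the order they must occur for a given host.
PHASES = ("containment", "assessment", "recovery")
GENESIS = "0" * 64  # prev_hash of the first entry


class PlaybookError(Exception):
    """Raised when an action would be logged out of playbook order."""


def _digest(entry: dict) -> str:
    """SHA-256 over every field except the stored digest itself."""
    body = {k: v for k, v in entry.items() if k != "digest"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class IncidentLog:
    def __init__(self):
        self.entries = []

    def missing_prerequisites(self, phase: str, host: str) -> set:
        """Phases that must already be on record for host before phase is allowed."""
        done = {e["phase"] for e in self.entries if e["host"] == host}
        return set(PHASES[:PHASES.index(phase)]) - done

    def record(self, actor: str, phase: str, host: str, action: str, ts: str = "") -> dict:
        missing = self.missing_prerequisites(phase, host)
        if missing:  # e.g. refuse to rebuild a host that was never contained or assessed
            raise PlaybookError(f"{host}: log {sorted(missing)} before {phase}")
        entry = {
            "ts": ts or datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "actor": actor,  # who is responsible for the action
            "phase": phase,
            "host": host,
            "action": action,
            "prev_hash": self.entries[-1]["digest"] if self.entries else GENESIS,
        }
        entry["digest"] = _digest(entry)
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        """Recompute the hash chain; False if any entry was edited, dropped or reordered."""
        prev = GENESIS
        for e in self.entries:
            if e["prev_hash"] != prev or _digest(e) != e["digest"]:
                return False
            prev = e["digest"]
        return True
```

Export the entries as JSON alongside preserved disk images and logs; `verify()` run later shows whether the record handed to insurers or counsel is the one written during the incident.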
Don’t Let 72 Hours Turn Into 72 Days
The first 72 hours after a ransomware incident often determine whether a law firm restores stability or faces prolonged disruption.
An effective response is not about improvisation; it depends on having structure in place.
If your firm lacks a tested continuity plan, defined recovery priorities, and an incident playbook your team can rely on under pressure, this is the time to address those gaps.
Digital Crisis can help you build a repeatable response framework, from continuity planning and recovery prioritization to incident playbooks your team can follow under pressure, reducing the risk that a single event turns into prolonged operational downtime. Contact us to get started.
Article FAQs
What should a law firm do first after ransomware?
Start with containment. Isolate impacted systems and disconnect affected devices from the network so the attack can’t spread. Preserve evidence and document what you’re seeing before anyone starts “fixing” machines.
Should we pay the ransom?
Law enforcement generally advises against it because payment doesn’t guarantee recovery and can encourage more attacks. Focus first on containment, verified backups, and a controlled rebuild. If a payment decision is even considered, it should involve your insurer and incident response counsel.
How do we know if data was stolen?
You confirm it through an incident investigation, not guesswork. Modern ransomware often includes data exfiltration, so you need to review logs and system activity to understand what was accessed and whether files were copied out. Preserve evidence so the investigation is reliable.