
Client Story · Ransomware Recovery · Legal

Ransomware wiped their backups. We brought the firm back.

An Orange County law firm was crippled by ransomware under their previous IT provider — files encrypted, backups deleted, default passwords left wide open. OCMSP rebuilt the network from scratch, recovered their data, and turned an exposed firm into a secure, compliant, insurable one.

Compliance-ready: Ransomware Recovery · Immutable Backups · EDR / NGAV · 2FA · Microsoft 365

Client network

Security Posture

Protected
  • Endpoint protection: Active
  • Data backups: Verified
  • HIPAA / PCI compliance: Monitored
  • After-hours support: 24/7/365

The challenge

A breach caused by the last provider

When the firm came to OCMSP, the damage was already done — a ransomware attack that succeeded because the previous MSP left a critical system exposed.

A breach they inherited

Before OCMSP, an Orange County law firm was hit with ransomware — not through anything they did, but through their previous IT provider. Attackers walked straight in and took the firm offline.

Default passwords left in place

The prior MSP had never changed the default credentials on the firm's backup appliance. That single oversight handed attackers the keys to the one system meant to save the firm.

Files encrypted, backups deleted

The ransomware encrypted the firm's files and then destroyed the backups — the classic double-extortion playbook. With the recovery point gone, there was no easy button to press.

A firm that couldn't work

For a law firm, the files are the practice. Case files, client records, and matter history were locked away, and the previous provider was fired for the negligence that caused it.

What OCMSP delivered

Rebuilt, recovered, and hardened

OCMSP didn't just clean up the mess — we rebuilt the firm on a secure foundation and put in the layered defenses and controls a modern practice needs to stay safe and compliant.

Rebuilt the core of the network

OCMSP stood up a brand-new domain controller and rejoined every workstation to a clean, trusted domain — removing the compromised foundation instead of trying to patch over it.

Recovered what mattered most

With the appliance backups destroyed, OCMSP recovered the firm's important files from a USB drive a staff member happened to have — turning a lucky break into a full, careful restoration.

Immutable backups that can't be deleted

OCMSP replaced the failed backup with immutable backups that ransomware can't encrypt or erase — so a recovery point always survives, no matter what an attacker does.

EDR, NGAV, and network monitoring

Endpoint detection and response, next-gen antivirus, and continuous network monitoring now watch the firm around the clock, ready to catch and isolate threats before they spread.

Password hygiene and 2FA everywhere

Every default password was changed and two-factor authentication was enabled across accounts — closing the exact gap that let the original attack succeed.

Trained people and dark web monitoring

Ongoing employee cybersecurity training keeps staff sharp against phishing, while dark web monitoring watches for the firm's credentials surfacing in breach dumps.

Migrated to Microsoft 365

OCMSP moved the firm off a convoluted legacy email system onto Microsoft 365 — modern, secure, and far easier to manage, with built-in protection and reliability.

Qualified for cyber insurance

Once the proper controls were in place, OCMSP helped the firm secure cyber liability insurance — coverage that was out of reach while the environment was still exposed.

The engagement

How we brought the firm back

01 · Stabilize and assess

We stepped in after the previous provider was let go, contained the situation, and mapped exactly what had been compromised, encrypted, or destroyed.

02 · Rebuild clean

We deployed a new domain controller and rejoined every PC to a trusted domain — rebuilding on a clean foundation rather than salvaging the breached one.

03 · Recover the data

With the appliance backups gone, we restored the firm's critical files from a chance USB backup, verifying integrity every step of the way.

04 · Harden and comply

We layered in EDR, NGAV, immutable backups, 2FA, monitoring, training, and dark web monitoring — then secured cyber insurance and moved email to Microsoft 365.

Case study FAQ

How OCMSP rescued and secured the firm

What happened to this law firm?

An established Orange County law firm suffered a ransomware attack before OCMSP became their provider. The breach traced back to their previous IT company, which had left the default passwords in place on the firm's backup appliance. Attackers used that gap to encrypt the firm's files and delete its backups. The prior provider was terminated for the negligence, and the firm brought in OCMSP to recover and rebuild.

How did OCMSP recover the firm's data if the backups were deleted?

The primary backups had been destroyed in the attack, but a staff member happened to have copied important files to a USB thumb drive. OCMSP used that as a recovery source and was able to restore most of the firm's critical data. We also rebuilt the network from scratch — standing up a new domain controller and rejoining every workstation to a clean domain — so nothing from the compromised environment carried forward.

How did OCMSP prevent it from happening again?

We closed the gap that caused the breach and built real defense in depth: changed every default password, enabled two-factor authentication, and deployed EDR, next-gen antivirus, and continuous network monitoring. We replaced the failed backup with immutable backups that can't be encrypted or deleted, added dark web monitoring, and put the staff through ongoing cybersecurity awareness training.

Why do default passwords matter so much?

Default credentials are publicly known and are one of the first things attackers try. Leaving them on a security-critical system like a backup appliance is like leaving the vault unlocked. Changing every default password — and enforcing strong authentication with 2FA — is a basic control that would have stopped this attack, and it's one OCMSP verifies across every system we manage.

Is the firm secure and compliant now?

Yes. The firm now runs on a hardened, monitored environment with immutable backups, layered endpoint and network defenses, trained staff, and Microsoft 365. With the proper controls in place, OCMSP also helped the firm qualify for cyber liability insurance. Senior management and the owners are secure, compliant, and confident in their IT for the first time.

Can OCMSP help a firm that's mid-breach right now?

Yes. OCMSP has stepped in after other providers failed — stabilizing the situation, rebuilding clean, recovering data, and putting the right defenses in place to prevent a repeat. Whether you're recovering from an incident or want to make sure you never face one, we start with a free assessment of exactly where you stand.

Recovering from an incident — or want to avoid one?

If OCMSP can rebuild a firm after ransomware, we can protect yours

From breach recovery to always-on defense, OCMSP builds security that keeps law firms running, compliant, and insurable. Book a free assessment and we'll map exactly where you stand.