Case study · Managed EDR + ITDR (Protected tier) + Managed SAT
A 14-Attorney Firm, an iManage Server, and the Friday-Night Encryptor That Got Stopped
Anonymized composite case study — Akira affiliate against a 14-attorney litigation firm, lateral movement to the iManage server, and the Huntress canary that fired 9 seconds into the encryption attempt.
Situation
A 14-attorney mid-Atlantic litigation firm. Three practice areas: commercial litigation, real-estate, and employment. iManage Work on-prem, single SQL Server back end. Microsoft 365 Business Premium for mail and productivity. Roughly 28 staff total including paralegals and admins.
The managing partner had moved the firm onto Obsidian Ridge's Protected tier four months prior, driven by two pressures: the ABA's Formal Opinion 483 expectations around breach response, and a cyber-insurance renewal market that had gone from soft to actively skeptical of firms without managed detection in place.
Detection
Friday, 6:47 PM. A junior associate had downloaded what she believed to be opposing counsel's exhibit list from a court e-filing link earlier that afternoon. The file was a malicious LNK that fetched a Pikabot loader. The loader dwelled quietly for about two hours while the firm closed for the weekend.
At 6:47, the loader woke up. It spawned a Cobalt Strike beacon, dumped LSASS credentials, and began lateral SMB enumeration aimed at the iManage SQL server.
Huntress Managed EDR fired three high-confidence detections within 90 seconds: process injection into a signed Windows binary, credential-dumping access to LSASS, and outbound command-and-control traffic to a beacon address tied to a known Akira affiliate. Auto-isolation triggered on patient zero — the associate's workstation — 28 seconds after the first detection.
The encryptor binary was staged on disk but did not execute. The process-killer activated before the encryption call. On the iManage server: zero impact. The attacker never reached it.
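The detection sequence above (injection into a signed binary, LSASS credential access, an outbound beacon to a known C2 address, then SMB enumeration toward the document server) is easy to reason about as a per-host correlation rule. The block below is an added example written for this page, not Huntress or Obsidian Ridge code: it classifies constructed EDR telemetry into those detection classes, isolates the host once two distinct high-confidence classes land inside a 90-second window, and reports the timings a firm would care about afterward. It goes slightly beyond the text in one respect: it models host-level isolation as cutting only the network, so local activity (such as the LSASS read) keeps being observed after isolation while the SMB attempt toward the matter-data subnet is dropped. Hostnames, timestamps, the beacon address, the access-mask value and the subnet are all constructed.

```python
"""
Added example (not Huntress or Obsidian Ridge code): a minimal per-host
detection correlator with an auto-isolation policy. Every value below is
constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime
from ipaddress import ip_address, ip_network
from typing import Optional

KNOWN_C2 = {"203.0.113.77"}                  # constructed beacon address (TEST-NET-3 range)
MATTER_DATA_NET = ip_network("10.20.5.0/24")  # constructed subnet for the iManage/SQL host
PROCESS_VM_READ = 0x0010                      # Win32 access right needed to read LSASS memory
CORRELATION_WINDOW_S = 90                     # two distinct high-confidence classes inside this => isolate

# Constructed telemetry in emission order: (timestamp, host, event_type, details)
SAMPLE_EVENTS = [
    ("2024-09-06 16:41:10", "WS-ASSOC-07", "file_open",
     {"path": r"C:\Users\jdoe\Downloads\Exhibit_List.lnk"}),
    ("2024-09-06 18:47:02", "WS-ASSOC-07", "process_inject",
     {"target": r"C:\Windows\System32\rundll32.exe", "target_signed": True}),
    ("2024-09-06 18:47:14", "WS-ASSOC-07", "net_connect",
     {"dst": "203.0.113.77", "port": 443}),
    ("2024-09-06 18:47:30", "WS-ASSOC-07", "process_access",
     {"target": "lsass.exe", "access_mask": 0x1010}),
    ("2024-09-06 18:47:55", "WS-ASSOC-07", "net_connect",
     {"dst": "10.20.5.12", "port": 445}),
    ("2024-09-06 18:48:10", "WS-ASSOC-07", "file_write",
     {"path": r"C:\ProgramData\w.exe"}),
]


def classify(event_type, details):
    """Map one raw event to (detection_class, confidence), or None if benign/uninteresting."""
    if event_type == "process_inject" and details.get("target_signed"):
        return ("injection_into_signed_binary", "high")
    if (event_type == "process_access"
            and details.get("target", "").lower() == "lsass.exe"
            and details.get("access_mask", 0) & PROCESS_VM_READ):
        return ("lsass_credential_access", "high")
    if event_type == "net_connect":
        if details["dst"] in KNOWN_C2:
            return ("c2_beacon", "high")
        if details["port"] == 445 and ip_address(details["dst"]) in MATTER_DATA_NET:
            return ("smb_toward_matter_data", "medium")
    return None


@dataclass
class HostState:
    detections: list = field(default_factory=list)       # (timestamp, class, confidence)
    isolated_at: Optional[datetime] = None
    blocked_network: list = field(default_factory=list)  # (timestamp, dst, port) dropped by isolation


def should_isolate(detections, now):
    """Policy: two distinct high-confidence classes within the correlation window."""
    recent = {cls for ts, cls, conf in detections
              if conf == "high" and (now - ts).total_seconds() <= CORRELATION_WINDOW_S}
    return len(recent) >= 2


def run(events):
    """Replay telemetry through the correlator and return per-host state."""
    hosts = {}
    for ts_str, host, etype, details in events:
        ts = datetime.strptime(ts_str, "%Y-%m-%d %H:%M:%S")
        state = hosts.setdefault(host, HostState())
        # Host isolation severs the network only; local events are still observed.
        if state.isolated_at is not None and etype == "net_connect":
            state.blocked_network.append((ts, details["dst"], details["port"]))
            continue
        hit = classify(etype, details)
        if hit is None:
            continue
        state.detections.append((ts, hit[0], hit[1]))
        if state.isolated_at is None and should_isolate(state.detections, ts):
            state.isolated_at = ts
    return hosts


def summarize(hosts, host):
    """Timings and outcome for one host; None if nothing was detected there."""
    state = hosts.get(host)
    if state is None or not state.detections:
        return None
    first = min(ts for ts, _, _ in state.detections)
    return {
        "first_detection": first,
        "isolated_at": state.isolated_at,
        "seconds_to_isolation": (state.isolated_at - first).total_seconds(),
        "high_confidence_classes": sorted({c for _, c, conf in state.detections if conf == "high"}),
        "blocked_network": state.blocked_network,
        "matter_data_reached": any(c == "smb_toward_matter_data" for _, c, _ in state.detections),
    }


if __name__ == "__main__":
    for key, value in summarize(run(SAMPLE_EVENTS), "WS-ASSOC-07").items():
        print(f"{key}: {value}")
```

Run as-is and the report shows isolation 12 seconds after the first detection, all three high-confidence classes recorded, one blocked SMB connection toward the matter-data subnet, and no matter-data host reached. The policy threshold and window are the knobs a SOC would tune: a single high-confidence class is usually too noisy to isolate on automatically, while waiting for three would have let the SMB enumeration through in this timeline.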
Response
The Huntress 24/7 SOC escalated to Obsidian Ridge's on-call practitioner at 6:51 PM. Within 18 minutes:
- Patient zero was confirmed network-isolated at the host level
- The associate's Microsoft 365 session was force-revoked across all devices via Managed ITDR
- Local admin credentials cached on the laptop were rotated; Active Directory was reviewed for any new persistence mechanisms
- The managing partner was on the phone with the practitioner by 7:05 PM
- The firm's cyber-insurance carrier received written notification before 8:00 PM — well inside the 24-hour notification window in the policy
Forensic review over the weekend, conducted jointly by Huntress, Obsidian Ridge, and the carrier's panel forensics firm, confirmed:
- No data exfiltration completed. The C2 channel was cut by isolation before any meaningful staging
- The attacker did not reach the iManage server, the file share, or any other matter-data location
- Roughly 140 files on patient zero were touched during enumeration; none were encrypted
- The malicious LNK traced back to a court-filing-impersonation phishing email that cleared the firm's email gateway without flagging
Outcome
Zero matter data lost. Zero client communications encrypted. Zero ABA Formal Opinion 483 client-notification obligation triggered, because no material confidential information of any client was accessed.
Court deadlines that following Monday proceeded normally. The firm's cyber-insurance renewal six weeks later proceeded at standard rating, with a positive carrier note about the documented response speed. The malpractice insurer was notified per the cyber-rider clause and closed the file with no claim.
Controls that mattered
- Huntress Managed EDR auto-isolation at the host level. 28 seconds is faster than any human-in-the-loop response. The encryptor binary was sitting on disk; what saved the firm was the process being killed before it could call the encryption routine.
- Microsoft 365 session-token revocation. Without it, the attacker could have pivoted from the local credential dump straight into the cloud tenant and started exfiltrating mail.
- A segmentation decision made two months earlier to not bridge the iManage server's network to the general user network. Even if patient zero had encrypted, the matter data would have been on the other side of that boundary.
- The pre-existing relationship with Obsidian Ridge. The managing partner did not have to make ten decisions in the first hour while panicked. The decisions had already been made and written down.
- Documentation discipline. Every action was logged the way the cyber carrier and, if it ever came to it, the bar would want to see.
What did NOT save the day
- The email gateway. The LNK bypassed it cleanly.
- The associate herself. She did not recognize the phish. The Managed SAT program had trained her to recognize wire-redirect themes — which had been the threat-model focus that quarter — but not court-filing impersonation. That gap was closed afterward.
- Domain admin password complexity. The LSASS dump captured cached credentials regardless of how long the password was.
What the firm changed afterward
- Added court-filing-impersonation phishing simulations to the SAT cycle for litigation paralegals and associates
- Implemented Local Administrator Password Solution (LAPS) so cached admin credentials would not be reusable across hosts
- Documented the iManage segmentation explicitly in the WISP — it had been informal before
- Established a quarterly tabletop with the managing partner, the office manager, and the firm's outside ethics counsel
Disclosure
Anonymized composite. Specific timestamps, the attorney count, the practice areas, and operational details have been adjusted to protect the firm. The threat-actor TTPs are real: Akira ransomware affiliates using Pikabot delivery chains have been documented by Huntress' threat-research team in 2024-2025 advisories, by Coveware's quarterly ransomware reports, and by CISA.
If your firm runs iManage, NetDocuments, or a comparable matter-data store and does not yet have a documented answer to "what happens at 6:47 PM on a Friday," start at /industries/law-firms or get the weekly Obsidian Briefing.
Compare your situation
The briefing is free.
Thirty minutes, an honest read on your environment, and a clear next step — or a clear “you don't need what we sell.”
