Ransomware recovery for Bay Area organizations.
72 hours. 7 offices. $0 paid.
When ransomware hits at 2 AM, you don't need a slide deck. You need someone who has actually done this before, picks up the phone, and is on the road inside an hour. Eaton & Associates has been running incident response for Bay Area organizations since 1989. The biggest recovery on record: 7 offices, 200+ users, every domain controller encrypted, $450,000 in Bitcoin demanded, $0 paid. Back to full operations in 72 hours.
Quantified outcome from the actual recovery
| Recovery time | Offices restored | Users restored | Ransom demanded | Ransom paid | Data lost |
|---|---|---|---|---|---|
| 72 hours | 7 | 200+ | $450,000 | $0 | None |
If you're in an incident right now
Stop reading. Call (415) 282-1188 and say "ransomware" to the operator. You'll be routed to on-call engineering inside two rings, any hour, any day.
Before the call, do three things. One: unplug the affected machines from the network. Do not power them off. Memory state matters for forensics. Two: locate your most recent verified backup, and do not touch it. Three: preserve any ransom note text and screenshots. We'll walk you through everything else when you call.
What 72 hours actually looks like
6:14 AM on a Monday. A mid-sized Bay Area organization called the on-call line. Ransom notes on every workstation. Every domain controller offline. Every file server compromised. Seven offices. 200+ users. A Bitcoin demand for $450,000.
By 7:30 AM the on-site team was on the ground at headquarters and the assessment was done. By 10 AM the call was made: rebuild, do not pay. By 2 PM the emergency hardware procurement was in motion. Tuesday at 8 AM, Active Directory was live again. Tuesday at 6 PM, all seven branches had VPN tunnels back to the new domain. Wednesday at 11 PM, Microsoft 365 was restored and email was flowing again. Thursday at 8 AM, all 200+ users were back at work. 72 hours, end to end.
The ransom was never paid. Not one dollar. The recovery cost the client a fraction of the demand and produced an infrastructure stronger than the one the attackers took down.
This was not a recovery scenario. This was a rebuild. The original Active Directory forest was unsalvageable; the team stood up a new one from clean offline backups, re-imaged every workstation, and migrated user identities into a hardened environment. The replacement infrastructure shipped with MFA on every account, network segmentation, isolated backup storage, and endpoint monitoring the original environment never had.
Six phases, in this order, every time
Every recovery is different. The framework is the same.
- 01 Triage and isolation (first 60 to 90 minutes)
The on-call engineer is on the phone inside two rings and on-site or remotely connected inside the hour. First job: stop the spread. Affected machines are unplugged from the network, the firewall is reconfigured to choke off lateral movement, and any cloud service connections that look compromised get tokens rotated immediately.
Output: A contained blast radius and a written list of affected systems before the second hour starts.
- 02 Assessment and decision (next 2 to 4 hours)
The team maps what is encrypted, what is recoverable, what the backups actually contain, and whether data exfiltration is in play. Then we make the call. Rebuild or restore. Pay or refuse. The decision is yours; the recommendation is ours and it is almost always "do not pay."
Output: A documented incident classification, a recovery path on paper, and a go decision before the end of business day one.
- 03 Stabilization (hours 4 to 24)
If the decision is rebuild, emergency hardware procurement runs in parallel with infrastructure design. A clean Active Directory forest is stood up on isolated infrastructure. DNS and DHCP are rebuilt from documentation, not from compromised images.
Output: A known-clean base environment by the end of hour 24, ready for user migration.
- 04 Restoration (hours 24 to 60)
User identities migrate into the new forest. Workstations are re-imaged from clean media, not restored from compromised state. File servers are rebuilt and data is restored from offline backups after verification. Email, Microsoft 365, and any line-of-business applications are reconnected in order of business criticality.
Output: The majority of staff back on functional systems by the end of hour 60.
- 05 Hardening (hours 60 to 72)
The replacement environment ships with what the original did not: MFA on every account, network segmentation between user and server VLANs, isolated and immutable backups, EDR on every workstation, and SIEM monitoring with named alert thresholds. The new infrastructure is the answer to "this cannot happen the same way twice."
Output: A hardened production environment and a written runbook by the end of hour 72.
- 06 Post-incident review and executive comms (weeks 2 to 4)
Two to four weeks after the lights are back on, we run a full post-incident review with the client's leadership team and, where relevant, the board. We document what the attack looked like, what we did, what worked, what we would do differently, and what residual risks remain. If cyber insurance is involved we work directly with the carrier's IR team. If external comms are needed (customers, regulators, press) we draft them and review with counsel.
Output: A written post-incident report, an updated security roadmap, and a calendar for the follow-on hardening work that did not need to ship inside 72 hours.
What the engagement actually includes
A ransomware recovery engagement with Eaton & Associates is not a one-time consulting call. It is a stack of capabilities you can either pre-deploy as a managed IT client or activate inside the first hour of an incident as an IR retainer.
Active monitoring
24/7 SIEM with named alert thresholds, EDR on every endpoint, and managed firewall log review. The earlier we see the indicators, the smaller the blast radius.
Isolated and immutable backups
Backups stored where your domain admin cannot reach them. The attackers cannot encrypt what they cannot touch. We verify restores quarterly, not "when we get to it."
Incident response retainer
A signed retainer that gets you to the front of the on-call queue, locks in the hourly rate before the incident starts, and means the first hour of work is engineering, not contract negotiation.
Endpoint hardening
MFA on every account. Application allowlisting where the environment supports it. Local admin privileges removed from standard user accounts. The basics whose absence most ransomware variants still rely on.
Executive and customer communications support
Draft language for board updates, customer notifications, and regulatory disclosures. Coordinated with your counsel and cyber insurance carrier.
Coordinated work with your cyber insurance carrier
We have run incidents under every major carrier's IR panel framework. We work with the panel firm if one is mandated; we are the recovery firm if one is not.
Post-incident hardening
The work that happens after the lights come back on. New segmentation. New runbooks. New tabletop exercises. The hardening that means there is no second incident with the same root cause.
CJIS, HIPAA, and SOC 2
Recovery work for regulated organizations has to satisfy the auditor in week 8, not just the executive team in week 1. Our recovery and hardening work is aligned with the three frameworks our buyers most often live under.
California municipalities, police, fire, county IT
CJIS v6.0
The replacement infrastructure ships with the controls CJIS Security Policy requires: FIPS 140-3 encryption, advanced authentication on every CJI-touching account, audit logging retained per the addendum requirements, and a documented chain of custody for any forensic artifacts pulled during the incident. We have rebuilt environments inside CJIS audit windows without losing certification.
Healthcare and provider organizations
HIPAA Security Rule
PHI handling during a recovery is its own discipline. Affected systems are isolated, access logs are preserved as evidence, and any restoration from cloud or backup goes through written verification that the restored state does not reintroduce compromised PHI. The post-incident report includes a HIPAA-compliant breach assessment workup ready for OCR if required.
Regulated firms and audited buyers
SOC 2 Type II alignment
Eaton is a SOC 2 Type II certified provider. The recovery engagement is documented to the same control framework we operate under: access reviews, change management, incident logging, evidence retention. If your auditor asks "how did your IT provider handle the incident," the answer is a written, evidence-backed control walk-through, not a verbal recap.
What buyers ask before signing
Do you offer an incident response retainer, and what does it include?
Yes. A signed IR retainer gets you front-of-queue access to the on-call engineering team, a locked-in hourly rate before the incident starts, and a documented escalation path your CISO or counsel can hand to your cyber insurance carrier on day one. The retainer covers the first incident response engagement up to a contracted number of hours; additional time runs at the locked rate. Most clients pair the retainer with quarterly tabletop exercises and an annual recovery drill, both included. The retainer is separate from a managed IT contract; existing managed IT clients have an effective retainer built into the relationship.
What's your RTO and RPO for a typical recovery?
Both depend on the environment we are recovering into. For a client with isolated and verified backups, an RTO of under 24 hours for core services and under 72 hours for full operations is the working standard. RPO is typically under 4 hours for systems running our backup tooling. For a client we have never worked with before, the assessment in the first 4 hours sets the realistic RTO and RPO based on what backups actually exist and what shape they are in. We will tell you what we can actually deliver before we promise it.
How do you handle data exfiltration extortion (the "we have your data, pay or we publish" play)?
Modern ransomware almost always includes an exfiltration component. The recovery work is the same: rebuild, harden, restore. The exfiltration question is a separate decision the client makes with counsel and the cyber insurance carrier. Our role is to confirm what data left the environment (logs, DLP records, forensic artifacts), document the scope for the post-incident report, and support whatever the legal and disclosure decision turns out to be. We do not advise paying extortion demands. Data that has already been published does not become unpublished once the bitcoin clears. The post-incident hardening assumes the data is in the wild and the controls have to account for it.
Do you require an existing managed IT relationship to take an incident?
No. Incidents come in cold all the time. The first 4 hours of an assessment with a new client run on a flat-rate engagement that converts into a full recovery engagement once we have a documented incident classification and a go decision. The cold-start premium is real (we are learning the environment in real time), and we will tell you what that looks like inside the first hour. Existing managed IT clients pay no cold-start premium.
What if our backups are encrypted too?
This is the question every IT director should ask. If your backups are reachable from a compromised domain admin account, they are part of the ransomware payload. We assume backups are compromised until verified clean. The recovery path in that scenario is rebuild from documentation, restore data from any verified-offline copies (cloud-sync history, archived snapshots, off-site media), and reconstruct the rest from whatever evidence the application data retains. The hardening engagement after the lights come back on always includes isolated and immutable backup storage so this question does not repeat.
Do you pay ransoms?
No. Our standing recommendation is to refuse. Payment funds the next attack, does not guarantee functional decryption keys, and signals the organization as a willing payer to other groups. The 72-hour Bay Area recovery on our public proof page is the case in point: $450,000 demanded, $0 paid, full recovery. The final decision is yours; the recommendation is ours and it does not change.
How is this billed?
Three structures depending on the engagement. Managed IT clients with an effective built-in retainer pay incident response time at their contract rate; most incidents are covered without an additional charge for the first response window. IR retainer clients pay a quarterly or annual retainer fee that includes a contracted hours bucket; overage runs at the locked rate. Cold-start engagements run on a flat-rate first-4-hour assessment that converts into a documented hourly engagement once the scope is set. All three structures are written, signed, and shared with the client's counsel before work starts.
Ready before the call, or in the middle of one
If you are deciding now whether to put a ransomware recovery retainer in place, talk to us. If the incident is already underway, dial (415) 282-1188 and we are on the line inside two rings.
Bay Area headquartered since 1989. Seven offices coordinated under one playbook. $0 paid on the biggest recovery we have run.