Try this first
1. Pull the network cable or disable Wi-Fi on infected devices rather than powering them off. Power-off and reboot lose RAM, and RAM is often the only place fileless tooling, injected code and the keys of a running encryptor exist. Hibernation writes RAM to hiberfil.sys rather than wiping it, but it still stops the live system, so isolate and leave the machine running.
2. Call cyber insurance or the IR retainer before doing anything else. They send someone with the right tools (FTK Imager, KAPE, Velociraptor) and the legal process to preserve evidence in a form insurers and police will accept.
3. Preserve logs now, not in an hour: Defender for Endpoint, Sentinel, firewall, AD security events, mail server. Default retention and log rotation can overwrite them within 24 hours, and a busy domain controller's Security log can wrap in hours. Export the Log Analytics workspace (a data export rule or a KQL export) to a separate storage account the attacker has no path to.
4. Capture volatile data first, then disk: a memory dump with DumpIt or Belkasoft RAM Capturer, then a full-disk image where possible. Imaging time depends on disk size and interface; SSDs are quick, for HDD servers plan a couple of hours. Hash every image and dump (SHA-256) the moment it is written, so the chain of custody starts with the capture.
5. Keep a timeline with who did what when, from minute zero: tools, IPs, accounts, decisions, in UTC. A clean timeline saves the forensic investigator about two days of reconstruction.
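The five steps above as one first-responder script for a Windows host. This is an added example, not tooling from this page or from any of the products named in it; it assumes an elevated PowerShell session, a clean external drive at E:\ (hypothetical path), and that the memory dump and disk image are taken separately with the tools listed in step 4. It isolates the host only when asked (-Isolate), captures volatile state, exports the event logs that roll over fastest, hashes everything it writes, and keeps the timeline from step 5 as it goes.

```powershell
# Added example, not the page's own tooling. Assumptions: run elevated;
# $EvidenceRoot is on a clean external drive (hypothetical path);
# wevtutil.exe, Get-FileHash and the NetAdapter/NetTCPIP modules are present
# (built in on Windows 8/Server 2012 and later).
param(
    [string]$EvidenceRoot = "E:\IR\$env:COMPUTERNAME",
    [string]$Operator     = $env:USERNAME,
    [switch]$Isolate      # step 1: only pull the network when explicitly asked
)
$ErrorActionPreference = 'Stop'
New-Item -ItemType Directory -Path $EvidenceRoot -Force | Out-Null
$Timeline = Join-Path $EvidenceRoot 'timeline.csv'

function Write-Timeline([string]$Action, [string]$Detail) {
    # Step 5: one row per action, UTC, so several hosts' timelines merge cleanly.
    [pscustomobject]@{
        TimestampUtc = (Get-Date).ToUniversalTime().ToString('o')
        Host         = $env:COMPUTERNAME
        Operator     = $Operator
        Action       = $Action
        Detail       = $Detail
    } | Export-Csv -Path $Timeline -Append -NoTypeInformation
}

function Add-EvidenceHash([string]$Path) {
    # Hash every artefact as soon as it exists; the investigator re-hashes later
    # to prove nothing changed between capture and analysis.
    $h = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    Write-Timeline 'hash' "$Path sha256=$h"
    return $h
}

Write-Timeline 'start' 'Evidence collection started'

# Step 1: isolate, never power off. Loopback stays; note that disabling every
# adapter also cuts any remote session you are working through.
if ($Isolate) {
    Get-NetAdapter | Where-Object Status -eq 'Up' | ForEach-Object {
        Disable-NetAdapter -Name $_.Name -Confirm:$false
        Write-Timeline 'isolate' "Disabled adapter $($_.Name) ($($_.MacAddress))"
    }
}

# Volatile state that a reboot would destroy: connections and processes.
$conn = Join-Path $EvidenceRoot 'netconn.csv'
Get-NetTCPConnection | Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, State, OwningProcess |
    Export-Csv -Path $conn -NoTypeInformation
$proc = Join-Path $EvidenceRoot 'processes.csv'
Get-Process | Select-Object Id, ProcessName, Path, StartTime |
    Export-Csv -Path $proc -NoTypeInformation
Write-Timeline 'volatile' 'Captured TCP connections and process list'
Add-EvidenceHash $conn | Out-Null
Add-EvidenceHash $proc | Out-Null

# Step 3: export the logs that wrap fastest. PowerShell/Operational and Sysmon
# (if installed) hold the script-block and process telemetry attacker tooling leaves.
$logs = 'Security', 'System', 'Application',
        'Microsoft-Windows-PowerShell/Operational',
        'Microsoft-Windows-Sysmon/Operational'
foreach ($log in $logs) {
    if (-not (Get-WinEvent -ListLog $log -ErrorAction SilentlyContinue)) { continue }
    $out = Join-Path $EvidenceRoot (($log -replace '[\\/]', '_') + '.evtx')
    & wevtutil.exe epl $log $out        # native .evtx export, channel metadata intact
    Write-Timeline 'export-log' "$log -> $out"
    Add-EvidenceHash $out | Out-Null
}

# Step 4 is done with the tools named above; register the results here, e.g.
#   Add-EvidenceHash 'E:\IR\HOST\memory.raw'
Write-Timeline 'note' 'Memory dump and disk image to be taken and hashed with Add-EvidenceHash'
```

Run it before the IR retainer arrives, not instead of calling them (step 2); hand over the evidence folder and timeline.csv as-is. The -Isolate switch exists because running the script over RDP or a remote PowerShell session would otherwise disconnect you at the first adapter.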
When to bring us in
When production or customer files are down and pressure rises to be back online fast, do not let that pressure justify destroying evidence. Agree a sequence with the IR partner: image first, then restore. Otherwise the insurance claim is only half supportable.
See also
- I think I clicked a phishing link: No shame, it happens to everyone. The next fifteen minutes matter.
- A colleague's account is acting strangely: Sending mail in their name, inbox rules hiding folders, unusual sign-ins. Suspicious.
- Lost the MFA app, new phone, no backup codes: A classic problem after a phone upgrade. You are not the first to be locked out.
None of the above fits?
Describe your situation below. We pass your input plus the steps you already saw to our AI and return tailored next-step advice. If it's too risky to DIY, we'll say so.
Or skip the DIY entirely
Our Managed IT clients do not look these things up. One point of contact, a fixed monthly price, resolved within working hours.