Free checklist
The first hour after a breach.
Take a breath. What you do in the next hour matters more than what you do all week. Here is the calm version: what to do, what not to do, and who to call.
- Don’t panic, and don’t hide it. This happens to careful people. Fast and honest beats perfect.
- Disconnect, don’t power off. Unplug affected computers from the network, but don’t shut them down. Powering off can destroy evidence and make some ransomware harder to recover from.
- Don’t delete or clean anything up. Ransom notes, strange files, and odd emails are evidence. Leave them.
- Move to a clean device. Use a phone or a computer that wasn’t on the network. Don’t type passwords into a machine you think is compromised.
- Change the passwords that matter: email first, then banking and admin accounts. Turn on two-factor authentication. Email is the master key.
- Call your bank if money or payments are involved. Fraud teams move fastest in the first hours.
- Don’t pay the ransom, and don’t negotiate alone. Paying doesn’t guarantee recovery and marks you as a repeat target. Get expert eyes first.
- Write down what you know: when you noticed, what you saw, and what’s affected. A rough timeline saves hours later.
- Get the right help. Active attack right now? Contact CISA, the FBI IC3, and StopRansomware.gov. Small business or nonprofit that can’t afford a big firm? Request help. I take pro bono cases case by case.
Calm technical guidance, not legal advice. Loop in a lawyer for breach-notification rules.
Keep it by your desk
Want the one-page printable to keep somewhere you’ll find it under pressure, or to send your team? I’ll email it.