Free checklist

The first hour after a breach.

Take a breath. What you do in the next hour matters more than what you do all week. Here is the calm version: what to do, what not to do, and who to call.

  1. Don’t panic, and don’t hide it. This happens to careful people. Fast and honest beats perfect.
  2. Disconnect, don’t power off. Unplug affected computers from the network, but don’t shut them down. Powering off can destroy evidence and make some ransomware harder to recover from.
  3. Don’t delete or clean anything up. Ransom notes, strange files, and odd emails are evidence. Leave them.
  4. Move to a clean device. Use a phone or a computer that wasn’t on the network. Don’t type passwords into a machine you think is compromised.
  5. Change the passwords that matter: email first, then banking and admin accounts. Turn on two-factor. Email is the master key.
  6. Call your bank if money or payments are involved. Fraud teams move fastest in the first hours.
  7. Don’t pay the ransom, and don’t negotiate alone. Paying doesn’t guarantee recovery and marks you as a repeat target. Get expert eyes first.
  8. Write down what you know: when you noticed, what you saw, and what’s affected. A rough timeline saves hours later.
  9. Get the right help. Active attack right now? Contact CISA, the FBI IC3, and StopRansomware.gov. Small business or nonprofit that can’t afford a big firm? Request help. I take pro bono cases on a case-by-case basis.

Calm technical guidance, not legal advice. Loop in a lawyer for breach-notification rules.
