Resposta a Incidentes 24/7 · Comprometimento

My company was hacked: what to do in the first minutes

O que fazer agora

Act in the right order: isolate the affected equipment from the network (unplug the cable and turn off Wi-Fi), but do NOT shut the machine down or format anything, because that erases the evidence. From a separate, trusted device, immediately change the passwords of critical accounts, enable MFA and close open sessions. Next, engage an Incident Response team to contain the attack and measure the damage: Decripte responds 24/7 with a containment SLA of up to 1 hour through the contact page. If personal data was leaked, the deadline to notify the ANPD is 3 business days from awareness. And if you are still not sure whether you were breached, start with free threat monitoring at decripte.com.br/intelligence-center.

SOC 24x7 e SLA de contenção de até 1 hora. A Decripte é especialista em resposta a incidentes para fintechs, crypto, apps, e-commerces e empresas de todos os tamanhos.

Sinais de alerta

  • Employees report that they can no longer access accounts or that passwords were changed without authorization.
  • Files renamed, encrypted or with strange extensions, accompanied by a ransom note demanding payment.
  • Login alerts from unusual countries or times on corporate email, cloud or VPN.
  • Third-party warning: a customer, partner, bank or researcher informs you that your company's data is leaked or for sale.
  • Sudden slowness, unknown processes consuming CPU, antivirus or EDR disabled for no reason.
  • Emails going out from your company that you did not send, or customers complaining about fake messages and charges in your name.
  • Email forwarding rules, administrator users or API keys created that no one recognizes.

Primeiros passos — o que fazer agora

  1. 1

    Isolate, do not shut down

    Disconnect the suspicious equipment from the network (cable and Wi-Fi) to stop the attacker's progress, but keep the machine powered on. Shutting down abruptly or formatting destroys volatile memory and the traces that prove what happened and how the attacker got in.

  2. 2

    Use a device you know is clean

    Do not change passwords or investigate from a possibly compromised machine. Use a phone or laptop that was not touched by the incident for all containment actions, so you don't hand the new credentials to a keylogger or a hijacked session.

  3. 3

    Change critical credentials and enable MFA

    In order of priority, reset the passwords for corporate email, bank accounts, the cloud console (AWS, Azure, GCP), VPN and administrator accounts. Enable multi-factor authentication everywhere, terminate all active sessions and revoke tokens and API keys that may have been stolen.

  4. 4

    Preserve logs and evidence

    Do not delete anything. Make sure firewall, server, email, EDR and cloud logs are not overwritten, ideally exporting copies to a safe location. Note timestamps, alerts received and what each person observed: this guides the investigation and protects the company legally.

  5. 5

    Engage 24/7 Incident Response

    The sooner a specialized team steps in, the smaller the damage. Engage Decripte's Incident Response through the contact page: we respond 24/7 with a containment SLA of up to 1 hour and lead from diagnosis to recovery, alongside your team.

  6. 6

    Assess the scope before communicating

    Confirm which systems, data and customers were affected before declaring anything publicly. Premature or incorrect communication creates panic and legal risk; late communication also exposes the company. The scope analysis defines what, to whom and how to notify.

  7. 7

    Meet your legal obligations (LGPD/ANPD and Pix)

    If personal data was leaked, notification to the ANPD must occur within 3 business days from awareness of the incident (Resolution CD/ANPD No. 15/2024), in addition to notifying the affected data subjects. In Pix fraud, contact the bank immediately to trigger the MED and file a police report.

O que NÃO fazer

  • Do not shut down or format the affected machine: that erases the volatile memory and the logs that prove the attack and help expel the intruder without leaving a back door.
  • Do not change passwords from the possibly compromised equipment: if there is a keylogger or session theft, you hand the new credentials to the attacker on the spot.
  • Do not pay a ransom on impulse in a ransomware case: paying does not guarantee the key, funds the crime, does not prevent the leak of data already exfiltrated and does not waive the legal notification obligations.
  • Do not rush to notify customers and the press before measuring the scope: wrong information amplifies panic and can increase the company's legal risk.
  • Do not assume the problem is over just because the symptoms stopped: attackers leave persistent access; without technical eradication, the attack returns days later.
  • Do not ignore the LGPD clock: leaving the ANPD notification until everything is resolved may blow the 3-business-day deadline from awareness and trigger sanctions.

First, confirm whether you were really compromised

Not every strange behavior is an attack, and not every attack is loud. Before declaring a breach, gather objective evidence: security alerts, anomalous logins, encrypted files, a warning from a trusted third party or company data exposed on the internet. Treat each sign as a hypothesis to confirm, not an isolated certainty, but do not underestimate it either: when in doubt, act as if it were real and isolate first.

The most common mistake at this stage is investigating too much on the affected machine itself, clicking, opening files and tampering with what may be a digital crime scene. Every action alters evidence. Designate one person to coordinate, record timestamps and what was observed, and prevent several people from touching the same systems at once. Confirming the compromise calmly is what separates an effective response from making things worse.

If you are still not sure whether there was a leak, the fastest and cheapest path is monitoring. Decripte's free Threat Management plan (Decripte Intelligence Center), at decripte.com.br/intelligence-center, checks for credential leaks, dark web exposure and your domain's reputation, with no credit card and no technical team needed, and often reveals the compromise before it becomes a crisis.

Containment: cut off the spread without destroying the proof

To contain means to prevent the attack from spreading, and the golden rule is to isolate without destroying. Disconnect the affected equipment from the network by removing the cable and disabling Wi-Fi, but keep the machines powered on. The RAM of a running system holds malicious processes, active connections and keys that vanish on shutdown; turning off or formatting throws away the proof of who got in and how.

In parallel, perform identity containment from a device you know is clean. First reset the passwords of the most critical accounts (corporate email, cloud, bank, VPN and administrators), enable MFA and terminate all active sessions, including tokens and API keys that may have been stolen. Changing a password on the infected device itself may simply hand the new password to the attacker.

Preserve everything: make sure firewall, server, email, EDR and cloud provider logs are not overwritten or deleted, ideally exporting copies to a safe location. These records support the technical investigation and also the company's legal defense. This stage follows the NIST framework (detection and analysis followed by containment), and this is exactly where an Incident Response team speeds up the process without making the mistakes that cost evidence. Decripte takes on that coordination 24/7 with a containment SLA of up to 1 hour.

Resposta a Incidentes · 24/7

Cada minuto conta. Comece o diagnóstico gratuito agora e veja o que já vazou.

Comece pelo diagnóstico gratuito agora e veja em minutos o que já vazou. SOC 24x7 e contenção em até 1h nos planos pagos.

Eradication and recovery: remove the intruder and come back safely

A symptom that stops does not mean the threat is eliminated. Attackers plant persistence: ghost accounts, scheduled tasks, webshells, email forwarding rules and access keys. To eradicate is to identify and remove each of these footholds and close the vulnerability that allowed entry, whether it was a leaked password, an unpatched system or a successful phishing attempt. Skipping this stage is the most common reason companies are re-breached a few days later.

Recovery must be controlled and monitored. Restore systems from trusted, verified backups (that have not been compromised), reintroduce machines to the network gradually and keep heightened vigilance to detect any attempt by the attacker to return. The incident is only declared closed when there is technical confidence that the environment is clean and stable.

Finally comes the lessons-learned phase: documenting the timeline, understanding the root cause and fixing what failed in people, process and technology. That is what turns a painful incident into a stronger security posture. Decripte leads from containment to that closure, delivering a root-cause report and practical recommendations so that the same vector is not exploited again.

If the incident involved personal data (of customers, employees or partners), the LGPD imposes duties with a deadline. Under Resolution CD/ANPD No. 15/2024, the security incident must be reported to the National Data Protection Authority within 3 business days from awareness of the incident, and the affected data subjects must also be notified. The clock starts when you become aware, which is why the scope analysis cannot drag on.

The notification must describe the nature of the affected data, the possible impacts and the measures adopted to mitigate the effects. Notifying incorrectly or in a panic is as harmful as not notifying. That is why the sequence matters: contain, preserve evidence, measure the scope with technical and legal support and then communicate accurately. Documenting each step is what demonstrates diligence before the ANPD and reduces exposure to sanctions.

If the attack involved financial fraud via Pix, time is even shorter. Contact the bank immediately to trigger the MED (Special Return Mechanism), which has a limited window to try to block and return the funds, and file a police report. In scams involving system intrusion and payment diversion, treating the case as a security incident, and not merely as isolated banking fraud, is usually what reveals the true extent of the compromise.

Resposta a Incidentes · 24/7

Precisa conter o incidente agora? Comece de graça e ative a resposta 24x7.

Comece pelo diagnóstico gratuito agora e veja em minutos o que já vazou. SOC 24x7 e contenção em até 1h nos planos pagos.

How Decripte leads the response end to end

Decripte specializes in Incident Response, with a SOC operating 24x7 and a containment SLA of up to 1 hour. When you engage us through the contact page, our team steps in alongside yours: takes on technical coordination, guides correct containment without destroying evidence, investigates thoroughly to map the real scope and expels the intruder, closing the doors they used. We serve fintechs, crypto exchanges, apps, e-commerces, startups and companies of all sizes.

Our work follows the recognized response cycle (preparation, detection and analysis, containment, eradication, recovery and lessons learned), translated into practical action and into language that both the non-technical owner and the technical team understand. In the end, you receive a clear report on the root cause, what was affected, what was done and what needs to be fixed, plus support to meet the notification obligations toward the ANPD and the data subjects.

After the incident, prevention continues. The free Threat Management plan (decripte.com.br/intelligence-center) continuously monitors credential leaks, the dark web and domain reputation, and the paid plans cover 24x7 SOC, Pentest, Vulnerability Management and Compliance (LGPD/ISO 27001). For an attack happening right now, engage 24/7 Incident Response through the contact page. So you are never caught by surprise again, start with the free monitoring.

Obrigações legais (Brasil)

LGPD (Brazil): if personal data is leaked, notify the ANPD within 3 business days from awareness of the incident (Resolution CD/ANPD No. 15/2024) and also the affected data subjects, describing the nature of the data, the possible impacts and the measures adopted. Pix fraud: contact the bank immediately to trigger the MED (short window) and file a police report. Preserve logs and evidence, as they support the investigation and the company's legal defense. These deadlines and rules (e.g., ANPD/LGPD) are Brazilian.

Termos importantes

Incident Response (IR)
A coordinated process to contain, investigate, eradicate and recover a company from a cyberattack, following structured stages (preparation, detection and analysis, containment, eradication, recovery and lessons learned) to minimize damage and restore operations safely.
Containment
The stage in which the affected environment is isolated to prevent the attack from spreading, without shutting down or formatting systems, so as to preserve the evidence needed for the investigation and eradication.
Eradication
The complete removal of the intruder's presence (malicious accounts, persistence, malware) and the fix of the vulnerability that allowed entry, ensuring the attack does not repeat through the same vector.
MED (Special Return Mechanism)
A Pix system feature that allows the bank to block and attempt to return funds in cases of fraud or operational failure, within a short time window, which is why contact with the bank must be immediate.
ANPD
The National Data Protection Authority, the body that enforces the LGPD in Brazil and that must be notified of security incidents involving personal data within 3 business days from awareness, under Resolution CD/ANPD No. 15/2024.
Threat Management (DIC)
Decripte's free plan (Decripte Intelligence Center), at decripte.com.br/intelligence-center, that continuously monitors credential leaks, dark web exposure and domain reputation, with no credit card and no need for a technical team, helping to detect compromises early.

Perguntas frequentes

My company was just hacked, what is the first thing I should do?

Isolate the affected equipment from the network (unplug the cable and turn off Wi-Fi), but do NOT shut down or format the machine, so you don't erase the evidence. From a clean device, change the passwords of critical accounts, enable MFA and close open sessions. Then engage an Incident Response team. Decripte responds 24/7 with a containment SLA of up to 1 hour through the contact page.

Should I turn off the hacked computer to stop the attack?

No. Shutting down abruptly erases volatile memory and data that prove how the attack happened and help fully expel the intruder. The right move is to isolate the machine from the network (cable and Wi-Fi) while keeping it powered on, to contain the spread without destroying the evidence.

Do I need to pay the ransom if it is ransomware?

Paying is not recommended: it does not guarantee the recovery key, funds the crime, does not prevent already exfiltrated data from being leaked or sold and does not waive the legal notification obligations. The safest path is to engage an Incident Response team to contain, assess backups and recover, as well as meet the LGPD duties if personal data was leaked.

Do I have to notify the ANPD if my company was hacked?

If personal data was leaked or exposed, yes. Under Resolution CD/ANPD No. 15/2024, the notification to the ANPD must occur within 3 business days from awareness of the incident, and the affected data subjects must also be notified. That is why the scope analysis must be fast: the deadline starts counting from the moment you become aware.

I was a victim of Pix fraud in an attack, is it possible to recover the money?

There may be a chance if you act fast. Contact the bank immediately to trigger the MED (Special Return Mechanism), which allows blocking and attempting to return the funds within a short window, and file a police report. If the Pix went out through a system intrusion, treat the case also as a security incident to understand the real extent of the compromise.

How do I engage Decripte for an incident that is happening right now?

Go to Decripte's contact page and engage Incident Response. Support is 24/7, with a containment SLA of up to 1 hour. Our team takes on the technical coordination alongside your team, leads containment, investigation, eradication and recovery, and supports meeting the legal obligations.

How do I find out if I was hacked before it becomes a crisis?

Use Decripte's free Threat Management plan (Decripte Intelligence Center) at decripte.com.br/intelligence-center: it monitors credential leaks, dark web exposure and your domain's reputation, with no credit card and no technical team. Many breaches first appear as leaked credentials, and detecting them early prevents the worst.

Can I change the passwords from the very computer that was hacked?

It is not safe. If there is a keylogger or session theft on the compromised device, the new passwords may be captured on the spot. Make the change from a device you know is clean (another phone or laptop), enable MFA and terminate all active sessions and API keys.

Incidente em andamento?

Comece agora pelo diagnóstico gratuito — e ative SOC 24/7 e resposta a incidentes nos planos pagos.

Veja em minutos o que já vazou da sua empresa. Quando precisar, a Decripte assume a contenção, a investigação forense e a recuperação do ambiente com SLA de contenção de 1 hora.