My company is under cyberattack right now: what to do in the first minutes
O que fazer agora
Act to contain, not to investigate. Isolate the compromised machines and segments from the network (unplug the cable or disable the interface), but do NOT shut down the equipment, to preserve volatile memory as evidence. Then cut off VPN and suspicious remote access, block and force a password change on privileged accounts, protect the backups and engage 24/7 Incident Response. Decripte operates a 24x7 SOC with a containment SLA of up to 1 hour: engage us at decripte.com.br/contato and we start containing with you in real time.
SOC 24x7 e SLA de contenção de até 1 hora. A Decripte é especialista em resposta a incidentes para fintechs, crypto, apps, e-commerces e empresas de todos os tamanhos.
Sinais de alerta
- ›Files being renamed en masse, with strange extensions, and ransom notes appearing in folders and on the desktop.
- ›Administrative logins or VPN/RDP access at unusual times, from uncommon IPs or countries, or from accounts that should not be active.
- ›Sudden slowness, high CPU or network usage and servers and services going down with no apparent cause.
- ›User accounts being created, privileges elevated or administrator passwords changed without anyone on the team doing it.
- ›Security tools (antivirus, EDR) disabled, firewall rules altered or logs disappearing.
- ›Abnormal outbound traffic to unknown external servers, indicating data exfiltration or communication with a command-and-control server.
- ›Alerts from providers, banks or customers reporting suspicious activity, extortion emails or company data for sale.
Primeiros passos — o que fazer agora
- 1
Engage 24/7 Incident Response now
Before touching anything on your own, call your security team or Decripte at decripte.com.br/contato. In an active attack, every minute amplifies the damage. Our 24x7 SOC steps into the case with a containment SLA of up to 1 hour and guides you in real time, preventing you from erasing evidence or tipping off the attacker.
- 2
Isolate, do not shut down
Disconnect the compromised machines and servers from the network: unplug the network cable, disable Wi-Fi or block the port on the switch. Do NOT shut down or reboot the equipment, because RAM, active processes and the attacker's keys vanish on boot and you lose evidence essential to the investigation and to your legal defense.
- 3
Cut off remote access and VPN
Drop all active VPN, RDP, SSH and remote-access tool sessions (AnyDesk, TeamViewer). If the vector is a leaked credential, the intruder comes in through legitimate access: disabling the VPN concentrator and the remote-access rules at the edge closes the door while you identify the compromised account.
- 4
Block accounts and force password rotation
Immediately suspend suspicious accounts and all accounts with administrative privilege (domain admins, root, service accounts). Force a password change and revoke active tokens and sessions. Enable MFA where there was none. Prioritize Active Directory, the identity provider (Entra ID, Google Workspace) and email.
- 5
Segment the network to slow propagation
If the attack is spreading (ransomware, lateral movement), isolate entire segments: separate critical servers, backups and workstations into distinct VLANs and block lateral traffic (SMB, RDP) between them at the firewall. The goal is to prevent the intruder from reaching backups and systems that are still healthy.
- 6
Protect and disconnect the backups
Check that the backups are intact and disconnect them from the network immediately. Modern ransomware seeks out and encrypts backups before detonating. An offline, intact backup is your main chance of recovery without paying a ransom, so take it out of the attacker's reach now.
- 7
Set up the war room and record everything
Bring together, in a single channel outside the compromised network (preferably a phone group), those responsible for IT, security, legal, communications and leadership. Note timestamps, actions and what was observed. This record becomes the incident timeline and supports the legal notifications and the conversation with the insurer.
- 8
Prepare crisis communication and meet the legal deadlines
Do not communicate anything publicly before understanding the scope, but start preparing. If there is a leak of personal data with risk to data subjects, notification to the ANPD must occur within 3 business days from awareness, under Resolution CD/ANPD No. 15/2024, with notice to the affected data subjects. In Pix fraud, contact the bank right away to trigger the MED and file a police report.
O que NÃO fazer
- ✕Do not shut down or reboot the compromised machines: booting erases the volatile memory and the attacker's processes, destroying evidence that defines the attack's scope and your legal defense.
- ✕Do not delete logs or suspicious files nor 'clean' the machine on your own. That eliminates the forensic trail, hinders full eradication and may leave the intruder's backdoor active.
- ✕Do not pay a ransom on impulse nor negotiate with the attacker alone. Paying does not guarantee recovery, funds the crime and may have legal implications; involve Incident Response and legal before any contact.
- ✕Do not announce publicly nor send broad internal notices before containing. If the attacker still has access, they read your emails and channels and accelerate the attack once they realize they were discovered.
- ✕Do not use the compromised network or email to coordinate the response. Set up the war room in an out-of-band channel (phone, clean account) so the intruder cannot follow your actions.
- ✕Do not fail to record timestamps and actions. Without a timeline, you miss legal deadlines, hamper the investigation and cannot prove diligence to the ANPD, the insurer and customers.
An active attack is not the same as an incident already consummated
There is a practical difference that completely changes your response. An active attack is when the intruder is still inside the network right now: encrypting files, moving laterally, exfiltrating data or keeping a live access. The absolute priority here is real-time containment, cutting off the attacker's access and stopping propagation before they reach backups, critical systems and more data.
An already consummated incident is when the damage has happened and the attacker may be gone: the ransomware has already encrypted everything, the data has already leaked, the fraud has already occurred. Here the focus shifts to scope, eradicating any back door left behind, recovering from clean backups and meeting legal obligations. Treating an active attack as if it were already over is a costly mistake, because while you restore, the intruder keeps operating.
When in doubt, assume the attack is active and that the attacker still has access. This conservative posture guides you to contain first, communicate carefully and not trust potentially compromised systems. Decripte's Incident Response team helps make exactly that fast diagnosis and decide, with confidence, which scenario you are in.
The right containment sequence, following the NIST standard
Incident response follows a tested flow: preparation, detection and analysis, containment, eradication, recovery and lessons learned. In the middle of an attack, you are in the detection/analysis and containment phases at the same time, and they must move together. Before cutting everything off blindly, do a quick read of what is happening: what is being affected, how the intruder got in and how far they reached. This avoids incomplete containment, where you close one door and leave another open.
Containment has two phases. Short-term containment stops the bleeding now: isolate machines, drop VPN and RDP, block accounts, segment the network. Long-term containment prepares for eradication: apply stricter firewall rules, rebuild credentials, secure clean backups. Only then comes eradication itself, removing malware, backdoors and accounts created by the attacker, and then recovery, with the gradual and monitored return of systems.
The most common mistake of those who respond alone is skipping analysis and going straight to recovery, restoring backups while the intruder is still inside, which only restarts the cycle. A 24x7 SOC avoids this because it tracks telemetry in real time, confirms when the attacker's access has actually been cut off and only releases recovery when the environment is clean. It is this continuous monitoring that turns a reaction in the dark into a controlled response.
Cada minuto conta. Comece o diagnóstico gratuito agora e veja o que já vazou.
Comece pelo diagnóstico gratuito agora e veja em minutos o que já vazou. SOC 24x7 e contenção em até 1h nos planos pagos.
Real-time containment: where to cut off the attacker's access
The three most effective choke points in an active attack are identity, remote access and segmentation. Identity because most advanced attacks use stolen legitimate credentials, so blocking privileged accounts, revoking sessions and forcing MFA drops the intruder from within the very mechanism they use to look like a normal user. Start with Active Directory and the cloud identity provider, which are the heart of access.
Remote access because VPN, RDP, SSH and remote support tools are the attacker's entry door and return channel. Dropping the VPN concentrator, closing internet-exposed RDP and blocking AnyDesk and TeamViewer at the firewall cuts off the way back. Segmentation because, once inside, the intruder moves laterally, and isolating critical servers, backups and workstations into separate segments, blocking SMB and RDP between them, turns an incident that could take down the entire company into a confined problem.
Each of these actions must be done in the right order and validated, otherwise you warn the attacker without actually expelling them. That is why containment in an active attack is where it most pays off to have someone experienced at your side: Decripte connects your environment to our SOC and executes containment together with your team, validating in real time that each closed door stayed closed. Engage us at decripte.com.br/contato and the clock on our 1-hour SLA starts running.
War room, crisis communication and legal obligations
Incident response is not only technical. Set up a war room bringing together IT and security, leadership, legal and communications in a single channel outside the compromised network. Designate a coordinator, record every decision with a timestamp and centralize the information, so no one takes parallel actions that get in the way of each other. This record is also what supports the legal notifications and the conversation with the insurer and customers afterward.
Crisis communication must be deliberate. Internally, restrict information to those who need to act, because a broad notice on a compromised network alerts the attacker. Externally, do not confirm anything before understanding the scope, but have drafts ready for customers, partners and the press, with honest messages and no promises you cannot keep. Total silence also erodes trust; the balance is transparency at the right time.
In Brazil, the deadlines are concrete. If there is an incident with personal data that may generate relevant risk to data subjects, notification to the ANPD must occur within 3 business days from awareness of the incident, under Resolution CD/ANPD No. 15/2024, and the affected data subjects must also be notified. In Pix fraud, engage the bank immediately to use the MED (Special Return Mechanism), whose window is short, and file a police report. These deadlines run from the moment you become aware, that is, now, so record the time of detection from the start.
Precisa conter o incidente agora? Comece de graça e ative a resposta 24x7.
Comece pelo diagnóstico gratuito agora e veja em minutos o que já vazou. SOC 24x7 e contenção em até 1h nos planos pagos.
After containing: eradicate, recover and prevent it from happening again
Containment stops the bleeding, but does not cure. After cutting off the attacker's access, comes eradication: identify and remove all malware, webshells, backdoors, malicious scheduled tasks and accounts created by the intruder. This is where the forensic analysis done at the start pays off, because without knowing how they got in and what they touched, you never know for sure that you cleaned everything. Restoring without eradicating is the most common path to being attacked again within days.
Recovery must be gradual and monitored. Restore from backups proven to be clean, rebuild critical machines from scratch when in doubt, rotate all credentials and return systems to production in stages, watching the telemetry to detect any sign of the attacker's return. Only declare the incident closed when the environment goes through a period under monitoring with no anomalous activity.
Finally, the lessons learned. Every incident reveals how the attacker got in, and almost always the vector was already visible before: a leaked credential, an exposed domain, a service open on the internet. That is why Decripte offers a free Threat Management plan, the Decripte Intelligence Center, which monitors credential leaks, dark web exposure and your domain's reputation, with no credit card and no technical team needed. Start at decripte.com.br/intelligence-center to see your exposure before it becomes the next incident.
Obrigações legais (Brasil)
In Brazil, security incidents involving personal data that may generate relevant risk to data subjects require notification to the ANPD within 3 business days from awareness, under Resolution CD/ANPD No. 15/2024, in addition to notice to the affected data subjects. In Pix fraud, engage the bank immediately to use the MED (Special Return Mechanism), whose window is short, and file a police report. These deadlines run from the moment of awareness of the incident, so record the time of detection from the start. These rules and deadlines (ANPD/LGPD) are Brazilian.
Termos importantes
- Containment
- The phase of incident response that stops the ongoing attack: isolating machines and network segments, cutting off remote access and blocking accounts, preventing the intruder from spreading or causing more damage while the investigation advances.
- Lateral movement
- A technique in which the attacker, after compromising an initial point, moves within the network to reach other systems, servers and more valuable data, usually using stolen credentials and services such as SMB and RDP.
- War room
- A crisis-management room (physical or virtual) that brings together, in a single channel outside the compromised network, those responsible for IT, security, legal, communications and leadership to coordinate the incident response in real time.
- MED (Special Return Mechanism)
- A Pix system feature that allows the bank to block and attempt to return funds from transactions involving fraud or operational failure. It has a short trigger window, which is why immediate contact with the bank is decisive.
- 24x7 SOC
- A Security Operations Center that monitors and responds to threats 24 hours a day, 7 days a week. Decripte's SOC supports Incident Response with a containment SLA of up to 1 hour.
- Notification to the ANPD
- The legal obligation to notify the National Data Protection Authority of security incidents with personal data that may generate relevant risk to data subjects, within 3 business days from awareness, under Resolution CD/ANPD No. 15/2024.
Perguntas frequentes
My company is being attacked right now, what is the first thing I should do?
Isolate the compromised equipment from the network (unplug the cable or disable the interface) without shutting it down, cut off VPN and remote access and engage Incident Response. Decripte has a 24x7 SOC with a containment SLA of up to 1 hour: engage us at decripte.com.br/contato and we start containing with you in real time, preventing you from destroying evidence by mistake.
Should I turn off the computers to stop the attack?
No. Shutting down or rebooting erases the volatile memory, the active processes and the attacker's keys, destroying evidence essential to understanding the scope and to your legal defense. The right move is to isolate from the network without shutting down: unplug the cable, disable Wi-Fi or block the port on the switch, keeping the machine powered on.
How do I know if the attacker is still inside the network or if the attack is already over?
In practice, assume they are still inside until proven otherwise. Signs of an active attack include files being encrypted in real time, anomalous administrative logins, creation of new accounts and suspicious outbound traffic. Only an analysis of the telemetry confirms whether access has been cut off. Decripte makes that diagnosis together with you and validates when the environment is actually clean.
I had a data leak, do I have to notify the ANPD? Within what timeframe?
Yes, if the incident involved personal data and may generate relevant risk to data subjects. Notification to the ANPD must occur within 3 business days from awareness of the incident, under Resolution CD/ANPD No. 15/2024, and the affected data subjects must also be notified. The deadline counts from the moment you become aware, so record the time of detection right away.
We fell for a scam and money went out via Pix, is it possible to recover it?
There is a chance if you act fast. Contact the bank immediately to trigger the MED (Special Return Mechanism), which allows blocking and attempting to return funds from fraudulent transactions, but the window is short. Also file a police report. The sooner you notify the bank, the greater the likelihood that the funds are blocked before being withdrawn.
Should I pay the ransomware ransom?
Do not decide that alone or on impulse. Paying does not guarantee data recovery, funds the crime and may have legal implications. Before any contact with the attacker, involve an Incident Response team and legal, check whether there are clean backups and assess the real scope. Recovery from an intact backup is often viable without paying anything.
My company is small and has no security team, what do I do during an attack?
You do not have to face this alone. Do the basic containment (isolate machines without shutting them down, cut off VPN, change administrator passwords) and immediately engage 24/7 Incident Response. Decripte serves companies of all sizes with a 24x7 SOC and a 1-hour SLA at decripte.com.br/contato, running the technical response for you in real time.
How do I find out if my credentials or data were already exposed before the attack?
Almost every attack starts with a prior exposure: a leaked credential, an exposed domain or an open service. Decripte offers a free Threat Management plan (Decripte Intelligence Center) that monitors credential leaks, dark web exposure and your domain's reputation, with no credit card and no technical team. Start at decripte.com.br/intelligence-center to see your exposure and prevent the next incident.
Incidente em andamento?
Comece agora pelo diagnóstico gratuito — e ative SOC 24/7 e resposta a incidentes nos planos pagos.
Veja em minutos o que já vazou da sua empresa. Quando precisar, a Decripte assume a contenção, a investigação forense e a recuperação do ambiente com SLA de contenção de 1 hora.
