Resposta a Incidentes 24/7 · Ransomware

Ransomware hit your company? Act now, in the right order

O que fazer agora

Immediately isolate every affected machine from the network (remove the cable, turn off Wi-Fi and cut access to the backups), but do NOT shut down, reboot or format the equipment: the live memory and the artifacts on disk are essential for forensics and to try to recover data without paying. Do not pay the ransom on impulse, as there is no guarantee of return, payment funds the crime and can create legal exposure. Preserve the ransom note and samples of encrypted files to identify the variant and check whether a free public decryptor exists. Before any irreversible action, engage Decripte's 24/7 Incident Response through /contato, with containment within 1 hour.

SOC 24x7 e SLA de contenção de até 1 hora. A Decripte é especialista em resposta a incidentes para fintechs, crypto, apps, e-commerces e empresas de todos os tamanhos.

Sinais de alerta

  • Files with strange, new extensions (for example .locked, .encrypted or random ones) that no longer open.
  • A ransom note in text or HTML appearing in several folders, on the desktop or as wallpaper.
  • Systems, ERPs and network shares suddenly inaccessible or slow across the whole company.
  • Backups, shadow copies or restore points deleted or inaccessible.
  • Antivirus or EDR alerts about processes suspected of mass encryption shortly before the outage.
  • Administrative logins outside business hours, unknown new accounts or abnormal outbound traffic indicating exfiltration.
  • An extortion message citing stolen data and threatening a leak, a sign of double extortion.

Primeiros passos — o que fazer agora

  1. 1

    Isolate the machines, without shutting down

    Disconnect the infected equipment from the network: remove the cable, disable Wi-Fi and block access to shared folders, NAS and cloud. Do not shut down or reboot: RAM contains keys and clues that vanish on restart.

  2. 2

    Protect the backups before the ransomware reaches them

    Disconnect the backups from the network, physically or logically, immediately. Many ransomware strains seek out and encrypt online backups first. If there is an immutable or offline copy, do not yet connect it to a possibly compromised environment.

  3. 3

    Do not pay the ransom on impulse

    Payment does not guarantee the return of the data, funds organized crime and can expose the company to liability. There are cases of defective decryptors and of new extortion after payment. Decide with forensic and legal support, never alone and under panic.

  4. 4

    Preserve the ransom note and samples

    Photograph the screen with the ransom note and keep the note file and a few sample encrypted files on separate media. These artifacts allow the variant to be identified in services such as ID Ransomware and No More Ransom and to assess whether a public decryptor exists.

  5. 5

    Engage Decripte's 24/7 Incident Response

    Through /contato, open an active-incident ticket. The SOC steps in with containment within 1 hour, guides the preservation of evidence and leads the forensics to prevent you from burning proof or destroying the only chance to recover data.

  6. 6

    Map the reach and check for exfiltration

    Identify which servers, workstations and accounts were touched and check for signs of exfiltration (anomalous outbound traffic, compression tools, mention of a leak in the note). Double extortion means your data may have been stolen before being encrypted.

  7. 7

    Assess the legal notification obligations

    If personal data was affected, notification to the ANPD must occur within 3 business days from awareness (Resolution CD/ANPD No. 15/2024), in addition to notice to the data subjects. If there is Pix fraud, notify the bank right away (MED) and file a police report. Document timestamps and actions from the first sign.

  8. 8

    Only restore after eradication

    Restoring from backup onto a still-compromised network reinfects everything. Eradicating the attacker's access, changing credentials and validating the backup's integrity come before turning systems back on. Restore from an immutable or offline copy following the 3-2-1 rule.

O que NÃO fazer

  • Do not shut down or reboot the affected machines: you erase the volatile memory with keys and evidence that could help recover data and investigate.
  • Do not format or reinstall the system before forensics: it is the definitive destruction of evidence and of the chance for a decryptor to work.
  • Do not pay the ransom on your own: with no guarantee of return, it funds the crime and can create liability; decide with forensic and legal support.
  • Do not restore a backup onto a still-compromised network: the ransomware re-encrypts everything within minutes if the attacker still has access.
  • Do not connect the immutable or offline backup to infected machines to check it: you risk contaminating your only recovery path.
  • Do not notify only internally and hide the incident: beyond the operational risk, the delay may breach the 3-business-day deadline to notify the ANPD when personal data is affected.

The first 60 minutes: containment without destroying evidence

The instinct to shut down or format the machine is exactly what harms recovery the most. The real priority is to contain propagation by isolating the equipment from the network, without losing the machine's state. Remove the network cable, disable Wi-Fi and segregate the affected VLAN, keeping the equipment powered on. RAM may contain encryption keys, ransomware processes and indicators that forensics uses to understand the attack and, in some cases, even recover data without paying.

In parallel, immediately protect the backups, because modern ransomware actively seeks them out. Disconnect the backup destinations from the network and do not mount backup volumes on suspicious machines. This is the moment to engage Decripte's 24/7 Incident Response through /contato: the SOC takes on containment with an SLA of up to 1 hour and guides each step so the company does not, unwittingly, burn its best chance of recovery.

Why not to pay the ransom (and the real nuances)

Paying does not buy certainty. In many cases the decryptor delivered is slow, incomplete or simply does not work, and there are records of victims who paid and were extorted again. Every payment also directly funds organized crime and strengthens the ransomware-as-a-service business model, fueling the next attacks. Depending on who is behind the operation, payment may also expose the company to legal and sanction risks.

This does not mean ignoring the pressure of the deadline the criminals impose. It means turning a panic decision into an informed one: identify the variant, check whether there is a free public decryptor, assess the health of the backups and measure the real impact before considering any negotiation. This assessment must be done with forensic and legal support, and it is precisely what the Incident Response team leads at your side, without you having to face the attackers alone.

Resposta a Incidentes · 24/7

Cada minuto conta. Comece o diagnóstico gratuito agora e veja o que já vazou.

Comece pelo diagnóstico gratuito agora e veja em minutos o que já vazou. SOC 24x7 e contenção em até 1h nos planos pagos.

Identify the variant and look for a decryptor

Not all ransomware is irreversible. Some families have known flaws or had their keys recovered by task forces, and for them free public decryptors exist. To find out, you need to identify the variant, and that is why the ransom note and samples of encrypted files are so valuable. Services like ID Ransomware help recognize the family from these artifacts, and the No More Ransom project gathers decryption tools maintained by authorities and security companies.

That is why preservation comes before any cleanup attempt. Photograph the note, keep the note file and a set of sample encrypted files on separate, safe media. Even when no decryptor is available today, keeping the samples intact leaves the door open: keys and tools for specific variants often appear months later. Formatting or reinstalling destroys that possibility forever.

Ransomware is no longer only about encryption. In double extortion, the attacker steals the data before encrypting it and threatens to leak customer information, contracts and personal data if the company does not pay. That is why the analysis must check for signs of exfiltration: anomalous outbound traffic, use of compression and transfer tools, and explicit mentions of a leak in the ransom note. Treating the case only as a backup problem may hide an ongoing data leak.

When personal data is involved, legal duties with a short deadline arise. In Brazil, notification of the incident to the ANPD must occur within 3 business days from awareness, under Resolution CD/ANPD No. 15/2024, in addition to notice to the affected data subjects. If the attack comes with Pix fraud, immediate contact with the bank to trigger the MED and the filing of a police report also enter the timeline. Decripte supports both the forensics and the structuring of that notification, so the technical and legal responses move together.

Resposta a Incidentes · 24/7

Precisa conter o incidente agora? Comece de graça e ative a resposta 24x7.

Comece pelo diagnóstico gratuito agora e veja em minutos o que já vazou. SOC 24x7 e contenção em até 1h nos planos pagos.

Eradicate and recover safely, in the right order

Turning systems back on too early is the most common way to be attacked twice in the same week. Restoring a backup onto a network where the attacker still has access, with compromised accounts still valid and the entry door still open, only gives them new files to encrypt. Eradication comes first: identify and close the initial vector, remove persistence, change all credentials and invalidate sessions and tokens.

Only then comes recovery, ideally from an immutable or offline copy, following the 3-2-1 rule (three copies of the data, on two types of media, with one copy outside the environment). Restore in stages, validating integrity and monitoring for reinfection, and prioritize the systems most critical to the business. After everything is stabilized comes the lessons learned: closing the gaps that allowed the breach, improving detection and testing the backups. This complete cycle, from containment to prevention, is what Decripte operates 24x7 for companies of all sizes.

After the fire is under control: discover what is still exposed

Almost every ransomware attack starts with something that was already exposed: a leaked credential, an open remote access, a domain being used in phishing. After recovery, the most valuable work is to see that risk surface before the next attacker uses it. That is why Decripte offers a free Threat Management plan, the Decripte Intelligence Center, which monitors credential leaks, dark web exposure and your domain's reputation.

It is a starting point with no credit card and no need for a technical team, available at https://decripte.com.br/intelligence-center, that helps turn the incident into a concrete prevention plan. For those who need continuous coverage, the paid plans add 24x7 SOC, Incident Response, Pentest, Vulnerability Management and Compliance (LGPD and ISO 27001). The goal is simple: that the next call to Decripte is to prevent, and not to put out a fire.

Obrigações legais (Brasil)

When the attack involves personal data, notification to the ANPD must occur within 3 business days from awareness of the incident (Resolution CD/ANPD No. 15/2024), with notice also to the affected data subjects. If there is Pix fraud, notify the bank immediately to trigger the MED (Special Return Mechanism), whose window is short. File a police report and document the incident timeline from the first sign. Paying a ransom, besides not guaranteeing the return, can create legal exposure and must be assessed with legal support. These rules and deadlines (ANPD/LGPD) are Brazilian.

Termos importantes

Ransomware
Malicious software that encrypts the victim's files and systems and demands a ransom payment to release access. Modern versions also steal data before encrypting.
Double extortion
A tactic in which the attacker exfiltrates (steals) the data before encrypting it and threatens to leak it publicly if the ransom is not paid, adding leak blackmail to the unavailability.
Decryptor
A tool capable of reversing the encryption of a specific ransomware variant. For some families free public decryptors exist, such as those gathered by the No More Ransom project.
Immutable backup
A backup copy that cannot be altered or deleted during a defined period, even by administrators or malware, which protects it from ransomware encryption.
3-2-1 rule
A backup best practice: keep at least three copies of the data, on two different types of media, with at least one copy stored outside the environment (offline or in another location).
MED (Special Return Mechanism)
A Pix tool that allows a financial institution to attempt to block and return funds in cases of fraud or operational failure. The window to trigger it is short, which is why contact with the bank must be immediate.

Perguntas frequentes

I just saw the ransom note, should I turn off the computer now?

Do not shut down or reboot. Isolate the machine from the network by removing the cable and disabling Wi-Fi, but keep the equipment powered on. Shutting down erases the volatile memory, which may contain encryption keys and evidence used in forensics and in possible attempts to recover data without paying.

Should I pay the ransom to recover my files quickly?

Paying does not guarantee the return of the data, funds the crime and can create legal exposure. There are cases of decryptors that do not work and of new extortion after payment. Before considering paying, identify the variant, check whether a free public decryptor exists and assess the backups, always with forensic and legal support.

Is there any way to decrypt without paying?

Sometimes yes. Some variants have free public decryptors, maintained by projects like No More Ransom. To find out, you need to identify the ransomware family using the ransom note and samples of encrypted files, for example in ID Ransomware. That is why you should never format before analysis.

How do I know if the criminals stole my data, and not just encrypted it?

Modern ransomware often practices double extortion: it steals the data before encrypting. Look for signs of exfiltration, such as anomalous outbound traffic, transfer tools and leak threats in the note. Forensic analysis confirms the reach and indicates whether there was a leak of personal data, which changes your legal obligations.

Do I need to notify the ANPD and the customers about the attack?

If personal data was affected, yes. Notification to the ANPD must occur within 3 business days from awareness of the incident, under Resolution CD/ANPD No. 15/2024, in addition to notice to the affected data subjects. File a police report and document the timeline. Decripte supports the structuring of that notification.

Can I restore my backups now to get back to operating?

Not yet, if the network is still compromised. Restoring with the attacker still inside makes everything get encrypted again. First you need to eradicate the access, change credentials and close the entry vector. Then restore from an immutable or offline copy, validating integrity, following the 3-2-1 rule.

My company is small, does Decripte serve it anyway?

Yes. Decripte serves companies of all sizes, from startups and e-commerces to fintechs and exchanges. 24/7 Incident Response is available through /contato with containment within 1 hour, and there is a free Threat Management plan at https://decripte.com.br/intelligence-center to monitor exposure and prevent the next attack.

How long does Decripte take to start containing the attack?

Incident Response operates 24x7 with a containment SLA of up to 1 hour. When you open the ticket through /contato, the team starts the isolation and the evidence-preservation guidance immediately, leading the forensics to avoid irreversible actions and maximize the chance of recovering the data.

Incidente em andamento?

Comece agora pelo diagnóstico gratuito — e ative SOC 24/7 e resposta a incidentes nos planos pagos.

Veja em minutos o que já vazou da sua empresa. Quando precisar, a Decripte assume a contenção, a investigação forense e a recuperação do ambiente com SLA de contenção de 1 hora.