0–30 minutes: contain
- Disconnect affected devices from Wi‑Fi/Ethernet (don’t power off unless advised).
- Disable suspicious accounts and reset admin credentials (use MFA).
- Stop the spread: isolate servers/shared drives if ransomware is suspected.
30–120 minutes: assess + preserve evidence
- Document what happened, when, and which systems are impacted.
- Preserve logs/emails/screenshots. Avoid wiping devices.
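One way to carry out the preservation step, as an added example that is not part of the original checklist: copy each log, email or screenshot into a separate evidence folder and record its SHA-256 hash, collector and collection time, so any later change to the stored copies can be detected. The function names, manifest fields and sample files are assumptions made for the illustration.

```python
import hashlib, json, shutil, tempfile
from datetime import datetime, timezone
from pathlib import Path

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(1 << 20), b""):  # 1 MiB chunks
            h.update(block)
    return h.hexdigest()

def preserve(sources, evidence_dir, collector):
    """Copy files into evidence_dir and write manifest.json describing them."""
    root = Path(evidence_dir)
    root.mkdir(parents=True, exist_ok=True)
    entries = []
    for i, src in enumerate(map(Path, sources)):
        digest = sha256_file(src)
        dest = root / f"{i:04d}_{src.name}"      # index prefix avoids name clashes
        shutil.copy2(src, dest)                   # copy2 keeps file timestamps
        if sha256_file(dest) != digest:
            raise OSError(f"copy of {src} differs from the original")
        entries.append({
            "original_path": str(src.resolve()), "stored_as": dest.name,
            "sha256": digest, "size": src.stat().st_size,
            "collected_utc": datetime.now(timezone.utc).isoformat(),
            "collected_by": collector})
    (root / "manifest.json").write_text(json.dumps(entries, indent=2))
    return entries

def verify(evidence_dir):
    """Return stored names that are missing or no longer match the manifest."""
    root = Path(evidence_dir)
    entries = json.loads((root / "manifest.json").read_text())
    return [e["stored_as"] for e in entries
            if not (root / e["stored_as"]).is_file()
            or sha256_file(root / e["stored_as"]) != e["sha256"]]

def demo():  # constructed sample files; one stored copy is then altered
    with tempfile.TemporaryDirectory() as tmp:
        log, mail = Path(tmp, "auth.log"), Path(tmp, "suspicious.eml")
        log.write_text("constructed log line: login failed user=admin\n")
        mail.write_text("Subject: constructed sample message\n")
        entries = preserve([log, mail], Path(tmp, "evidence"), "responder-1")
        clean = verify(Path(tmp, "evidence"))
        Path(tmp, "evidence", entries[0]["stored_as"]).write_text("edited")
        return len(entries), clean, verify(Path(tmp, "evidence"))

if __name__ == "__main__":
    print(demo())
```

Store the evidence folder on media separate from the affected device, and keep a copy of `manifest.json` somewhere the stored files cannot be edited from.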
2–24 hours: recover safely
- Restore from known-good backups (test restores first).
- Patch vulnerabilities and rotate credentials.
- Enable stronger baselines: MFA, device security, backup monitoring.
Need urgent help?
If you suspect ransomware or account compromise, contact us. We’ll help contain, recover, and harden your environment.