We Got Hit by Ransomware, What Do We Do? Step by Step Emergency Response
Quick answer: A ransom note on screen, changed file extensions, files that won't open? Stay calm and act in order; the first hours decide both data loss and legal exposure. In short: isolate affected systems from the network, do not power them off (that destroys evidence), do not pay immediately, document the incident and call an expert. DSET runs incident response and recovery with one team. 24/7 line: +90 536 662 38 09.
First 60 minutes, do now
- Isolate affected systems from the network. Pull the cable or disable Wi-Fi so encryption does not spread to other machines and network shares, but do not power off: RAM may hold useful keys and traces.
- Stop the spread. Temporarily pause shared drives, backup servers and cloud sync, because ransomware can encrypt those too.
- Document the incident. Photograph the note and record the time noticed, the affected systems and the new file extension. These are needed for response and legal steps.
- Call an expert. See the IR playbook and first 24 hours.
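One way to produce the record that the "Document the incident" step asks for, as an added example that is not DSET's own tooling. It assumes a responder runs it against an isolated or mounted copy of the affected tree; the function names, the field names and the `.encdemo` extension are constructed for illustration.

```python
import os, socket, tempfile
from collections import Counter
from datetime import datetime, timezone

def utc(ts):
    return datetime.fromtimestamp(ts, timezone.utc).isoformat(timespec="seconds")

def incident_record(root, noticed_at_utc, known_exts):
    """Survey root with directory listings and stat() only: no file is opened,
    changed or deleted. known_exts holds the extensions normal for this site."""
    counts, window, seen = Counter(), {}, 0
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            seen += 1
            ext = os.path.splitext(name)[1].lower()
            if not ext or ext in known_exts:
                continue
            try:
                m = os.stat(os.path.join(dirpath, name), follow_symlinks=False).st_mtime
            except OSError:
                continue  # unreadable entry: skip it rather than abort the survey
            counts[ext] += 1
            lo, hi = window.get(ext, (m, m))
            window[ext] = (min(lo, m), max(hi, m))
    suspect = counts.most_common(1)[0][0] if counts else None
    lo, hi = window.get(suspect, (None, None))
    return {
        "recorded_on_host": socket.gethostname(),
        "recorded_at_utc": utc(datetime.now(timezone.utc).timestamp()),
        "noticed_at_utc": noticed_at_utc,  # supplied by the person who saw the note
        "surveyed_root": root,
        "files_seen": seen,
        "suspect_extension": suspect,
        "files_with_suspect_extension": counts[suspect] if suspect else 0,
        "first_modified_utc": utc(lo) if lo is not None else None,
        "last_modified_utc": utc(hi) if hi is not None else None,
    }

def demo():
    """Constructed sample tree; '.encdemo' is a made-up extension."""
    sample = {"a/report.docx.encdemo": 1700000000, "a/db.bak.encdemo": 1700000600,
              "notes.txt": 1700000300, "READ_ME.txt": 1700000700}
    with tempfile.TemporaryDirectory() as root:
        for rel, mtime in sample.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as fh:
                fh.write("x")
            os.utime(path, (mtime, mtime))
        return incident_record(root, "2023-11-14T22:30:00+00:00", {".txt", ".docx", ".bak"})
```

The first and last modification times of files carrying the new extension bound the encryption window, which helps when choosing a backup that predates it.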
Do not
| Do not | Why |
|---|---|
| Pay immediately | No guarantee, funds crime, repeat target (CISA/FBI advise not to) |
| Format the system | Destroys evidence and recovery chance |
| Try random decryptors | Wrong tool can corrupt files permanently |
| Rush to connect backups | A backup on an infected system gets encrypted too |
KVKK 72 hours
If personal data leaked or became inaccessible, a 72 hour notice to the Board may apply, see the template.
Will data come back?
With an offline backup, clean and restore. Without one, some strains allow decryption, and data that was deleted but not overwritten may partly return via recovery. Estimate with the damage tool. To prevent recurrence see the ransomware solution.
Why DSET
Since 2003, response and recovery by one team, no time lost between vendors, evidence preserved.
FAQ
- One sentence, what now? Disconnect the machine from the network (do not power off), photograph the note, call us.
- Power off? No, isolate instead. Powering off can destroy RAM traces.
- Will paying restore data? There is no guarantee. Focus on response and recovery.
Emergency response now: +90 536 662 38 09.