Isolate, do not shut down
Disconnect the affected systems from the network (cable, Wi-Fi, segmentation) without powering them off: volatile memory holds evidence on the attacker and on what was touched.
A company that has been hit has little time and irreversible decisions to make. The golden rule: isolate without shutting down, do not pay on impulse, activate incident response. The Fortgale European SOC supports the response 24·7·365, from containment to notifications.
The actions that reduce the damage and preserve the evidence needed to understand what happened and what was exfiltrated.
Call the IR team: containment, eradication, reconstruction of the attack chain. The Fortgale European SOC is operational 24·7·365, median containment <30 min.
Verify intact and isolated backups before considering any payment. A free decryptor often already exists (No More Ransom). Paying guarantees neither data nor silence.
Payment does not guarantee recovery, does not guarantee the deletion of exfiltrated copies, funds the criminal ecosystem and may create regulatory exposure. First: backups, decryptor, incident response.
A ransomware case with personal data exfiltration triggers both notifications. They are different procedures, with different authorities and deadlines.
For essential and important entities: early warning within 24 hours, incident notification within 72 hours, final report within 30 days, all to the national CSIRT. See NIS2 explained.
If personal data is involved: notification to the supervisory authority within 72 hours (GDPR art. 33) and communication to the data subjects if the risk to them is high. See data breach notification.
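The two procedures above run in parallel from the same moment of awareness but with different recipients and clocks. The following deadline tracker is an added example, not code from Fortgale or from this page: it assumes both clocks start when the organisation becomes aware of the incident (which is how both regimes count) and uses a constructed, timezone-aware detection timestamp.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Deadline:
    regime: str       # "NIS2" or "GDPR"
    step: str         # which notification this is
    due: datetime     # absolute deadline, timezone-aware
    recipient: str    # who receives it


# Deadlines as stated on the page. The clock starts at awareness.
NIS2_STEPS = [
    ("early warning", timedelta(hours=24)),
    ("incident notification", timedelta(hours=72)),
    ("final report", timedelta(days=30)),
]
GDPR_STEPS = [
    ("personal data breach notification", timedelta(hours=72)),
]


def notification_deadlines(aware_at, nis2_entity, personal_data):
    """Return every applicable deadline, soonest first.

    nis2_entity:   True if the organisation is an essential or important entity.
    personal_data: True if the exfiltrated or encrypted data includes personal data.
    """
    if aware_at.tzinfo is None:
        # A naive timestamp silently shifts deadlines by the local UTC offset.
        raise ValueError("aware_at must be timezone-aware")
    out = []
    if nis2_entity:
        for step, delta in NIS2_STEPS:
            out.append(Deadline("NIS2", step, aware_at + delta, "national CSIRT"))
    if personal_data:
        for step, delta in GDPR_STEPS:
            out.append(Deadline("GDPR", step, aware_at + delta, "supervisory authority"))
    # sorted() is stable, so equal deadlines keep NIS2 before GDPR
    return sorted(out, key=lambda d: d.due)


def triage(deadlines, now, soon=timedelta(hours=24)):
    """Classify each deadline at time `now` as overdue, due soon, or open."""
    rows = []
    for d in deadlines:
        remaining = d.due - now
        if remaining < timedelta(0):
            state = "overdue"
        elif remaining <= soon:
            state = "due soon"
        else:
            state = "open"
        rows.append((d.regime, d.step, state))
    return rows


if __name__ == "__main__":
    # Constructed example: ransomware with personal data exfiltration
    # noticed by a NIS2 entity at 09:00 UTC.
    aware = datetime(2024, 5, 6, 9, 0, tzinfo=timezone.utc)
    deadlines = notification_deadlines(aware, nis2_entity=True, personal_data=True)
    for d in deadlines:
        print(f"{d.regime:5} {d.step:36} -> {d.recipient:22} by {d.due.isoformat()}")
    for row in triage(deadlines, aware + timedelta(hours=30)):
        print(row)
```

Running it with both flags set yields four deadlines: the NIS2 early warning after 24 hours, then the NIS2 incident notification and the GDPR notification at the same 72-hour mark but addressed to different authorities, and the final report after 30 days. The triage view at 30 hours shows the early warning already overdue while the 72-hour items are still open, which is the point of tracking them separately.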
Establishing which data was actually exfiltrated and collecting the evidence the notifications require: the technical side of digital forensics in incident response.
In Operation Storming Tide the Fortgale team contained a multi-stage intrusion (actor Mora_001, chain Matanbuchus 3.0 → Astarion → SystemBC): RClone exfiltration and ransomware prevented by containment.
Paying does not guarantee data recovery or the deletion of exfiltrated copies, it funds the criminal group and may itself constitute a regulatory breach. First: isolate, assess backups, activate incident response. Sometimes the decryptor is already available for free on No More Ransom.
No. Isolate them from the network without powering them off: shutting down destroys the evidence in memory (RAM) needed to reconstruct the attack and understand which data was exfiltrated.
Management and IT internally. Externally: national CSIRT within 24h if you are a NIS2 entity, and the supervisory authority within 72h if personal data is involved. They are distinct notifications: see NIS2 explained and data breach notification.
Often yes, with intact and isolated backups or a free decryptor where one exists. The IR team first verifies that the attackers have been eradicated, to avoid re-encryption after restore.
The Fortgale IR team is operational 24·7·365 with a European SOC: immediate support from the call, median containment <30 min, support for the CSIRT notification and evidence collection for the supervisory authority.
This page explains what to do. The two operational steps: activate the response if the attack is under way, build the outpost so it does not happen again.
IR hotline 24·7·365: operational response in 30 min, median containment <30 min, support for the NIS2 CSIRT notification within 24h.
The European SOC intercepts the attacker in the first four stages, within the 21-day dwell time, before they touch data or backups.
Continuous monitoring, triage and response across the ransomware groups active in Europe. The outpost that makes incidents rare.
If the attack is under way, call the IR hotline. If you want to prepare, talk to our analysts: containment, runbooks and notification support, with a European SOC in your time zone.
No nurturing sequences, no auto-replies. One of our analysts calls you back within one business day.
The full Report (executive summary · operational IoCs · technical runbook) is restricted. Share two details and one of our analysts contacts you with access and a short technical briefing.
Response in 30 minutes, containment in 1–4 hours. Even if you are not a Fortgale customer.