Emergency guide · Ransomware · IR 24·7·365

Ransomware attack: what to do in the first minutes.

A company that has just been hit has little time and irreversible decisions to make. The golden rule: isolate without shutting down, do not pay on impulse, activate incident response. The Fortgale European SOC supports the response 24·7·365, from containment to notifications.

Do not pay · The ransom guarantees nothing
Isolate, do not shut down · RAM is evidence
<30 min · Median IR containment
IR standards
ISO/IEC 27001
MITRE ATT&CK
NIST IR
Notifications
National CSIRT · NIS2
Supervisory authority · GDPR art. 33
No More Ransom
The first 60 minutes

What to do now, in order.

The actions that reduce the damage and preserve the evidence needed to understand what happened and what was exfiltrated.

01 · Isolate, do not shut down

Disconnect the affected systems from the network (cable, Wi-Fi, segmentation) without powering them off: volatile memory holds evidence on the attacker and on what was touched.

02 · Activate incident response

Call the IR team: containment, eradication, reconstruction of the attack chain. The Fortgale European SOC is operational 24·7·365, median containment <30 min.

03 · Assess backups, not the ransom

Verify intact and isolated backups before considering any payment. A free decryptor often already exists (No More Ransom). Paying guarantees neither data nor silence.

The decisive question

Pay the ransom? Almost never the answer.

Payment does not guarantee recovery, does not guarantee the deletion of exfiltrated copies, funds the criminal ecosystem and may create regulatory exposure. First: backups, decryptor, incident response.

After containment · the notifications

Two distinct obligations, often together.

A ransomware case with personal data exfiltration triggers both notifications. They are different procedures, with different authorities and deadlines.

NIS2 · Notification to the national CSIRT

For essential and important entities: early warning 24 hours, notification 72 hours, final report 30 days. See NIS2 explained.

GDPR · Notification to the supervisory authority

If personal data is involved: notification within 72 hours (art. 33) and communication to data subjects if the risk is high. See data breach notification.

Technical · The forensic work

Establishing which data was actually exfiltrated and collecting the evidence the notifications require: the technical side of digital forensics in incident response.
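The two notification tracks above run on different clocks from the same detection time. The following helper, added here as an example and not part of the Fortgale page or its tooling, turns the deadlines stated on the page (NIS2: 24 h, 72 h, 30 days; GDPR art. 33: 72 h) into a sorted timeline and reports which deadlines are already overdue; the timestamps and the incident parameters are constructed for illustration.

```python
from datetime import datetime, timedelta

# Deadlines as stated on the page, counted from the moment the incident became known.
NIS2_STEPS = (
    ("NIS2 early warning to the national CSIRT", timedelta(hours=24)),
    ("NIS2 incident notification to the national CSIRT", timedelta(hours=72)),
    ("NIS2 final report to the national CSIRT", timedelta(days=30)),
)
GDPR_STEP = ("GDPR art. 33 notification to the supervisory authority", timedelta(hours=72))


def notification_plan(detected_at_iso, nis2_entity, personal_data, high_risk=False):
    """Build the notification timeline for one incident.

    detected_at_iso: ISO 8601 timestamp with a UTC offset, e.g. "2024-03-01T09:00:00+00:00".
    Returns (deadlines, actions): deadlines is a list of (label, iso_deadline) sorted
    soonest first; actions lists obligations the page states without a fixed deadline.
    """
    detected_at = datetime.fromisoformat(detected_at_iso)
    if detected_at.tzinfo is None:
        raise ValueError("detected_at_iso must carry a UTC offset")
    pending = []  # (label, datetime)
    actions = []
    if nis2_entity:  # essential or important entity under NIS2
        pending += [(label, detected_at + delta) for label, delta in NIS2_STEPS]
    if personal_data:  # personal data involved: GDPR track applies
        label, delta = GDPR_STEP
        pending.append((label, detected_at + delta))
        if high_risk:  # communication to data subjects, no hour count given on the page
            actions.append("GDPR communication to data subjects (high risk)")
    pending.sort(key=lambda item: item[1])  # stable: NIS2 72 h stays ahead of GDPR 72 h
    return [(label, due.isoformat()) for label, due in pending], actions


def status(deadlines, now_iso):
    """Split a plan into (overdue, upcoming) label lists as seen at now_iso."""
    now = datetime.fromisoformat(now_iso)
    overdue = [label for label, due in deadlines if datetime.fromisoformat(due) < now]
    upcoming = [label for label, due in deadlines if datetime.fromisoformat(due) >= now]
    return overdue, upcoming


if __name__ == "__main__":
    # Constructed scenario: NIS2 entity, personal data exfiltrated, high risk.
    plan, extra = notification_plan("2024-03-01T09:00:00+00:00", True, True, True)
    for label, due in plan:
        print(f"{due}  {label}")
    print("also required:", extra)
    print("overdue at 2024-03-03T00:00Z:", status(plan, "2024-03-03T00:00:00+00:00")[0])
```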

22 · Countries covered
3 · Continents
287 · Tools and actors profiled
<30 min · Median containment
24·7·365 · European SOC
Real case · ransomware prevented

In Operation Storming Tide the Fortgale team contained a multi-stage intrusion (actor Mora_001, chain Matanbuchus 3.0 → Astarion → SystemBC): RClone exfiltration and ransomware prevented by containment.

Read the analysis →
FAQ · ransomware attack

The questions in the critical moments.

Should I pay the ransom?

Paying does not guarantee data recovery or the deletion of exfiltrated copies; it funds the criminal group and may constitute a breach. First: isolate, assess backups, activate incident response. Sometimes the decryptor is already free on No More Ransom.

Should I shut down the affected PCs?

No. Isolate them from the network without powering them off: shutting down destroys the evidence in memory (RAM) needed to reconstruct the attack and understand which data was exfiltrated.

Who do I have to notify?

Management and IT internally. Externally: national CSIRT within 24h if you are a NIS2 entity, and the supervisory authority within 72h if personal data is involved. They are distinct notifications: see NIS2 explained and data breach notification.

Can I recover the data without paying?

Often yes, with intact and isolated backups or a free decryptor where one exists. The IR team first verifies that the attackers have been eradicated, to avoid re-encryption after restore.

How fast can incident response start?

The Fortgale IR team is operational 24·7·365 with a European SOC: immediate support from the call, median containment <30 min, support for the CSIRT notification and evidence collection for the supervisory authority.

Under attack or want to prepare?

A ransomware emergency is managed in minutes.

If the attack is under way, call the IR hotline. If you want to prepare, talk to our analysts: containment, runbooks and notification support, with a European SOC in your time zone.

Response time: < 1 business day.