Cyber Incident Response Guide

Think you have been hacked?

Under a ransomware attack or suspect a breach? Sautech provides ransomware attack help and cyber incident response guidance — your actions in the first few minutes are critical.

If you suspect that your computer, server, Microsoft 365 account, email system, website or network has been compromised, the wrong action can destroy evidence, spread the attack further or make recovery more difficult.

Isolate affected systems, preserve evidence and contact a specialist immediately.

+27 11 768 1790
Do Not

Avoid these — they make things worse

Do not reboot the device

A restart discards everything held only in memory: running processes, active network connections, logged-on sessions and memory-resident malware. That volatile evidence is often what identifies the attacker and shows how the breach occurred, and it cannot be recovered once the machine has restarted.

Do not shut down servers

Unless instructed by a cyber security specialist, do not power servers off. Shutting down loses the same volatile evidence as a reboot, can interrupt an investigation in progress and can make business recovery harder, not easier.

Do not format or reinstall

Reinstalling Windows, wiping disks or restoring backups before the point of entry is known destroys the evidence on the disk and may bring the threat straight back: a backup taken after the initial compromise can contain the attacker's foothold along with your data.

Do not delete suspicious files

Files that appear malicious may contain evidence required to determine the source and extent of the compromise.

Do not continue working

Using an infected device may spread malware, encrypt additional data or expose more information.

Do not pay a ransom

There is no guarantee that cyber criminals will restore your data or stop future attacks. Payment does not remove the attacker's access, does not recover data that has already been copied out, and marks the organisation as one that pays.

Do not ignore the problem

Many attacks remain active for days or weeks if not investigated immediately.

Do

Take these steps — in order

Step 1

Disconnect from the network

Remove the network cable or disconnect Wi-Fi if it can be done safely. For a virtual machine, disconnect the virtual network adapter at the hypervisor rather than powering the guest off. Isolating at the network layer while leaving the device on helps prevent:

  • Data theft
  • Malware spreading
  • Additional encryption
  • Remote attacker access
Step 2

Leave the device powered on

Keep affected devices running unless specifically instructed otherwise by a cyber security specialist.

Step 3

Document what happened

Screenshots are extremely valuable; if the device itself cannot be trusted, photograph the screen with a phone instead. Record:

  • Time of discovery
  • Error messages
  • Unusual popups
  • The full text of any ransom note, including any ID or contact details it contains
  • User actions before the incident
  • Systems affected
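For an IT responder with local administrator rights, Steps 1 to 3 can be carried out together on a Windows host in a way that keeps the device powered on and captures the volatile evidence a reboot would destroy before the network is cut. The following script is an added example, not Sautech's own tooling or anything from the original guide; the output folder and the Hyper-V guest name are constructed placeholders. It assumes Windows PowerShell 5.1 or later with the built-in NetTCPIP, NetAdapter and ScheduledTasks modules (and the Hyper-V module for the commented variant).

```powershell
# Added example (not from the original page): record volatile state, then isolate at the network
# layer with the machine still running. Run as Administrator at the console of the affected host.
# $Out is a constructed placeholder for an evidence folder on local disk.
$Out = "C:\IR\$($env:COMPUTERNAME)-$(Get-Date -Format 'yyyyMMdd-HHmmss')"
New-Item -ItemType Directory -Path $Out -Force | Out-Null

# 1. Snapshot volatile evidence BEFORE touching the network: who this host is talking to,
#    what is running, and what is scheduled to run again. All of this is lost on reboot.
Get-NetTCPConnection -State Established |
    Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, OwningProcess,
        @{n='Process'; e={ (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName }} |
    Export-Csv -Path "$Out\connections.csv" -NoTypeInformation

Get-CimInstance Win32_Process |
    Select-Object ProcessId, ParentProcessId, Name, CommandLine, CreationDate |
    Export-Csv -Path "$Out\processes.csv" -NoTypeInformation

Get-ScheduledTask | Where-Object State -ne 'Disabled' |
    Select-Object TaskName, TaskPath, @{n='Action'; e={ $_.Actions.Execute -join ';' }} |
    Export-Csv -Path "$Out\scheduledtasks.csv" -NoTypeInformation

quser 2>$null | Out-File -FilePath "$Out\sessions.txt"   # logged-on users, if any

# 2. Now cut the network. Every adapter that is up (wired, Wi-Fi, virtual) is disabled and the
#    action is logged with a timestamp; the device itself stays powered on.
Get-NetAdapter | Where-Object Status -eq 'Up' | ForEach-Object {
    "$((Get-Date).ToString('o')) disabling $($_.Name) ($($_.MacAddress))" |
        Add-Content -Path "$Out\isolation.log"
    Disable-NetAdapter -Name $_.Name -Confirm:$false
}

# Hyper-V guest variant: isolate from the HOST so nothing is executed inside the guest.
# 'FILESRV01' is a constructed placeholder for the affected virtual machine.
# Get-VMNetworkAdapter -VMName 'FILESRV01' | Disconnect-VMNetworkAdapter
```

Two caveats for anyone running this. Disabling the adapters also drops your own remote session and stops endpoint security agents reporting, so run it at the physical console or through the hypervisor, and tell whoever is monitoring before you do. Output collected on a compromised host can have been tampered with by the attacker, so treat it as a first record to hand to the responders, not as proof.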
Step 4

Identify affected systems

Determine whether the incident involves:

  • A single workstation
  • Multiple users
  • Servers
  • Email accounts
  • Cloud services
  • Websites
Step 5

Change passwords from a clean device

If account compromise is suspected, only do this from a device known to be safe, never from the suspected device (not even to read the reset e-mail). Changing the password alone does not end sessions an attacker already holds, so also sign the account out everywhere, review the registered multi-factor authentication methods and check for mailbox forwarding and inbox rules. Do not reuse the old password on any other system. Accounts to cover:

  • Microsoft 365
  • Email accounts
  • VPN accounts
  • Administrative accounts
  • Banking systems
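For a Microsoft 365 account, the steps above can be scripted from a clean administrator workstation. The following is an added example written for this page, not Sautech's own procedure; it assumes the Microsoft.Graph and ExchangeOnlineManagement modules are installed, that the operator holds a role permitted to reset passwords and revoke sessions, and uses jane.doe@example.com as a constructed placeholder for the affected account.

```powershell
# Added example (not from the original page): contain a suspected-compromised Microsoft 365
# account from a CLEAN admin workstation. Requires Microsoft.Graph and ExchangeOnlineManagement.
$Upn = 'jane.doe@example.com'   # constructed placeholder for the affected account

Connect-MgGraph -Scopes 'User.ReadWrite.All', 'UserAuthenticationMethod.Read.All',
                        'AuditLog.Read.All', 'Directory.Read.All'
Connect-ExchangeOnline -ShowBanner:$false

# 1. Reset the password to a long random value and force a change at next sign-in.
#    Generated locally so the new secret never appears in a chat or e-mail.
$bytes = New-Object byte[] 24
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$tempPassword = [Convert]::ToBase64String($bytes)
Update-MgUser -UserId $Upn -PasswordProfile @{
    Password                      = $tempPassword
    ForceChangePasswordNextSignIn = $true
}

# 2. Revoke every refresh token and active session. Without this the attacker's existing
#    sessions keep working after the password change until their tokens expire.
Revoke-MgUserSignInSession -UserId $Upn | Out-Null

# 3. Review MFA methods. An attacker who registered their own phone or authenticator app
#    passes MFA even with the new password; remove anything the user does not recognise.
Get-MgUserAuthenticationMethod -UserId $Upn |
    Select-Object Id, @{n='Type'; e={ $_.AdditionalProperties['@odata.type'] }} |
    Format-Table -AutoSize

# 4. Look for mailbox persistence: forwarding settings and inbox rules that hide or copy mail.
Get-Mailbox -Identity $Upn |
    Select-Object ForwardingAddress, ForwardingSmtpAddress, DeliverToMailboxAndForward
Get-InboxRule -Mailbox $Upn |
    Select-Object Name, Enabled, ForwardTo, ForwardAsAttachmentTo, RedirectTo, DeleteMessage, MoveToFolder |
    Format-Table -AutoSize

# 5. Pull the recent sign-ins for the record: unexpected countries, IP addresses or apps are
#    the "logins from foreign countries" warning sign and show when the compromise started.
Get-MgAuditLogSignIn -Filter "userPrincipalName eq '$Upn'" -Top 50 |
    Select-Object CreatedDateTime, IpAddress,
        @{n='Country'; e={ $_.Location.CountryOrRegion }},
        @{n='ErrorCode'; e={ $_.Status.ErrorCode }}, AppDisplayName |
    Format-Table -AutoSize
```

Hand the new password to the user out of band (in person or by phone, not to the mailbox that was just compromised), and keep the output of steps 3 to 5 with the rest of the incident record: the sign-in list and any unfamiliar rule or MFA method are exactly what the investigating team will ask for first.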
Step 6

Notify management

Inform the appropriate management team immediately.

Step 7

Contact Sautech

Our cyber security team can assist with:

  • Incident containment
  • Threat analysis
  • Malware investigations
  • Ransomware response
  • Microsoft 365 compromise investigations
  • Network security reviews
  • Recovery planning
Common Warning Signs

You may be experiencing a cyber incident if…

  • Files suddenly become inaccessible
  • File extensions change unexpectedly
  • Antivirus alerts appear repeatedly
  • Unknown software is installed
  • Users are locked out of accounts
  • Microsoft 365 sign-ins from countries or IP addresses where you have no staff
  • Emails sent from your accounts without your knowledge
  • Systems become unusually slow
  • Websites are defaced or unavailable
  • Multiple users report the same issue
Emergency Response Checklist

Six steps, in order

  1. Disconnect affected systems from the network.
  2. Do not reboot or format devices.
  3. Take screenshots of any suspicious activity.
  4. Record what happened and when.
  5. Contact your IT team or Sautech immediately.
  6. Allow specialists to investigate before attempting recovery.
Remember

The first response to a cyber incident often determines how much data can be recovered, how quickly systems can be restored and whether evidence can be preserved.

If in doubt, stop, isolate and call for assistance.

Engage Our Team Immediately

Facing an incident right now?

Isolate the affected systems, preserve the evidence and get our cyber security team engaged. The sooner we respond, the more we can recover.

+27 11 768 1790 (or WhatsApp us)