GET EMERGENCY HELP NOW!
Are you currently experiencing a data breach or ransomware attack? Call Us Now!
We are available 24/7
If you are not currently under attack,
bookmark this page and save our
emergency number: 866-952-9372 extension 9

Acting quickly in response to a data breach is crucial to prevent further damage and minimize the impact on affected individuals and organizations. The first steps you take and how quickly you take them will drastically alter the level of success you have in recovering from the attack.

Take These Steps Immediately Before Doing Anything Else
PHASE 1: STOP, breathe, and analyze the situation
- DO NOT communicate with the attacker regardless of the threats they pose or offers they make. Time is your only advantage and keeping the attacker in the dark will buy you valuable time.
- Record all details of the communication from the attacker, including the message on the affected machine(s), any emails received and sent, and any .TXT files. DO NOT click any links or download any attachments.
- Send all details to your in-house or outsourced IT team, and your 3rd party cybersecurity services provider like 13 Layers.
- Call the 13 Layers team on our emergency response line at 866-952-9372 extension 9
PHASE 2: Detection and Containment
Isolate the affected system(s) to prevent the malicious traffic or malware from spreading to other systems.
- Disconnect the infected devices from the network and disable any wireless connectivity, such as Wi-Fi and Bluetooth.
- DO NOT power them down. Keeping them running retains any artifacts or evidence that our forensics team may need.
- If several systems or subnets are affected, take that segment off the network at the switch level. If that is not possible, disconnect each individual system from the switch itself.
- After an initial compromise, malicious actors may monitor an organization’s activity to assess whether they have been detected. It’s important to isolate systems in a coordinated manner and to use off-network communication methods, such as in-person meetings and cell phones that aren’t connected to Wi-Fi, to avoid alerting the attackers. Failure to do so could cause even more problems.
- If your IT team is struggling with these steps, be sure to engage our Emergency Response Team immediately via phone at 866-952-9372 extension 9
PHASE 3 – Protecting existing systems
If you’re experiencing an active ransomware attack, there are further steps you need to take to contain the attack.
- If you have online backups, consider disconnecting them from the network until you are sure the infection is contained.
- Suspend privileged and local accounts that you suspect are part of the attack.
- Stop any remote login sessions.
- Reset any compromised user accounts, including any shared local accounts, and require each user to log in again and activate two-factor or multi-factor authentication. If you don’t do this, the attacker may still have persistent access to the token behind the user credentials and a password reset will be useless.
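One way to carry out the suspend, reset and token-revocation steps above, as an added example that is not part of the original page or 13 Layers' own tooling. It assumes on-premises Active Directory synced to Microsoft Entra ID, with the ActiveDirectory module and the Microsoft Graph PowerShell SDK installed; the parameter names and log path are hypothetical.

```powershell
#Requires -Modules ActiveDirectory
# Added example. Assumes AD synced to Entra ID and the Microsoft Graph
# PowerShell SDK (provides Connect-MgGraph / Revoke-MgUserSignInSession).
# Run from a trusted admin workstation, not from an affected machine.
[CmdletBinding(SupportsShouldProcess)]
param(
    [Parameter(Mandatory)][string[]]$SamAccountName,   # suspected accounts
    [string]$LogPath = '.\containment-log.csv'         # hypothetical path
)

Connect-MgGraph -Scopes 'User.ReadWrite.All'

foreach ($name in $SamAccountName) {
    $user = Get-ADUser -Identity $name -Properties UserPrincipalName
    if (-not $PSCmdlet.ShouldProcess($name, 'Suspend, reset, revoke sessions')) {
        continue
    }

    # 1. Suspend the account so no new logons succeed.
    Disable-ADAccount -Identity $user

    # 2. Reset to a random password that is never stored or displayed.
    #    The owner gets a fresh reset once the account is cleared.
    $bytes = [byte[]]::new(24)
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $plain  = [Convert]::ToBase64String($bytes) + 'aA1!'   # meet complexity rules
    $secure = ConvertTo-SecureString $plain -AsPlainText -Force
    Set-ADAccountPassword -Identity $user -Reset -NewPassword $secure
    Set-ADUser -Identity $user -ChangePasswordAtLogon $true

    # 3. A password reset alone leaves issued tokens usable. Revoke refresh
    #    tokens and session cookies so every client must sign in again.
    Revoke-MgUserSignInSession -UserId $user.UserPrincipalName | Out-Null

    # 4. Keep a timestamped record of each action for the incident timeline.
    [pscustomobject]@{
        TimeUtc = (Get-Date).ToUniversalTime().ToString('o')
        Account = $name
        Upn     = $user.UserPrincipalName
        Actions = 'disabled;password-reset;sessions-revoked'
    } | Export-Csv -Path $LogPath -Append -NoTypeInformation
}
```

Run it with `-WhatIf` first to confirm the account list. Access tokens already issued remain valid until they expire, so keep the accounts disabled until containment is confirmed.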
PHASE 4 – Notify staff and stakeholders
If your organization’s email has been compromised (referred to as a Man-In-The-Middle attack), notifying employees via an all-hands meeting, cell phone, or text message is advised to avoid tipping off the attackers.
- Notify staff to prevent users from logging into any impacted systems.
- Notify the executive team and implement your existing incident response plan. If you don’t have one, immediately engage our Emergency Response Team via phone at 866-952-9372 extension 9
PHASE 5 – Request specialized help
- Engage a professional cybersecurity incident response firm with an in-house Emergency Response Team like 13 Layers. Local IT companies do not have this capability.
- Contact your local FBI or US Secret Service field office. Only do this if you don’t have access to a firm like 13 Layers that has direct internal connections with the FBI, NSA and CISA.
  - Find a local FBI field office: https://www.fbi.gov/contact-us/field-offices
  - Find a local US Secret Service field office: https://www.secretservice.gov/contact/field-offices
PHASE 6 – 13 Layers to the rescue!
- The moment we pick up your phone call, we go to work for you. We recommend calling us at the beginning of Phase 1 above or at any other point as every minute counts.
- We will immediately build out a custom threatINTELLIGENCE appliance and ship it to your location within 48 hours of our phone call. Once threatINTELLIGENCE is in place, that entire segment of the network will be isolated and protected.
- We will then continue to lead you through the above process regardless of what point you are at to:
  - Isolate and contain the infection
  - Identify the source
  - NOT pay the ransom
  - Recover as much data as possible
  - Prevent this from ever happening again