Immediately block the user’s account

Click the link to check where it leads

Ask the user to reply to the email for verification

Analyze the email headers for sender details and authentication records

Pay the ransom to retrieve the files

Disconnect the infected machine from the network

Run a full antivirus scan while keeping the system online

Ask the user to rename the encrypted files

Review web server logs and check for signs of successful exploitation

Contact the attacker to negotiate

Upgrade the server hardware

Block IP to prevent SQL attacks

It turns off the Windows Defender Firewall for all network profiles (Domain, Private, and Public).

It disables only the Domain profile of Windows Firewall, leaving Private and Public profiles active.

It blocks all incoming and outgoing traffic by setting the firewall to its strictest mode.

It resets the firewall rules to their default settings without disabling the firewall.

Block the attacker's IP, enforce account lockout policies, and enable multi-factor authentication (MFA).

Change the RDP port from 3389 to a random high-number port to evade attackers.

Disable failed login alerts in the SIEM to reduce noise from brute-force attempts.

Add the attacker’s IP to a global "safe list" to monitor their activity.

Immediately block the user’s account and delete all transferred files from the cloud provider.

Contact the employee FLM directly and ask them to explain their activity.

Disable all outbound internet access to prevent further uploads.

Review SIEM and proxy logs to confirm the source, destination, and nature of the data transfer.

Immediately lock the account, force a password reset, and review the account's recent activity.

Notify the account owner to change their password immediately and continue monitoring the account for further activity.

Reset the password for all users in the organization to prevent widespread compromise.