Analyze the email headers for sender details and authentication records

Immediately block the user’s account

Click the link to check where it leads

Ask the user to reply to the email for verification

Pay the ransom to retrieve the files

Re-image the device

Ask the user to rename the encrypted files

Disconnect the infected machine from the network

Upgrade the server hardware

Upgrade rule on WAF

Review web server logs and check for signs of successful exploitation

Block IP to prevent SQL attacks

It blocks all incoming and outgoing traffic by setting the firewall to its strictest mode.

It turns off the Windows Defender Firewall for all network profiles (Domain, Private, and Public).

It disables only the Domain profile of Windows Firewall, leaving Private and Public profiles active.

It resets the firewall rules to their default settings without disabling the firewall.

Disable failed login alerts in the SIEM to reduce noise from brute-force attempts.

Add the attacker’s IP to a global "safe list" to monitor their activity.

Block the attacker's IP, enforce account lockout policies, and enable multi-factor authentication (MFA).

Change the RDP port from 3389 to a random high-number port to evade attackers

Review SIEM and proxy logs to confirm the source, destination, and nature of the data transfer.

Contact the employee FLM directly and ask them to explain their activity.

Disable all outbound internet access to prevent further uploads.

Immediately block the user’s account

Reset the password for all users in the organization to prevent widespread compromise.

Immediately lock the account, force a password reset, and review the account's recent activity.

Notify the account owner to change their password immediately and continue monitoring the account for further activity.