Your Business Is Under Attack.
The next 72 hours determine whether you recover cleanly or pay catastrophically. Do not guess. Follow the checklist. Call us now.
Do These First. Right Now.
Incident Response Protocol
8 Things to Do in the Next Hour.
In the right order. Every minute of delay gives attackers more time to spread, exfiltrate, and encrypt.
Isolate Affected Machines From the Network. Now.
Physically unplug ethernet cables from every machine you suspect is compromised. Disable WiFi on the same machines. This single action stops lateral movement -- the way ransomware jumps from one machine to every machine on your network. If you can reach your IT closet, disable affected switch ports or bring down your core switch to kill all connectivity.
Do not skip this. It is the most critical single action you can take.
Force Log Out Every User and Kill All Remote Access.
Go to your Active Directory or Azure AD console and force-terminate all active sessions. Disable every remote access tool immediately: VPN connections, RDP (port 3389), TeamViewer, AnyDesk, SSH. Attackers frequently maintain multiple persistence points -- if you leave one remote channel open, they will use it to re-enter even after you think you've contained the breach.
Do NOT Turn Off Machines Yet. Document First.
If files are actively being encrypted in real time, then power off to stop further damage. But if you've caught the attack early, leave machines running. Memory contains critical forensic evidence: active processes, network connections, and attacker tooling that disappears the moment you power off. Take photos or screenshots of ransom notes, error screens, and anything unusual before you touch anything. This evidence determines patient zero and the attack vector.
Exception: if encryption is visibly destroying files right now, power off immediately.
Do Not Engage the Threat Actors. At All.
Do not reply to ransom notes. Do not click links in the ransom demand. Do not attempt to negotiate on your own. Every interaction reveals your identity, your decision timeline, whether you have cyber insurance, and how much you might be willing to pay. Professional IR firms handle all necessary threat actor communication using techniques that minimize your exposure. Opening a dialogue without that expertise raises your ransom demand and marks you as a cooperative target.
Do Not Pay the Ransom Without Expert Guidance.
Roughly 40% of businesses that pay still cannot fully recover their data. Beyond that, paying certain threat groups may violate OFAC sanctions, exposing your company to federal penalties on top of the attack costs. Payment also funds further attacks against you and others. Before any payment decision, you need your IR firm, your legal counsel, and your cyber insurance carrier in the same conversation.
Notify Leadership, Legal, and Your Cyber Insurance Carrier.
Your CEO, CFO, and General Counsel need to know immediately. Your cyber insurance carrier must be notified within a defined window (often 24-72 hours) or your coverage may be voided. Many insurers also have preferred IR vendors -- call them before engaging an outside firm if your policy requires it. If you handle personal data (HIPAA, PCI, GDPR), data breach notification obligations may be triggered. Document the exact time of discovery.
Protect Your Backups. Verify They Were Not Compromised.
Modern ransomware groups spend weeks inside your network before detonating. During that time they locate and destroy or encrypt your backups specifically to increase ransom leverage. Immediately disconnect your backup systems from the network and verify their integrity before you need them. If backups were online and accessible to the same accounts that were compromised, assume they are also compromised until verified clean.
Call an Incident Response Firm in the First Four Hours.
The first four hours are your containment window. Businesses that engage a qualified IR team within that window recover in days. Those that wait recover in weeks -- or not at all. Tech Critic provides 24/7 incident response across Dallas and DFW. We handle containment, forensics, stakeholder communication, ransom negotiation if required, and full recovery. One call starts everything.
Call (214) 396-8151 Now
Avoid These Mistakes
What NOT to Do During an Attack.
These instincts feel logical. Most of them make the situation significantly worse.
Do not restart machines
Rebooting does not stop ransomware. It can trigger encryption on startup, destroy forensic evidence in memory, and signal the malware to begin its next phase.
Do not try to decrypt files yourself
Running unauthorized decryption tools can corrupt files permanently, eliminating any possibility of recovery even if the encryption key is later obtained.
Do not post on social media
Attackers monitor their victims' social presence. Public disclosure before you have control of the narrative invites additional pressure tactics, media attention, and customer panic.
Do not reuse compromised credentials
Every account that was active on a compromised system must be treated as compromised. Reset all passwords from a clean, uninfected device -- not from anything that touched the affected network.
Do not wipe machines before forensics
The impulse to wipe and reinstall is understandable but destructive. Without forensic imaging first, you lose your ability to identify patient zero, understand the full scope, and defend against the same attack vector next week.
Do not wait to call for help
Every hour of delay costs real money. The average ransom demand for mid-market businesses in 2025 was $1.9M. Businesses with active IR firms on scene within four hours recover at 60% of the cost of those who wait 24 hours.
The Critical Window
The First 72 Hours Decide Everything.
Most breaches become disasters not because of the initial attack, but because of what happens in the three days after it.
Hours 0 to 4
Containment. Stop the Bleed.
Isolate, lock out, document. This is the window where you either contain the attack to 3 machines or let it become 300. Containment success in this window cuts average recovery cost by more than half.
What attackers are doing: Lateral movement, privilege escalation, locating backups
Hours 4 to 24
Scoping. Know What Hit You.
A qualified IR team maps patient zero, identifies every compromised system, determines if data was exfiltrated, and establishes a clean recovery environment. Decisions made here shape your entire recovery.
What attackers are doing: Data exfiltration, backup destruction, staging full encryption
Hours 24 to 72
Recovery. Back Online.
Clean, verified systems are restored from known-good backups. Critical business functions come back online first. The full scope of the breach is documented for insurance claims, legal obligations, and regulatory reporting.
With IR firm on scene: Phased restoration, stakeholder updates, ransom negotiation if needed
Hour 72 and Beyond
Resumption. Hardening.
Full operations restored. Root cause identified and eliminated. Hardening recommendations delivered and implemented to prevent recurrence. Post-incident report for insurance and legal use.
Without an IR firm: Average 23 days downtime. Average $1.85M total cost.
Right Now Matters
Every hour without containment costs an average of $23,000 in additional recovery expenses.
Get a Senior Analyst on the Phone Now.
Fill out the form and we will call you back within minutes. For an active, ongoing attack, call the line directly.
24/7 Emergency Line
(214) 396-8151
Dallas Office
8001 LBJ Freeway, Suite 405
Dallas, TX 75251
What happens when you call
A senior analyst (not a call center) picks up. Within 5 minutes you will have a triage call underway. Within 30 minutes we will have a containment plan. For Dallas businesses, we can be on-site within 2 to 4 hours.
Why Tech Critic
Dallas IR Since 2003. Senior-Only Response.
When you call Tech Critic at 2am on a Tuesday, you get a senior engineer who has run active ransomware incidents -- not a Level 1 analyst reading from a playbook.
We have operated in Dallas for over two decades. We know the regulatory environment. We know the local legal and insurance landscape. And we keep five owned offices in DFW specifically so we can put boots on the ground when remote access is not enough.
23+ Years in Dallas: Serving DFW businesses since 2003
24/7 Response Hours: Senior analyst, every call, any time
30 min SLA to Containment: Critical incidents, written SLA
5 Owned DFW Offices: On-site response when you need it
Questions We Get a Lot.
Don't see yours? Call and ask directly.
Should I shut down my computers when ransomware hits?
It depends on timing. If you catch the attack early and encryption is not yet actively running, leave machines powered on for forensic memory capture -- this helps identify patient zero and the attack vector. If files are actively being encrypted in real time, power off immediately to stop further damage. Call an IR firm before making this decision if at all possible.
Should I pay the ransom?
Do not pay without expert guidance. Paying does not guarantee file recovery. Roughly 40% of businesses that pay still cannot recover all their data. Payment also funds further attacks, and paying certain threat groups may violate OFAC sanctions, exposing your business to federal penalties. Talk to an incident response firm and legal counsel before making any payment decision.
Why are the first 72 hours so critical?
The first 72 hours are when containment either succeeds or fails. In the first four hours, attackers continue lateral movement if not isolated. By hour 24, they may exfiltrate data. By hour 72, they encrypt additional systems and trigger ransom demands. Every hour of delay multiplies recovery cost and time. Businesses that engage an incident response team within the first four hours recover significantly faster and at lower cost.
Can I negotiate with attackers myself?
No. Do not engage directly with threat actors. Every interaction reveals information about your organization, your decision-making timeline, and your insurance coverage. Professional IR firms handle all threat actor communication when required, using techniques that minimize risk and avoid validating you as an easy future target.
How quickly can Tech Critic respond in Dallas?
Tech Critic provides 24/7 incident response for Dallas and DFW businesses. You can reach a senior analyst immediately at (214) 396-8151. We target containment action within 30 minutes of engagement for critical incidents. For on-site response in the Dallas area, we can typically have a senior engineer on location within two to four hours depending on time of day.
Stop the Clock. Call Now.
Every minute matters. A senior Tech Critic analyst is standing by 24/7 to take your call and start containment.