Ransomware, data leak, suspicious activity on your network? Don't Google it — the phone is faster. We'll help you orient yourself, contain the impact, and pick the next steps. No fluff, no upsell, no panic.
CypherOn emergency line
+420 704 129 568
Reachable 24/7. Outside business hours, a short callback within 1 hour.
It feels instinctive, but the forensic trail lives on the infected device. Leave it powered on if possible — just disconnect it from the network. Don't start reinstalling.
Disconnect affected devices from the network (LAN and Wi-Fi). Don't delete logs, don't overwrite backups, don't close user accounts. All of it can be evidence — or a path back.
If you're hit by ransomware with a payment demand, do not communicate with the attacker before talking to us. A wrong reply in the first hours usually means a higher price tag or a second attack.
What you saw, when, who spotted it first, which systems are affected. Notes are enough — they save us 30 minutes on the first call.
If you can't or don't want to call, fill out the short form — we'll respond within hours (typically within 30 minutes during business hours). For a truly urgent incident, we still recommend the phone above.
Frequently asked
The questions companies ask most often during a ransomware attack. Answers based on NÚKIB and ENISA guidance and field experience — no marketing, just what actually holds up.
Both NÚKIB and ENISA clearly recommend not paying. There's no guarantee you'll get a working decryptor (success rates hover around 60%). Paying funds the next attacks and marks you as a willing target — 80% of paying companies are hit again within 12 months. Paying sanctioned groups (typically Russian) is also potentially criminal in the EU. Exceptions exist — but always discuss the decision with a lawyer, IR team, and your insurer, not under pressure in the first hours.
If you're a regulated entity under the Czech Cybersecurity Act (ZoKB) or NIS2 — yes, mandatory. Early warning typically within 24 hours of detection, full report within 72 hours. If you're not a regulated entity, reporting isn't mandatory but is recommended — NÚKIB uses it for context on active campaigns. Submission goes through the official portal at nukib.gov.cz.
It depends on the type of backup. If backups are online and reachable from the domain, ransomware often encrypts them along with production data. Only offline / immutable / off-site backups following the 3-2-1 rule (three copies, two media, one offline) are reliable. They also need regularly tested restores: a backup you've never tried to restore typically turns out unusable at the worst possible moment.
The first hours decide. The attacker is typically in the network for 4–60 days before encryption, and the moment ransomware fires, they're often just finishing data exfiltration. Every hour of delay in containment means more encrypted systems and more stolen data. NÚKIB recommends activating the IR plan within 30 minutes of attack confirmation.
Mostly yes — typically the IR team, legal counsel, recovery, business interruption, and sometimes the ransom itself (though that's shrinking in recent years). Key conditions: notify the insurer immediately, don't destroy evidence, don't negotiate with the attacker without consultation. The insurer can refuse payout if you didn't have basic controls (MFA, EDR, backups, awareness training) — which is why pre-incident audits are taken more seriously than they used to be.
Double extortion is now the norm — 70%+ of ransomware campaigns not only encrypt data but also exfiltrate it. Strategy: (1) assume data was exfiltrated until forensics proves otherwise, (2) notify the data protection authority under GDPR within 72 hours if personal data is leaking, (3) prepare a communications plan in case of publication. Paying at this stage doesn't guarantee data won't be published — attackers often keep copies and resell later.
Always, even when you don't expect investigation. Ransomware is a criminal offence (extortion + unauthorised access to a computer system). Without a criminal report you often can't use most insurance payouts, and it complicates writing the loss off for accounting. Contacts: Czech Police — Cybercrime Unit, NCOZ. Ideally through a lawyer experienced with similar cases.
Depends on what was hit and how thoroughly you isolated. If critical business systems (email, ERP, billing) are affected, you switch to manual mode short-term — paper records, mobile hotspot, alternate emails. Full return to the original infrastructure should happen only after forensic analysis — a restore onto an uncleaned network means the attacker is back within days or weeks. Typical full recovery time: 2–6 weeks.
Going deeper
If you don't have an acute incident but want to know what to do preventively or what your incident response plan should look like, we have more detailed material for you.
12 concrete controls that cover 95% of attack vectors. Backups, MFA, segmentation, EDR, patch management — what actually works and the order to roll it out in.
Read the recommendations →
02 / During an attack
A structured walk-through of the five incident phases — detection, containment, communication, recovery, lessons learned. Including NÚKIB and GDPR notification duties.
Read the playbook →