If you believe you have fallen victim to a cyber attack, this guide helps you confirm the attack, limit the damage to your infrastructure and data, and restore operations quickly. Here are the recommended actions to take if you suspect your organization is a victim of a cyber attack:
1. Evaluate your organization’s incident response plan to guide immediate actions upon detecting harmful activities on your network.
2. Identify and isolate impacted systems promptly.
3. If multiple systems or subnets are affected, consider taking the network offline at the switch level.
4. If taking the network offline isn’t immediately feasible, physically disconnect affected devices from the network or wireless connections.
5. Ensure isolation of systems in a coordinated manner to prevent alerting attackers. Use out-of-band communication channels for coordination.
6. Take backups offline to preserve them, and scan them for malware. Restore backups only to offline systems that are required for restoring operations.
7. Initiate an immediate password reset for affected user accounts, including senior management accounts, with strong passwords.
8. Conduct a thorough investigation to uncover the root causes of the attack. Speak with affected users, especially those with privileged accounts, and document initial findings.
9. Review firewall settings for outbound and inbound traffic. Implement blocking rules for countries sanctioned by OFAC.
10. Check and block suspicious external email forwarding rules and rules adding BCC addresses to outgoing emails.
11. Identify and reset passwords for service accounts, particularly those with privileged access.
12. Ensure logs from databases and critical applications are enabled and adequately stored for investigation purposes.
13. Capture system images and memory samples from affected devices. Collect relevant logs and samples of any suspected malware binaries and indicators of compromise for analysis.
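As an added illustration of step 10 (not code from this page), the script below triages an exported list of mailbox inbox rules and flags any rule that forwards, redirects or blind-copies mail to an address outside the organization's domains. The input dicts use the property names of Exchange Online's Get-InboxRule output; the internal domain list and the sample rules are constructed for the example.

```python
import re

# Matches 'Name <user@example.org>' entries as well as bare addresses.
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+", re.IGNORECASE)
# Inbox rule actions that send a copy of mail somewhere else.
FORWARD_FIELDS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo", "BlindCopyTo")

def external_recipients(values, internal_domains):
    """Return recipient addresses whose domain is not one of ours."""
    found = []
    for value in values or []:
        for addr in EMAIL_RE.findall(value):
            domain = addr.rsplit("@", 1)[1].lower()
            if domain not in internal_domains:
                found.append(addr.lower())
    return found

def flag_suspicious_rules(rules, internal_domains):
    """Return (mailbox, rule name, reasons) for rules that leak mail externally.

    Also notes when the rule deletes the original, which hides the leak from the user.
    """
    internal = {d.lower() for d in internal_domains}
    flagged = []
    for rule in rules:
        reasons = []
        for field in FORWARD_FIELDS:
            ext = external_recipients(rule.get(field), internal)
            if ext:
                reasons.append(f"{field} -> {', '.join(ext)}")
        if reasons and rule.get("DeleteMessage"):
            reasons.append("DeleteMessage set (hides forwarded mail)")
        if reasons:
            flagged.append((rule["MailboxOwnerId"], rule["Name"], reasons))
    return flagged

# Constructed sample export for illustration only (not real mailbox data).
SAMPLE_RULES = [
    {"MailboxOwnerId": "cfo@corp.example", "Name": "Archive",
     "ForwardTo": ["Archive <archive@corp.example>"], "DeleteMessage": False},
    {"MailboxOwnerId": "cfo@corp.example", "Name": ".",
     "ForwardAsAttachmentTo": ["x@mail-drop.example.net"], "DeleteMessage": True},
    {"MailboxOwnerId": "ap@corp.example", "Name": "Invoices",
     "BlindCopyTo": ["billing@corp.example", "ops@partner.example.org"]},
]

if __name__ == "__main__":
    for mailbox, name, reasons in flag_suspicious_rules(SAMPLE_RULES, ["corp.example"]):
        print(f"{mailbox}: rule '{name}': {'; '.join(reasons)}")
```

Rules with a one-character name that forward as attachment and delete the original are a common pattern to review first; legitimate internal forwarding (the "Archive" rule) is not flagged.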
Seek urgent assistance from our security operations center! Implement the recommended actions without delay while we address the situation.