Tell us what's going on

Pick the symptom closest to your situation. We will give you three immediate actions you can take right now, then connect you with an expert.

Ransomware: First three actions

  1. Image the affected drive before any recovery attempt with a tool like Sherlock Disk Imager. Recovery without an image destroys evidence.
  2. Disconnect now. Pull the network cable or disable Wi-Fi on the infected computer and any network drives.
  3. Do not pay the ransom and do not delete anything. Paying does not guarantee recovery and signals to attackers that you pay.
  4. Take a photo of the ransom note with your phone. The note contains evidence we will need.

These steps stop the bleeding. To know what was taken, what to recover and how to do it without making it worse, talk to Ryan Purita CISSP. Refundable if we miss the 1-hour callback.

Account takeover: First three actions

  1. From a different device, change the password on the affected account using a known-clean phone or computer.
  2. Enable two-factor authentication on every important account: email, bank, work logins.
  3. Contact your bank if any financial account is involved. Flag the account for fraud monitoring.

You stopped the immediate access. Now scope the breach: what else did the attacker reach, what data was exposed, what should you tell customers or regulators. Talk to a forensics expert.

Locked out: First three actions

  1. Try password recovery using a known-clean device and your backup email or phone.
  2. Check your spam folder for password reset emails you did not request.
  3. Call the service provider directly using a phone number from their official website. Do not use a number from an email.

Lockouts often hide an account takeover that already happened. We can audit your recovery path, identify the attacker's access trail and harden the rest of your accounts before they fall too.

Phishing aftermath: First three actions

  1. Change the password you may have entered on the suspicious site immediately, from a different device.
  2. Contact your bank to flag any account where the credential could be used.
  3. Watch all linked accounts for unexpected activity over the next 72 hours.
  4. Search your email for what the attacker may have already accessed using Sherlock PST Viewer.

You acted fast. Now confirm what the phisher got: was malware installed, was a session token stolen, were other accounts hit. Talk to an expert before you assume you are clear.

Malware suspected: First three actions

  1. Image the affected drive before any recovery attempt with Sherlock Disk Imager.
  2. Disconnect the computer from the internet. Pull the cable or disable Wi-Fi.
  3. Do not enter passwords or banking information on the affected machine.
  4. Use a different device to change passwords on accounts accessed from that computer. Review system event logs for the infection vector with Sherlock Universal Events Viewer.

A weird-acting computer is a red flag. It could be benign software trouble or an active intrusion. A 30-minute scope call tells you which it is and what to do next.

Insider threat: First three actions

  1. Do not confront or tip off the suspected employee. Premature confrontation destroys evidence.
  2. Preserve all evidence including emails, files and access logs. Do not delete anything.
  3. Quietly restrict the suspect account's access through your IT or HR team.

Insider cases need court-grade evidence preservation from minute one. Talk to a forensics expert who has testified in employment matters before you take the next step.

Unsure: First three actions

  1. Disconnect the affected device from the internet as a precaution.
  2. Do not enter passwords on any device you suspect is compromised.
  3. Document everything you have noticed, including dates, times and screenshots if possible. If the device must stay on, image it now with Sherlock Disk Imager to preserve state.

Most cyber attacks start with a feeling that something is off. A 30-minute scope call helps you tell signal from noise and decide if this needs a full investigation or a clean-up.

Other: We can still help

  1. If a device is involved, disconnect it from the internet until we have talked.
  2. Preserve everything. Do not delete logs, emails or files. Take screenshots of anything suspicious before it changes.
  3. Bring your timeline to the call: when you first noticed the issue, what you have done since and what you are most worried about.

If your situation does not match any of the standard patterns, that is exactly what an expert call is for. 30 minutes with Ryan Purita CISSP gets you a clear plan whether your problem turns out to be huge or harmless.

Cyber Emergency Response

If you've been hacked, start here.

Triage your situation in 60 seconds. Pay for a 30-minute scope call with Ryan Purita CISSP. 1-hour callback guarantee. Full refund if we miss it. Everything is done remotely over phone and Google Meet.

  • Ryan Purita CISSP
  • 20+ years cyber forensics
  • Featured on national television
  • 1-hour callback guarantee

30-minute emergency consultation

Pre-pay for a 30-minute scope call with Ryan Purita CISSP. 1-hour callback guarantee. Full refund if we miss it.

Business Hours

$250 CAD
9am-5pm PST, Mon-Fri
  • 30-minute scope call with Ryan Purita CISSP
  • 1-hour callback guarantee, refund if missed
  • Triage, scope and immediate-action plan
  • Remote-only by phone or Google Meet

After Hours Emergency

$500 CAD
Evenings, nights, weekends, holidays
  • 30-minute scope call with Ryan Purita CISSP
  • 1-hour callback guarantee, refund if missed
  • Active incident triage outside business hours
  • Remote-only by phone or Google Meet

Payment is by Stripe. After paying, you will land on a short intake form so we know how to reach you. Ryan calls back within 1 hour. Full refund if the callback is missed.

Who you reach

20 years on the front line

Ryan Purita, Principal Security Consultant, CISSP. Court-tested digital forensics work. Featured on national television and in major Canadian publications since 2003.

What we do

Triage, scope, plan

We stop the bleeding, scope what the attacker reached, secure what is still salvageable and walk you through the next 24 hours. Then a written summary by email.

How we work

Remote-only, fast

Everything happens over phone or Google Meet. We never need to meet in person. Have your timeline, any screenshots and the ransom note photo, if any, ready.