ACTIVE INCIDENT? CALL (919) 348-4912

Ransomware Attack Help Without Destroying The Evidence

Petronella Technology Group is a court-credentialed incident response and digital forensics firm. We take ransomware calls 24 hours a day, isolate the spread, preserve the evidence your cyber insurance carrier and legal counsel will demand, and rebuild your business on a hardened foundation. The first hour decides whether you pay a six-figure ransom, a six-figure cleanup bill, or both.

  • 24/7 live answer
  • DFE #604180, court credentialed
  • RPO #1449, CMMC registered
  • Since 2002, BBB A+ rated

Live operator answers. Triage starts on the call. No phone trees.

  • < 15 min: live triage start
  • Chain of custody: forensic preservation
  • Carrier ready: insurance documentation
  • 23 yrs: North Carolina based
Step 1 - First hour

First-Hour Ransomware Triage: 12 Decisions That Decide Your Bill

The first sixty minutes after a ransomware detonation are worth more than any single tool, contract, or backup tape. Decisions made in that window control the size of the blast radius, the survivability of forensic evidence, and whether your cyber insurance carrier honors or denies the claim. Work the checklist below in order. Skip steps only if instructed by your retained incident response counsel.

  1. Do not power off encrypted machines

    Hibernation, RAM, page files, and process memory often hold the only copy of the encryption key, command-and-control beacons, and unpacked malware. Powering off destroys volatile evidence that a digital forensic examiner needs to identify the strain and, in some cases, recover the key. Disconnect the network cable or shut the Wi-Fi radio off instead.

  2. Isolate at the switch and the firewall, not the desktop

    Pull the VLAN, block the host at the firewall, or break the trunk port. Do not run the built-in antivirus quick scan, do not delete suspicious files, and do not let well-meaning IT staff "clean" the box. Every well-intentioned cleanup destroys evidence and forecloses recovery paths.

  3. Stop the spread - identify the lateral-movement vector

    Most modern ransomware operators dwell for days before detonation. Block SMB, RDP, and WinRM between affected and unaffected segments. Disable the privileged accounts that were on the encrypted host. Force a credential rotation on any service account that touched that machine in the prior 30 days.

  4. Photograph the ransom note - do not delete it

    Take a high-resolution photograph of every ransom note, splash screen, README file, and onion address. The note is forensic evidence: it identifies the strain, the affiliate, and sometimes a known decryptor. Forensic examiners and threat-intelligence partners trade these notes against a private database that civilians cannot access.

  5. Preserve logs before they roll

    Endpoint detection logs, Windows Security Event logs, firewall traffic logs, VPN auth logs, and Microsoft 365 unified audit logs are typically retained for 30 to 90 days. The attacker has been inside that window for weeks. Export and offline-store every relevant log immediately. Without logs there is no claim, no insurance payout, and no root-cause analysis.

  6. Call your cyber insurance carrier hotline

    Most cyber liability policies require notification within hours of discovery and force you to use a panel incident response provider. Calling your own IT firm first, paying out of pocket, or negotiating with the attacker without carrier blessing is the fastest way to void coverage. Get the claim number before you spend a dollar.

  7. Call breach counsel before you send a single email about the incident

    Internal emails about the incident written outside of attorney-client privilege are discoverable. Breach counsel engages the forensic firm through the attorney to extend privilege over the investigation report. This single decision regularly saves clients seven figures in downstream litigation exposure.

  8. Engage Petronella as your forensic and recovery firm

    A court-credentialed digital forensic examiner secures the evidence chain. Craig Petronella holds DFE certification #604180 and Petronella Technology Group is registered as CMMC RPO #1449. The team works inside privilege, coordinates with your carrier panel, and runs both eradication and rebuild in parallel.

  9. Identify the ransomware variant from the note and the file extension

    The strain dictates everything that follows: decryptor availability, OFAC sanctions exposure, whether data was exfiltrated to a leak site, the realistic recovery time, and the negotiation posture. A bad variant ID early on sends the entire response in the wrong direction for 24 hours.

  10. Confirm the scope - servers, endpoints, backups, cloud tenants

    Walk the entire estate. Modern ransomware operators target backup catalogs (Veeam, Datto, Rubrik), cloud storage (SharePoint, OneDrive, S3, Azure Blob), virtualization hosts (ESXi), and domain controllers before they detonate. Assume every system is compromised until cleared by a forensic examiner.

  11. Verify your backups are usable and offline

    Most ransomware victims discover that their backups are encrypted, deleted, or unrecoverable only after they begin restore attempts. Verify backup integrity from an isolated workstation. Verify the backup credentials were not compromised. Verify the backup target is air-gapped from the production network.

  12. Decide on regulatory notification triggers within the first business day

    HIPAA, state breach laws, the SEC four-business-day cyber disclosure rule for public companies, DFARS 7012 for defense contractors, and EU GDPR all impose tight notification clocks. Your breach counsel will drive the formal decision, but the clock starts at discovery, not at confirmation. Document the discovery time, time-stamp the first containment action, and preserve those records inside privilege.

Reality check: nine out of ten of the destroyed-evidence cases we see started with a well-intentioned in-house technician running antivirus before calling for help. Pause. Disconnect. Call. We answer on the first ring at (919) 348-4912.

Step 2 - Engagement

Why You Engage Petronella Before You Touch Anything (Including the Ransom Note)

Ransomware is no longer a malware problem. It is a litigation, insurance, regulatory, and forensic chain-of-custody problem that happens to involve encrypted files. The companies that recover cleanly are the ones that treat the first 24 hours as an evidence-preservation exercise rather than a desktop-cleanup exercise. The companies that pay twice, lose their cyber-insurance coverage, or face regulator penalties are usually the ones who started running scans and rebuilding machines before a forensic examiner ever set foot in the network.

Chain of custody is what makes evidence admissible. A digital forensic examiner records every step of evidence acquisition: bit-for-bit disk images written to write-blocked media, cryptographic hashes captured before and after acquisition, signed acquisition logs, and a documented custody trail showing who handled the media at every transfer point. If your in-house IT staff power-cycle the server, copy files off the disk, or run a cleanup tool before that image is captured, the evidence is contaminated. In a downstream breach-of-contract suit, a class action, or an insurance dispute, contaminated evidence is treated as no evidence.
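As an added illustration of the custody trail described above (and of the hash-and-log discipline behind triage steps 5 and 8), this Python sketch is not Petronella's tooling: it hashes an acquired image, records every handoff in a tamper-evident log keyed to the previous entry, and re-verifies the media later. The examiner key, file name and image contents are constructed placeholders.

```python
import hashlib
import hmac
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk=1 << 20):
    """Stream a file through SHA-256 so multi-TB images do not need to fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


class CustodyLog:
    """Append-only custody trail. Each entry carries the evidence hash and an HMAC
    over the entry plus the previous entry's tag, so editing or dropping any entry
    invalidates every later tag. The HMAC key stands in for the examiner's signature."""

    def __init__(self, examiner_key: bytes):
        self.key = examiner_key        # assumption: one secret per examiner
        self.entries = []

    def _tag(self, entry, prev_tag):
        body = json.dumps({k: v for k, v in entry.items() if k != "tag"}, sort_keys=True)
        return hmac.new(self.key, (prev_tag + body).encode(), hashlib.sha256).hexdigest()

    def record(self, evidence_id, action, handler, path):
        prev_tag = self.entries[-1]["tag"] if self.entries else ""
        entry = {
            "evidence_id": evidence_id,
            "action": action,
            "handler": handler,
            "utc": datetime.now(timezone.utc).isoformat(),
            "sha256": sha256_file(path),   # re-hashed at every transfer point
        }
        entry["tag"] = self._tag(entry, prev_tag)
        self.entries.append(entry)
        return entry

    def verify(self, path):
        """Return (ok, reason): ok only if the trail is untampered and the media
        still hashes to the value recorded at acquisition."""
        if not self.entries:
            return False, "no acquisition recorded"
        prev_tag = ""
        for e in self.entries:
            if not hmac.compare_digest(e["tag"], self._tag(e, prev_tag)):
                return False, f"custody entry altered: {e['action']}"
            prev_tag = e["tag"]
        acquired = self.entries[0]["sha256"]
        if any(e["sha256"] != acquired for e in self.entries):
            return False, "hash changed between custody transfers"
        if sha256_file(path) != acquired:
            return False, "media hash no longer matches acquisition hash"
        return True, "chain intact"


def demo():
    """Constructed walk-through: acquire, transfer, then show that both a modified
    image and an edited log entry are caught."""
    with tempfile.TemporaryDirectory() as d:
        image = os.path.join(d, "SRV01-disk0.img")       # constructed image file
        with open(image, "wb") as f:
            f.write(b"\x00constructed-disk-image\x00" * 4096)
        log = CustodyLog(b"examiner-key-placeholder")
        log.record("SRV01-disk0", "acquired", "examiner A", image)
        log.record("SRV01-disk0", "transferred to evidence locker", "custodian B", image)
        intact = log.verify(image)
        with open(image, "r+b") as f:                    # a well-meaning "cleanup"
            f.write(b"\xff")
        media_tampered = log.verify(image)
        log.entries[1]["handler"] = "someone else"        # log entry edited after the fact
        log_tampered = log.verify(image)
        return intact, media_tampered, log_tampered
```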

Petronella Technology Group brings a court-credentialed examiner to every ransomware engagement. Craig Petronella is a state-recognized Digital Forensic Examiner (DFE #604180), MIT-certified in Artificial Intelligence and Blockchain, holds CCNA and CWNE network credentials, and has testified in civil and criminal matters since 2002. The Petronella incident response team is fully CMMC Registered Practitioner certified, and Petronella Technology Group is a CMMC Registered Provider Organization (RPO #1449) recognized by the Cyber AB.

The "just run AV" instinct destroys three things at once:

It destroys the encryption key in memory. Several ransomware families hold their keys in RAM and write them to disk only at certain hand-off points. Aggressive endpoint scanning, system restarts, and process termination during the first hours can wipe out the only copy of a key that might otherwise have been recoverable. We have seen organizations pay six-figure ransoms for files they could have decrypted themselves had the volatile memory been preserved.

It destroys the threat-actor timeline. Endpoint protection tools, when run aggressively, quarantine the implants, the backdoors, and the staging archives the attacker used to move laterally. Without those artifacts, the forensic team cannot build a credible timeline. Without a credible timeline, your breach counsel cannot scope notification obligations, your insurance carrier cannot validate the claim, and your CISO cannot answer the question every customer will ask: what did they take?

It destroys the privileged investigation. Forensic findings developed inside attorney-client privilege are typically protected from discovery in civil litigation. Findings developed by your in-house team before counsel is retained are not. Once a non-privileged email or Slack message describes the malware, the dwell time, or the data accessed, that message is discoverable. Plaintiffs' counsel will subpoena it. Regulators will request it. Insurance carriers will reference it. The single most expensive mistake in ransomware response is treating it as an IT incident rather than a legal incident.

Engaging Petronella from the first phone call collapses these risks. Our standard ransomware engagement protocol is:

  1. Breach counsel introduction
  2. Statement of work signed under counsel
  3. Carrier panel coordination
  4. On-site or remote evidence acquisition with documented chain of custody
  5. Variant identification and exfiltration assessment
  6. Eradication and recovery in parallel with forensic timeline development
  7. Hardening to prevent re-entry
  8. Carrier-ready closeout report

The eradication and recovery work is what gets you operating again. The forensic and reporting work is what keeps you out of court and keeps your coverage intact.

Step 3 - Recovery sequence

The 4-Phase Recovery Sequence: Isolate, Eradicate, Recover, Harden

Petronella runs ransomware recovery as four sequential phases with overlapping forensic and reporting workstreams. The timelines below reflect what is realistic for a small or mid-sized business with a healthy backup posture; large estates, severely compromised backups, or destructive variants will extend each phase.

Phase 1 - Isolate (0 - 4 hours)

Network containment at the switch, firewall, and identity layer. Credential rotation for every account that touched a compromised host. Backup target isolated and snapshotted. Forensic acquisition of priority systems begins under documented chain of custody.

Phase 2 - Eradicate (4 - 48 hours)

Variant identification, dwell-time reconstruction, exfiltration assessment, and removal of attacker persistence: scheduled tasks, services, registry run keys, golden tickets, and OAuth grants. Domain controllers rebuilt or restored from known-clean state. Hunt teams sweep adjacent estate.

Phase 3 - Recover (1 - 14 days)

Tiered restore: identity, file shares, line-of-business applications, email, then endpoints. Each restored system is scanned, validated, and brought back through a clean network segment. Negotiation track runs in parallel only if decryption is unavoidable and OFAC-cleared.

Phase 4 - Harden (30 - 90 days)

Closing the entry vector and elevating the entire estate above the attacker's next attempt: managed XDR deployment, MFA on every identity, privileged access management, immutable backups, network segmentation, ongoing tabletop exercises, and a CMMC-aligned control baseline.

The phases sound clean on paper. In practice they overlap, run out of order, and are constantly re-prioritized by the forensic findings. The reason Petronella runs eradication and recovery in parallel rather than strictly in series is that most businesses cannot afford a two-week production outage. We rebuild a parallel clean estate inside a quarantined segment while the dirty production estate is held in evidence preservation. As clean systems pass verification, traffic is cut over. This pattern dramatically compresses time-to-revenue without compromising the evidence chain.

The hardening phase is where most ransomware victims fail twice. The first failure is the original breach. The second failure is being re-victimized within months because the entry vector was patched but the underlying control gaps were not closed. Petronella's hardening playbook is built on the same frameworks we audit for CMMC, HIPAA, PCI-DSS, and SOC 2 engagements, so the controls you put in place after a ransomware incident pay you back in regulatory posture as well as in attacker resistance.

Throughout all four phases, the forensic narrative is being assembled into a carrier-ready and counsel-ready report. That report is what your cyber insurance carrier needs to approve the claim, what your breach counsel needs to scope notification obligations, and what your board needs to govern the incident and approve the post-incident control investment. Without it, every conversation about the breach becomes a guess.

Step 4 - The ransom decision

When Paying the Ransom Makes Sense (And When It Is Illegal)

There is no universally correct answer to the ransom-payment question. There is, however, a defensible decision process. Paying the ransom is a last-resort financial transaction with regulatory, ethical, and operational risks that must be evaluated by counsel, the carrier, and the forensic team before a single Bitcoin moves.

Reasons to delay or refuse payment

Hold the line

  • Free decryptor exists. No More Ransom and reputable threat-intel partners maintain a private list of broken families. Petronella checks this list as standard practice.
  • Backups are verified and clean. If a tested restore is achievable inside the business RTO, payment is rarely justifiable.
  • OFAC sanctions exposure. Paying a designated entity (Conti spin-offs, Evil Corp, several Russia and North Korea linked operators) can be a Treasury Department violation regardless of intent. OFAC has acted.
  • Carrier denial. If the cyber liability policy excludes ransom payments or your carrier refuses approval, paying with corporate funds creates downstream coverage and shareholder disputes.
  • Exfiltration was bluff or low-value. Modern double-extortion crews routinely overstate the data taken. The forensic team validates the claim before the payment conversation starts.

Reasons payment may be justifiable

Carrier-blessed exception

  • Backups confirmed unrecoverable and business continuity is at existential risk inside hours, not days.
  • Carrier approves and the panel ransomware negotiator has been engaged from the carrier's own roster.
  • OFAC screening is clear and an independent counsel opinion documents the cleared status.
  • Decryptor reliability has been pre-validated through the negotiator's prior engagements with the same variant and affiliate.
  • Exfiltrated data is high-sensitivity (regulated PHI, defense CUI, trade secrets, personal data subject to GDPR) and the carrier risk model favors payment.

Even when payment is approved, Petronella never makes the payment directly. A licensed and carrier-credentialed ransomware negotiator handles the transaction, manages the OFAC paper trail, and brokers the decryptor delivery. We coordinate the technical side: validating the decryptor on a sacrificial system, scripting the production decryption, and verifying file integrity post-decryption. Paying does not end the incident. The attacker is still credentialed and persistent inside the estate until eradication is complete. Most of the work happens after the payment, not before it.

Step 5 - The insurance file

What Insurance Carriers Need Within 24 Hours

Cyber insurance claim denials are most often the result of preventable documentation gaps in the first day of the incident. Below is the documentation set Petronella delivers to your carrier within 24 hours of engagement, paired with the most common reasons claims are denied.

  1. Notice of loss timestamp with discovery time, first containment action, and counsel engagement time recorded inside privilege.
  2. Policy number, claim number, and carrier-assigned panel approval for Petronella as the retained forensic provider.
  3. Initial scope statement: systems impacted, business operations disrupted, regulated data potentially involved, estimated downtime.
  4. Ransom note copy and variant identification, with any negotiation correspondence quarantined for legal review.
  5. Chain-of-custody documentation for every piece of evidence collected, with cryptographic hashes and signed acquisition logs.
  6. Pre-incident security posture summary: MFA coverage, EDR deployment, backup architecture, patch status. This is what determines coverage limits.
  7. Vendor invoices for forensics, recovery, ransomware negotiation, legal, public relations, and notification - all logged against the claim from day one.
  8. Business interruption log: hourly downtime, revenue impact, staff overtime, replacement hardware - the basis for the BI side of the claim.

The most common claim denials we see in 2026: the insured used a forensic vendor outside the carrier panel without prior written approval; MFA was not enabled on the privileged accounts that were ultimately compromised, contradicting the application warranty; backups were not actually offline or immutable as represented at policy binding; the insured paid the ransom directly without carrier sign-off; notification obligations were missed because the discovery time was poorly documented. Every one of these is preventable with a disciplined first-24-hours playbook.

FAQ

Ransomware Response Questions

The questions we are asked most often in the first hour of a ransomware call. If yours is not here, call (919) 348-4912 and ask.

How fast can Petronella start working on a live ransomware incident?
A live operator answers the (919) 348-4912 line 24 hours a day. Triage starts on that first call: variant questions, isolation guidance, evidence-preservation instructions, and an immediate handoff to the on-call incident response lead. Most engagements have an evidence-acquisition plan and a signed statement of work inside the first two hours and remote forensic work underway inside the first four hours.
Will paying the ransom give me my files back?
Sometimes. Reliability varies dramatically by ransomware family and affiliate. Some operators consistently deliver working decryptors; others deliver tools that corrupt files, omit folders, or only partially decrypt the estate. Even with a working decryptor, recovery typically takes longer than restoring from clean backups because of the per-file decryption overhead and the need to verify integrity. Payment also does not remove attacker persistence or guarantee that exfiltrated data will be deleted. We treat payment as one option in a broader recovery plan, not a finish line.
Is paying a ransomware ransom illegal in the United States?
Payment itself is not categorically illegal, but paying a sanctioned person or entity is a violation of OFAC regulations, regardless of intent. The U.S. Treasury Department issued a 2020 advisory and updated guidance in subsequent years emphasizing that companies, financial institutions, and incident response firms can face civil penalties for facilitating prohibited payments. A licensed ransomware negotiator and breach counsel must clear any payment against the current sanctions list before funds move.
Will my cyber insurance pay for the ransom and the recovery?
It depends on your policy language, your application warranties, and how the first 24 hours were handled. Most current cyber policies cover incident response, forensic costs, legal, notification, business interruption, and in many cases extortion payments - but only when carrier-approved panel providers are used and pre-approval is obtained. Using a non-panel vendor or paying without carrier blessing is the single fastest way to convert a covered loss into an uncovered one. Petronella coordinates carrier panel approval as the first business item of every engagement.
My backups are encrypted too. Now what?
This is the most common emergency we are called into. The path forward is variant-dependent. Some ransomware families have public or private decryptors. Some leave shadow copies, snapshots, or replicated copies in cloud storage that the attacker did not touch. Carrier-funded negotiation may be appropriate. Specialized data recovery (drive imaging, raw block extraction) can occasionally recover unencrypted file fragments. Petronella works every avenue in parallel and prioritizes the path that gets revenue-generating systems online fastest while preserving forensic integrity.
Do I have to disclose the ransomware attack publicly?
Disclosure obligations depend on your industry, the data involved, your contracts, and your jurisdiction. HIPAA covered entities must notify affected individuals and HHS for breaches of protected health information. The U.S. Securities and Exchange Commission requires public companies to disclose material cybersecurity incidents on Form 8-K within four business days. State breach notification laws cover personal information across all 50 states. DFARS clause 252.204-7012 requires defense contractors to report incidents to the Department of Defense within 72 hours. Breach counsel drives the formal notification analysis, and Petronella provides the forensic timeline and impact assessment counsel needs to make those calls.
Related Petronella services

The ransomware engagement usually does not end at recovery. Most clients move into a hardened security posture as part of the same retainer.

Active ransomware incident? Call now.

Petronella Technology Group answers ransomware calls 24 hours a day. A live operator picks up the first ring, triage starts immediately, and a court-credentialed digital forensic examiner is on the engagement before sunrise.

DFE #604180 · RPO #1449 · CMMC-RP team · BBB A+ since 2002 · Raleigh, NC