Ransomware Checklist: Your First Hour Decides the Bill
Posted: May 21, 2026 to Cybersecurity.
Picture it: 9:47 p.m. on a Tuesday in Raleigh
You are at home. Your phone buzzes. It is your office manager. Every workstation in the building has the same red message on the screen. The file shares are gone. The accounting system is gone. The line-of-business platform that runs your billing is gone. A countdown timer is ticking.
What you do in the next 60 minutes decides almost everything about how this ends. The size of the demand. Whether your insurance carrier pays. Whether your data shows up on a leak site in 14 days. Whether you are operating from a notebook and a hotspot on Wednesday morning or whether you are open at all.
This is the conversation owners of North Carolina small and mid-sized businesses are quietly having with themselves more and more often this year. The threat is closer to home, the demand sizes are bigger, and the cyber insurance carriers are denying claims on basic posture failures that almost every SMB has somewhere in the stack. The Ransomware Readiness Checklist Petronella publishes is built for exactly this owner: the one who has watched a peer get hit and wants the honest answer.
This blog is the first-hour part of that checklist. Read it. Print it. Put it in the desk drawer with the corporate credit card and the box of letterhead.
The first 15 minutes: contain, do not panic
The single most important rule, and the one almost every owner gets wrong on instinct, is this: disconnect, do not power off. Pulling the network cable (or disabling the network adapter) isolates the affected machine. Powering it off destroys the volatile memory that a forensics team needs to identify the attacker's tooling, the encryption variant, and, together with network and endpoint logs, whether your data was exfiltrated before encryption. That is how you find out whether you are dealing with a simple denial-of-access event or a double-extortion event where stolen data is on its way to a leak site. Those are very different conversations with very different price tags. Leave the ransom note and any files the attacker dropped in place, and do not let anyone run an antivirus "clean-up" on the affected machines: the note and the samples are what identify the variant.
While IT is disconnecting, you make two phone calls in this order:
- Your Incident Response (IR) retainer. If you have one, you call it now. If you do not, you call Petronella at (919) 348-4912 and say the words "active incident." A live human routes you to a CMMC-RP credentialed lead in under a minute, 24x7.
- Breach counsel. An attorney who specializes in cyber incidents. Counsel engages and directs forensics from that moment forward, which is what gives the forensic findings a claim to attorney-client privilege and work-product protection. The protection is not automatic: courts have declined to extend it to forensic reports that were commissioned for business purposes or circulated widely, so the report stays inside the counsel-directed channel. But without counsel in the chain from the start there is no claim at all, and this single step decides much of what is and is not discoverable later in litigation or in an insurance dispute.
Notice what is not on the list yet. You did not call the FBI. You did not call your customers. You did not call the press. You did not log into the ransom note's "live chat" to see what the attacker says. You contained, then you called the two people whose first move directly improves your outcome.
Minutes 15 to 30: preserve evidence, cut access
With forensics engaged and counsel on the line, the technical work begins. Your IR firm will walk your team through preserving volatile memory on a representative set of endpoints and servers, and will have you do anything that involves credentials from a clean machine rather than an affected one. They will guide you to isolate the identity tier: disable suspect privileged accounts, rotate every break-glass credential, and force a global sign-out on the identity provider. The sign-out means revoking issued sessions and refresh tokens, not only resetting passwords; a password reset alone leaves tokens the attacker already holds valid until they expire.
Then external access gets cut. VPN. RDP gateway. Reverse proxies. Third-party connectors. Any remote-support or remote-management tool, including ones the attacker may have installed. Anything an attacker with working credentials could use to come back through the door. The assumption you operate under for the next 72 hours is that the attacker has working credentials for at least one privileged account. Until forensics proves otherwise, treat every authenticated session as suspect.
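What the contain-and-preserve steps above look like when typed into a Windows estate, as an added example that is not from the original post and not Petronella's own runbook. It assumes an Active Directory domain with Microsoft Entra ID as the cloud identity provider, the ActiveDirectory and Microsoft.Graph PowerShell modules installed on a clean admin workstation, a winpmem memory imager already staged on an evidence drive, and placeholder account, path and domain names; every one of those is my assumption, not the page's. Each function says which host it runs on, because the order matters: evidence first, then disconnect, then identity, then the gateways.

```powershell
<#
  First-hour containment helper. Added example; not Petronella's tooling and not
  from the original post. Assumed (not stated by the page): an AD domain, Entra ID,
  the ActiveDirectory and Microsoft.Graph modules on a clean admin box, winpmem on
  an evidence drive, and the placeholder names below.
#>
#Requires -Version 5.1

function Save-VolatileEvidence {
    # Run ON the affected host, elevated, at the console, BEFORE disconnecting it.
    # Captures exactly what a power-off would destroy.
    param(
        [string]$CaseRoot = 'E:\evidence',                        # assumed evidence drive
        [string]$WinPmem  = 'E:\tools\winpmem_mini_x64_rc2.exe'   # assumed staged imager
    )
    $case = Join-Path $CaseRoot ('{0}-{1}' -f $env:COMPUTERNAME, (Get-Date -Format 'yyyyMMdd-HHmmss'))
    New-Item -ItemType Directory -Path $case -Force | Out-Null
    Start-Transcript -Path (Join-Path $case 'transcript.txt') | Out-Null

    # Memory first: attacker tooling and any in-flight exfiltration tunnel live here.
    if (Test-Path $WinPmem) { & $WinPmem (Join-Path $case 'memory.raw') }
    else { Write-Warning "winpmem not found at $WinPmem; memory NOT captured" }

    # Established connections with their owning process: the cheapest evidence of C2 or exfil.
    Get-NetTCPConnection -State Established |
        Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, OwningProcess,
            @{ n = 'Process'; e = { (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName } } |
        Export-Csv -Path (Join-Path $case 'connections.csv') -NoTypeInformation
    Get-Process | Select-Object Id, ProcessName, Path, StartTime |
        Export-Csv -Path (Join-Path $case 'processes.csv') -NoTypeInformation
    # Logged-on sessions tell forensics which credentials were in use on this box.
    quser 2>$null | Out-File -FilePath (Join-Path $case 'sessions.txt')
    Stop-Transcript | Out-Null

    # Hash every artifact so the evidence chain is verifiable for counsel and the carrier.
    Get-ChildItem -Path $case -File | Get-FileHash -Algorithm SHA256 |
        Export-Csv -Path (Join-Path $case 'sha256.csv') -NoTypeInformation
    return $case
}

function Disconnect-Host {
    # Run ON the affected host AFTER Save-VolatileEvidence. Disconnects, does not power off:
    # memory, running processes and the ransom note stay intact for forensics.
    Get-NetAdapter | Where-Object { $_.Status -eq 'Up' } | Disable-NetAdapter -Confirm:$false
}

function Lock-IdentityTier {
    # Run from a CLEAN admin workstation. Works on the assumption that the attacker holds at
    # least one privileged credential: disable, reset, and revoke cloud sessions, because a
    # password reset alone leaves already-issued tokens valid until they expire.
    param(
        [Parameter(Mandatory)][string[]]$SuspectSamAccounts,   # placeholders, e.g. 'svc-backup'
        [string]$TenantDomain = 'example.com'                   # assumed UPN suffix
    )
    Import-Module ActiveDirectory
    Connect-MgGraph -Scopes 'User.RevokeSessions.All' | Out-Null
    foreach ($sam in $SuspectSamAccounts) {
        Disable-ADAccount -Identity $sam
        # Throw-away password: nobody keeps it. The account is re-enabled with a new,
        # vaulted password only after forensics clears it.
        $newPw = -join ((33..126) | Get-Random -Count 32 | ForEach-Object { [char]$_ })
        Set-ADAccountPassword -Identity $sam -Reset `
            -NewPassword (ConvertTo-SecureString $newPw -AsPlainText -Force)
        Revoke-MgUserSignInSession -UserId "$sam@$TenantDomain" | Out-Null
        Write-Host "locked and signed out: $sam"
    }
}

function Block-ExternalAccess {
    # Run on the Windows gateway hosts. Stops the native RD Gateway and RRAS VPN services and
    # adds a NAMED inbound RDP block so the change is auditable and reversible. Appliance
    # VPNs and reverse proxies need the equivalent on their own consoles.
    foreach ($svc in 'TSGateway', 'RemoteAccess') {
        if (Get-Service -Name $svc -ErrorAction SilentlyContinue) {
            Stop-Service -Name $svc -Force
            Set-Service -Name $svc -StartupType Disabled
        }
    }
    New-NetFirewallRule -DisplayName 'IR-Block-Inbound-RDP' -Direction Inbound `
        -Protocol TCP -LocalPort 3389 -Action Block | Out-Null
}

# Order of operations (per host, then per tier):
#   Save-VolatileEvidence; Disconnect-Host        # on each affected machine, at the console
#   Lock-IdentityTier -SuspectSamAccounts 'svc-backup','helpdesk-admin'   # from a clean box
#   Block-ExternalAccess                          # on each Windows gateway
```

Disconnect-Host is the "disconnect, do not power off" rule made concrete: the adapter goes down, the session you typed it into dies, and everything in memory survives for the imager. Note that Lock-IdentityTier deliberately does not re-enable anything; the rotated break-glass credentials and the decision to bring accounts back belong to the IR lead after the baseline exists.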
Minutes 30 to 60: the carrier, the team, the negotiation posture
Three moves close out the first hour.
Notify your cyber insurance carrier. The carrier may direct you to its own panel forensics firm, which is often different from the firm you have on retainer. This needs to be reconciled inside the first hour, not in week two. The phone number to call your carrier on a Tuesday evening is the one you want printed and in the desk drawer along with this checklist.
Convene the response team in an out-of-band channel. Assume corporate phones and email are compromised. The team meets on a pre-defined Signal group, conference bridge on personal mobile, or in person at a designated location. The pre-defined part matters. Setting it up at 10:30 p.m. the night of an incident is a guaranteed way to waste 90 minutes.
Decide negotiation posture with counsel. There are three real options: silent observation (no contact with the attacker, but the negotiator monitors the attacker's portal and leak site so the option to engage stays open), active negotiation (a qualified negotiator engages on your behalf under counsel's direction), or no contact (no engagement at any point, recover from backups, accept the leak-site risk if exfiltration occurred). Before any payment is even considered, counsel checks whether the group or its wallets are subject to sanctions, because paying a sanctioned party is a separate legal problem from the ransom itself. The owner does not negotiate. The owner directs counsel, counsel directs the negotiator.
The three mistakes that turn a bad night into a closed business
Twenty-four years of forensics work in North Carolina, and the same three mistakes are still doing the most damage:
Paying without negotiation. The ransom note's first demand is the anchor, not the floor. Owners who pay the first demand without a qualified negotiator typically pay between three and five times the price an experienced negotiator settles at. Some incidents are not negotiable - the attacker has reputational reasons to hold the line - but the only way to find out is through a qualified intermediary, not through the owner logging into the live chat at midnight.
Restoring before forensics has a baseline. The instinct is to "just clean it up" so the business can be operational by morning. Every time it is done before forensics has established a baseline, three things follow: the evidence chain needed for the insurance claim is broken, the criminal referral becomes much harder to build, and - most painfully - the attacker's persistence mechanism is often restored along with the data, leading to a second incident inside 30 days. When restoration does happen, it goes onto rebuilt or reimaged hosts, from backups that forensics has checked for the attacker's foothold, not onto the same machines that were just encrypted.
Calling lawyers too late. Every conversation that happens before breach counsel is engaged is potentially discoverable. The IT team's Slack messages. The text thread between the owner and the office manager. The call to the brother-in-law who "knows about computers." None of those are protected. Calling counsel first is what puts everything that follows inside a channel that can claim privilege.
What most NC SMBs actually do (and why it costs them 3 to 5x)
The composite picture, drawn from the incidents Petronella has worked, the incidents Petronella's Registered Practitioner Organization peers have worked, and the incidents that show up in published industry data: the typical North Carolina SMB without a pre-rehearsed playbook spends the first hour doing the wrong things in the wrong order.
They power off systems. They call IT first and counsel last, sometimes days late. They restore from the most recent backup before forensics has touched the environment, often restoring the attacker's persistence along with the data. They open the live chat. They name a number first in the negotiation. By the time they are on the phone with a CMMC-RP credentialed lead, eight or twelve hours have passed and the price of everything that follows is locked in at a much higher level.
Owners who have walked through the Ransomware Readiness Checklist once, scored their posture, and rehearsed the first-hour playbook with their team consistently land in the opposite outcome. Same threat. Different price.
The 30-day move
You do not need to overhaul your security program this quarter. You need to do four specific things in the next 30 days:
- Walk the Ransomware Readiness Checklist through a 90-minute working session with your IT lead and your finance partner. Score it honestly.
- Sign an Incident Response retainer with a qualified forensics firm. Most cyber insurance carriers require one and many offer measurable rate reductions for documented retainers.
- Schedule a full backup restore test. Not a single file - a full database, a full mailbox, a full domain controller - and time it, because the time that restore takes is your real recovery window. If it fails, you have just discovered the most important thing you needed to know.
- Print the first-hour playbook. Put it in the desk drawer. Re-read it once a quarter.
If you are in a regulated industry, hold CUI under a CMMC pipeline, or are inside 12 months of a cyber insurance renewal, Petronella's active-matter posture for ransomware is the three-part program of Petronella XDR (24x7 monitored detection and response), the IR retainer, and the vCISO program (board-level posture reporting, insurance renewal preparation, quarterly tabletops). Pricing starts from a defined floor disclosed during scoping. All fixed-fee work is paid 100% upfront at contract execution per our 2026 payment terms.
The full Ransomware Readiness Checklist - 58 scored items across five categories, the first-hour playbook, the scoring sheet, and the 30-day action plan - is available as a PDF.
Download the Ransomware Readiness Checklist
Or, if you are reading this because something already feels off in your environment and you want to talk to a CMMC-RP credentialed expert today, call (919) 348-4912 and ask for Penny. She is our AI scheduler, and she will book your free 15-minute call. If you are in an active incident, call the same number and say "active incident" - a live human routes you in under a minute, 24x7.
The first hour decides the bill. Do not spend it wondering who to call.
About the author
Craig Petronella is the founder of Petronella Technology Group, Inc., a Raleigh NC cybersecurity firm serving North Carolina businesses since 2002. He is CMMC-RP credentialed and leads a 4-person CMMC-RP team operating as Registered Practitioner Organization #1449.