The 58-item posture review, structured the way a real forensics firm reads an incident.
Most ransomware checklists floating around the internet are vendor marketing dressed up as advice. They lead with the tool the vendor sells and treat every other control as decoration. This is not that document.
This checklist is divided into the five areas that actually decide whether your business survives a serious event:
- Backups — the only thing that matters at 3 a.m. when the encryption is done.
- Identity and access — because modern ransomware is a credential-theft event, not a malware infection.
- Endpoint, email, and network — the perimeter your IT team has been buying tools for since 2002.
- Detection, response, and forensics — the four phone calls you need pre-staged before the event.
- Business continuity and resilience — because ransomware is a business event, not an IT event.
It also includes a printable first-hour playbook, because owners who do not have one pre-rehearsed make the three most expensive mistakes inside the first 60 minutes: paying without negotiation, restoring before forensics, and calling lawyers too late.
North Carolina has become a deliberate target. Insurance carriers are repricing.
Two reasons NC is on the map. First, the Triangle and Triad have a dense concentration of professional-services firms (law, accounting, healthcare, engineering, construction) that hold sensitive data without enterprise security budgets. Second, NC is home to a growing number of Department of Defense suppliers in the CMMC pipeline, and operators have learned that a DoD supplier under deadline pressure pays faster than a typical SMB.
What we are seeing through Petronella's own forensics work and RPO peer reports:
- Median demand has roughly doubled over the last 24 months.
- Roughly half of incidents involve double extortion — exfiltration before encryption, with publication as the threat.
- Recovery times are being driven UP, not down, by AI-assisted reconnaissance that identifies and disables backup tiers before detonation.
- Carriers are denying or reducing claims on basic posture failures: no MFA on backup admin console, no EDR on domain controllers, no DMARC enforcement.
This is the environment your renewal underwriter is pricing into next year's premium. If your posture has not changed in three years, your premium is about to.
If ransomware is the risk that keeps you up, the right next step is not a free assessment.
For any SMB in NC with regulated data, customer-facing systems, or a DoD supplier relationship, ransomware is an active-matter risk. The deliberate three-part program below is what we recommend to clients who reach that conclusion. All fixed-fee engagement work is paid 100% upfront at contract execution per Petronella's 2026 payment terms.
Petronella XDR
Extended Detection and Response across endpoint, server, identity, and email telemetry. SOC analysts on a 24-hour rotation; behavioral AI flags lateral movement before detonation. Priced per IP plus a per-site node fee, from a defined floor disclosed during scoping. The single highest-impact investment an SMB can make against modern ransomware.
See the XDR program →
Incident Response Retainer
A pre-cleared forensics relationship with Petronella's CMMC-RP credentialed leads. 24x7 hotline, pre-staged chain of custody, compatible with the major cyber carrier panels. Many carriers offer measurable rate reductions for documented IR retainers with qualified firms.
See the IR program →
vCISO program
Board-level posture reporting, 12-month roadmap planning, insurance renewal preparation, quarterly tabletop exercises. Led by Blake Rea, CMMC-RP. Designed for SMBs that have outgrown "our IT guy handles it" and need an executive-level security voice without a full-time hire.
See the vCISO program →
58 items across 5 sections, plus the first-hour playbook.
SEC 1 Backups (12 items)
3-2-1-1-0 rule, immutability, off-site, restore tests, identity separation. The only thing that matters at 3 a.m.
SEC 2 Identity and access (12)
MFA on every account including service accounts, PAM, JIT elevation, break-glass docs. Modern ransomware is credential theft.
SEC 3 Endpoint, email, network (12)
EDR/XDR everywhere including DCs, email gateway with sandboxing, DMARC enforce, network segmentation, no RDP exposed.
SEC 4 Detection, response, forensics (12)
24x7 SOC, IR plan reviewed last 12 mo, IR retainer signed, tabletop in last year, 90+ day forensics-grade logs, breach counsel.
SEC 5 Business continuity (10)
Manual workarounds, out-of-band comms, payroll continuity, insurance reviewed and sublimits checked, board-level quarterly review.
PLAY First-hour playbook
The six moves in the first 60 minutes — print it, pin it above the desk of every executive on your response team.
The owner closest to the question "would we actually survive?"
NC SMB owners after watching a peer get hit
You watched a competitor pay six figures. You want the honest read on your own posture before it is you.
CFOs and COOs approaching cyber-insurance renewal
The 2026 questionnaire is twelve pages. The denials and reductions are tracked in the body copy above.
IT directors who have been told "you are covered"
Walk it through with the executive team on a single 60-minute call. The score tells the story without anyone defending a position.
NC defense contractors in the CMMC pipeline
DFARS 252.204-7012 is binding. The 72-hour DC3 reporting clock is unforgiving. Pre-incident posture is the only path that works.
Healthcare and legal practices holding privileged data
Double-extortion publication is the worst-case outcome. The 30-day action plan inside the PDF prioritizes the controls that prevent it.
The conversations that come up when leadership reads the score together.
The "we have backups" trap — why most SMBs score 4 out of 12 here
Every owner who has ever bought a backup product believes they have backups. Almost no owner who has not done a real restore test in the last 12 months actually does.
The 2026 standard is the 3-2-1-1-0 rule: three copies, two media types, one off-site, one offline or immutable, zero errors on the last verified restore. The checklist breaks backups into 12 specific items because each is a real failure mode our forensics team has watched destroy a recovery in the last 24 months:
- Backups stored on the same identity tier as production — one set of stolen admin credentials wipes both.
- "Immutable" backups set to 7-day immutability when the attacker had been inside the environment for 21.
- Backup admin consoles with single-factor passwords because the team forgot to enforce MFA on the backup tenant after migrating off-prem.
- Restore tests that consisted of restoring a single Word document, not a full database, not a full mailbox, not a domain controller.
The honest read on most SMB backup postures is 4 to 5 items out of 12. The fix is not buying a new backup product. It is auditing the one you already own and closing the specific gaps.
The 3-2-1-1-0 rule in plain language
Three copies of every critical dataset. Production counts as one. Two backups are required.
Two different media types. Disk-to-disk-to-cloud counts. Disk-to-disk-to-same-disk-array does not.
One copy stored off-site. Different building, different region, different power grid, different ISP. A flood, fire, building lockout, or regional cloud outage cannot take both copies at once.
One copy immutable or air-gapped. The attacker has admin credentials. The attacker can delete every backup their admin credentials can reach. The immutable or air-gapped copy is the one they cannot reach.
Zero errors on the last verified restore. Untested backups are not backups. They are hopes.
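The rule and the four failure modes above can be checked mechanically against a backup inventory. The following is an added example, not part of the checklist or of Petronella's tooling; the copy names, sites, identity-tier labels and the 21-day assumed dwell time are constructed, and the restore-scope requirement (file, database, mailbox, domain controller) follows the restore-test item above.

```python
"""Added example: score a backup inventory against 3-2-1-1-0 plus the
identity-separation, immutability-window, console-MFA and restore-scope
failure modes described above. All inventory data here is constructed."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class BackupCopy:
    name: str
    media: str              # e.g. "disk", "tape", "object-storage"
    site: str               # physical or cloud location label
    identity_tier: str      # which admin credential set controls this copy
    immutable_days: int = 0  # 0 means the copy can be deleted by an admin
    air_gapped: bool = False
    console_mfa: bool = True  # MFA enforced on the copy's admin console


@dataclass
class RestoreTest:
    days_ago: int
    scope: List[str]        # workload types actually restored
    errors: int


FULL_SCOPE = {"file", "database", "mailbox", "dc"}


def evaluate(production_site: str, production_tier: str,
             copies: List[BackupCopy], last_restore: Optional[RestoreTest],
             assumed_dwell_days: int = 21) -> List[Tuple[str, str]]:
    """Return (code, message) findings; an empty list means every item passed."""
    findings = []
    # 3 copies: production plus at least two backups
    if len(copies) < 2:
        findings.append(("COPIES", f"{len(copies)} backup copies; need at least 2 besides production"))
    # 2 media types
    if len({c.media for c in copies}) < 2:
        findings.append(("MEDIA", "all backup copies share one media type"))
    # 1 off-site copy
    if not any(c.site != production_site for c in copies):
        findings.append(("OFFSITE", "no copy stored outside the production site"))
    # 1 immutable or air-gapped copy that outlasts the attacker's dwell time
    protected = [c for c in copies
                 if c.air_gapped or c.immutable_days >= assumed_dwell_days]
    if not protected:
        short = [f"{c.name}={c.immutable_days}d" for c in copies if c.immutable_days]
        findings.append(("IMMUTABLE",
                         f"no copy survives a {assumed_dwell_days}-day dwell time "
                         f"(immutability windows: {', '.join(short) or 'none'})"))
    # Identity separation: stolen production admin credentials must not reach every copy
    if not any(c.identity_tier != production_tier for c in copies):
        findings.append(("IDENTITY", "every copy is controlled by the production identity tier"))
    # MFA on every backup admin console
    for c in copies:
        if not c.console_mfa:
            findings.append(("CONSOLE_MFA", f"{c.name}: admin console lacks MFA"))
    # 0 errors on a recent, full-scope verified restore
    if last_restore is None or last_restore.days_ago > 365:
        findings.append(("RESTORE", "no verified restore test in the last 12 months"))
    else:
        if last_restore.errors:
            findings.append(("RESTORE", f"last restore reported {last_restore.errors} errors"))
        missing = FULL_SCOPE - set(last_restore.scope)
        if missing:
            findings.append(("RESTORE", f"restore test never covered: {', '.join(sorted(missing))}"))
    return findings


def weak_posture() -> List[Tuple[str, str]]:
    """Constructed inventory resembling the failure modes listed above."""
    copies = [
        BackupCopy("nightly-nas", "disk", "hq", "corp-ad"),
        BackupCopy("cloud-vault", "object-storage", "us-east", "corp-ad",
                   immutable_days=7, console_mfa=False),
    ]
    return evaluate("hq", "corp-ad", copies, RestoreTest(40, ["file"], 0))


def strong_posture() -> List[Tuple[str, str]]:
    """Constructed inventory that satisfies every check."""
    copies = [
        BackupCopy("nightly-nas", "disk", "hq", "corp-ad"),
        BackupCopy("cloud-vault", "object-storage", "us-east", "backup-tenant", immutable_days=30),
        BackupCopy("monthly-tape", "tape", "offsite-vault", "backup-tenant", air_gapped=True),
    ]
    return evaluate("hq", "corp-ad", copies, RestoreTest(30, sorted(FULL_SCOPE), 0))


if __name__ == "__main__":
    for code, msg in weak_posture():
        print(f"[{code}] {msg}")
```

The weak inventory trips the immutability-window, identity-tier, console-MFA and restore-scope checks while still passing the three headline counts, which is exactly why "we have backups" scores poorly on the detailed items.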
The first-hour playbook — and why rehearsed owners pay 3 to 5x less
Six well-known moves you must make in the first 60 minutes. Owners who have rehearsed them on a written runbook consistently pay between one-third and one-fifth of what owners who have not rehearsed end up paying. The math is brutal and consistent across every IR firm that publishes numbers.
Minutes 0-15. Disconnect, do not power off. Call your IR retainer. Call breach counsel.
Minutes 15-30. Preserve volatile memory. Isolate the identity tier. Cut external access.
Minutes 30-60. Notify the cyber insurance carrier. Convene the response team in a pre-defined out-of-band channel. Decide negotiation posture with counsel.
What goes wrong when owners have not pre-rehearsed: they power off (destroying memory forensics), they call IT before counsel (putting subsequent conversations outside privilege), they "just clean it up" before forensics establishes a baseline (destroying the evidence chain), they talk to the attacker directly via the "live chat" link (anchoring the negotiation at 3-5x the floor).
The PDF includes the printable first-hour playbook. Pin it. Re-read it once a quarter.
The role of an IR retainer (and why "we'll figure out who to call" is the most expensive plan)
Owners often think of an IR retainer the way they think of an insurance policy: nice to have, hope to never use. The framing is wrong. The retainer is the operational instrument that decides how fast your response actually starts. It does three things you cannot do at 9:47 p.m. on a Tuesday when the ransom note appears:
- Pre-clears legal and contractual obligations. A new forensics firm engaged mid-incident takes 4 to 48 hours to onboard, sign NDAs, complete conflict checks, and clear procurement. A retained firm starts in under 60 minutes.
- Pre-stages chain of custody. Evidence handling that begins before counsel is engaged is rarely useful in litigation or insurance dispute. A retained firm operates under counsel's privilege from minute one.
- Lowers your carrier's risk premium. Many carriers offer measurable rate reductions for documented IR retainers with qualified firms.
The phrase "we'll figure out who to call when it happens" is not a plan. It is the most expensive single position an SMB can take, and the position most carriers now penalize at renewal.
Why insurance carriers are denying claims on basic posture failures
Cyber insurance is no longer a checkbox at renewal. Carriers are denying or reducing claims when post-incident forensics reveals a common posture failure. The denials are not arbitrary — they trace back to the policy language and the underwriting questionnaire the insured signed last year.
The top six denials and reductions we've tracked in 2025-2026:
- No MFA on a privileged account used to deploy the ransomware. Carriers treat this as misrepresentation on the questionnaire.
- No EDR on a domain controller. The "EDR on every endpoint" line is read to include servers and DCs.
- Backup admin console without MFA. A growing reduction trigger in 2026 questionnaires.
- No DMARC enforcement on the sending domain when the incident began with BEC impersonation.
- Stale privileged accounts belonging to employees who left 90+ days before the incident.
- No IR retainer when the policy required one as a condition of business interruption coverage.
The checklist surfaces every one of these BEFORE renewal. The cost of a single denied or reduced claim usually exceeds the cost of fixing the underlying gap by a factor of 50 or more.
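The six triggers above are all answerable from an asset and identity inventory before the questionnaire is signed. The following is an added example, not the checklist's own scoring and not Petronella's software; the DMARC parsing follows the published tag=value record format (p, sp, pct), and the accounts, hosts, dates and policy flags are constructed.

```python
"""Added example: audit a constructed environment inventory for the six
carrier denial/reduction triggers listed above. All data is constructed."""
from datetime import date
from typing import Dict, List

STALE_DAYS = 90  # the "left 90+ days before the incident" threshold above


def parse_dmarc(txt: str) -> Dict[str, str]:
    """Split a DMARC TXT record into lowercase tag -> value pairs."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags


def dmarc_enforcing(txt: str) -> bool:
    """Enforcing means receivers act on failures: p (and sp, which defaults
    to p) is quarantine or reject, and pct is the default 100."""
    tags = parse_dmarc(txt)
    policy = tags.get("p", "none").lower()
    sub_policy = tags.get("sp", policy).lower()
    pct = int(tags.get("pct", "100"))
    enforcing = {"quarantine", "reject"}
    return policy in enforcing and sub_policy in enforcing and pct == 100


def audit(accounts: List[dict], hosts: List[dict], dmarc_txt: str,
          backup_console_mfa: bool, policy_requires_retainer: bool,
          retainer_signed: bool, today: date) -> List[str]:
    """Return the trigger codes present in the inventory."""
    triggers = []
    if any(a["privileged"] and not a["mfa"] and a["enabled"] for a in accounts):
        triggers.append("MFA_PRIVILEGED")
    # "EDR on every endpoint" is read to include servers and domain controllers
    if any(not h["edr"] for h in hosts):
        triggers.append("EDR_GAP")
    if not backup_console_mfa:
        triggers.append("BACKUP_CONSOLE_MFA")
    if not dmarc_enforcing(dmarc_txt):
        triggers.append("DMARC")
    for a in accounts:
        if a["privileged"] and a["enabled"] and a.get("left_on"):
            if (today - a["left_on"]).days >= STALE_DAYS:
                triggers.append("STALE_PRIVILEGED")
                break
    if policy_requires_retainer and not retainer_signed:
        triggers.append("IR_RETAINER")
    return triggers


def sample_audit() -> List[str]:
    """Constructed inventory that trips every trigger; incident date 2026-01-15."""
    accounts = [
        {"name": "svc-backup", "privileged": True, "mfa": False, "enabled": True, "left_on": None},
        {"name": "jdoe-admin", "privileged": True, "mfa": True, "enabled": True,
         "left_on": date(2025, 9, 1)},
        {"name": "asmith", "privileged": False, "mfa": True, "enabled": True, "left_on": None},
    ]
    hosts = [
        {"name": "DC01", "role": "domain controller", "edr": False},
        {"name": "WS-17", "role": "workstation", "edr": True},
    ]
    dmarc = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"  # monitoring only
    return audit(accounts, hosts, dmarc, backup_console_mfa=False,
                 policy_requires_retainer=True, retainer_signed=False,
                 today=date(2026, 1, 15))


if __name__ == "__main__":
    print(sample_audit())
```

A `p=none` record, the state most domains sit in after a first DMARC rollout, is what the "no DMARC enforcement" trigger means; the parser also refuses to call a record enforcing when `pct` is below 100 or a subdomain policy of `none` leaves the door open.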
The AI angle — why 2026 ransomware looks different
Attacker side. Modern ransomware crews use AI for reconnaissance, spear-phishing, and exfiltration prioritization. AI-drafted phishing now passes well-trained users at roughly twice the rate of human-drafted phishing. AI-enhanced reconnaissance identifies backup tiers, privileged accounts, and the highest-value data to exfiltrate within minutes of initial access. The window between initial access and detonation has compressed from days to hours.
Defender side. Modern XDR platforms use behavioral AI to detect lateral movement that signature-based tools miss. Identity-side AI flags impossible-travel sign-ins, anomalous service-account behavior, and credential-stuffing in real time. AI-assisted IR triage compresses the first-hour decision tree from 90 minutes to 15.
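"Impossible travel" is one of the identity-side signals named above, and its simplest form needs no AI at all: consecutive sign-ins by one user whose implied speed exceeds what any aircraft could deliver. The following is an added example, not Petronella XDR's detection logic; the sign-in lines, coordinates and the 900 km/h threshold are constructed assumptions.

```python
"""Added example: flag impossible-travel sign-in pairs from constructed
log lines of the form '<ISO timestamp> <user> <lat> <lon> <result>'."""
import math
from collections import defaultdict
from datetime import datetime
from typing import Dict, List

MAX_PLAUSIBLE_KMH = 900.0   # assumed ceiling for commercial air travel
MIN_DISTANCE_KM = 500.0     # ignore short hops and geolocation jitter

# Constructed sample log: Raleigh then Amsterdam 40 minutes apart for alice,
# Charlotte then Greensboro 3.5 hours apart for bob.
SIGNINS = [
    "2026-01-15T13:02:10Z alice 35.78 -78.64 success",
    "2026-01-15T13:41:55Z alice 52.37 4.90 success",
    "2026-01-15T09:00:00Z bob 35.23 -80.84 success",
    "2026-01-15T12:30:00Z bob 36.10 -79.79 success",
]


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points on a 6371 km sphere."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def parse_line(line: str) -> dict:
    ts, user, lat, lon, result = line.split()
    return {"time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user, "lat": float(lat), "lon": float(lon), "result": result}


def detect(lines: List[str]) -> List[Dict[str, object]]:
    """Return one alert per consecutive same-user pair that implies impossible travel."""
    by_user = defaultdict(list)
    for rec in (parse_line(l) for l in lines):
        if rec["result"] == "success":       # failed attempts do not prove presence
            by_user[rec["user"]].append(rec)
    alerts = []
    for user, events in by_user.items():
        events.sort(key=lambda r: r["time"])
        for prev, cur in zip(events, events[1:]):
            dist = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            hours = (cur["time"] - prev["time"]).total_seconds() / 3600
            if dist < MIN_DISTANCE_KM:
                continue
            # Zero elapsed time with a large distance is impossible by definition
            speed = float("inf") if hours == 0 else dist / hours
            if speed > MAX_PLAUSIBLE_KMH:
                alerts.append({"user": user, "distance_km": round(dist, 1),
                               "hours": round(hours, 2), "speed_kmh": round(speed, 1),
                               "from": prev["time"].isoformat(), "to": cur["time"].isoformat()})
    return alerts


if __name__ == "__main__":
    for a in detect(SIGNINS):
        print(f"{a['user']}: {a['distance_km']} km in {a['hours']} h ({a['speed_kmh']} km/h)")
```

The rule is deliberately conservative: it only counts successful sign-ins, skips pairs under 500 km so a user moving between branch offices is not flagged, and reports the implied speed so an analyst can judge whether a VPN egress point rather than an attacker explains it.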
Petronella's positioning is specific: we design and operate private, in-house AI. For clients who must keep their data inside a defined boundary, we run the AI on infrastructure the client controls, with no data leaving the boundary. The same private-AI capability underpins our behavioral detection in Petronella XDR.
NC-specific notification timelines and jurisdictions
Every ransomware event in NC triggers a layered set of obligations. The checklist references the documents and timelines below; this is orientation, not legal advice.
NC Identity Theft Protection Act (N.C.G.S. 75-65). Notification to affected NC residents "without unreasonable delay" after discovery. The Attorney General's Consumer Protection Division must also be notified.
HIPAA breach notification. Any HIPAA-covered entity has 60 days from discovery to notify affected individuals, HHS, and (for 500+ residents) prominent state media.
CMMC and DoD obligations. Defense Industrial Base contractors have additional reporting under DFARS 252.204-7012 (72-hour reporting to DC3) and CMMC L2 reporting to the CMMC Accreditation Body.
Federal resources. FBI Charlotte field office handles cyber incidents in NC. CISA operates a 24x7 reporting line. NC SBI accepts referrals for cases with state-law nexus.
The questions owners ask before they download.
Is this checklist really free, or is there a catch?
It is free. Petronella publishes the checklist as a posture-review tool because we've learned, after 24 years of forensics work, that owners who walk through it once are far better prepared whether or not they ever engage us. Some download the PDF, fill it out, and never call; that is fine, because the threat landscape is safer when more SMBs are honest with themselves about posture. Many do call, because what the checklist surfaces is uncomfortable and the next conversation is most efficient with a CMMC-RP expert in the room.
My IT person says we are "covered" on ransomware. How do I challenge that without picking a fight?
Give them the checklist and ask them to walk it through with you on a single 60-minute call. Score each item as Yes, Partial, or No. The number tells the story without anyone defending a position. Most "we are covered" assertions land in the Workable band on first scoring, which is a useful baseline. Catastrophic results are usually a sign that the IT function has been under-resourced for years, not that the IT person is wrong.
We have cyber insurance. Why do I need a separate IR retainer?
Most cyber insurance policies require an IR retainer (or pay reduced benefits without one), and most owners do not learn this until they file the first claim. The carrier's "panel" of pre-approved forensics firms also rarely includes a firm based in your region with relationships to your local FBI field office and state regulators. A retained firm pre-cleared to both your carrier's panel and your jurisdiction is the strongest position.
If we get hit at midnight on a Saturday, what actually happens when we call (919) 348-4912?
A live human — not a voicemail tree — picks up on the first ring 24x7. You say "active incident." Within 60 seconds you are connected to a CMMC-RP credentialed lead. Within 15 minutes a forensics engagement is opened under attorney-client privilege if you have not already engaged counsel. Within 60 minutes a containment plan and an insurance-carrier notification plan are in motion.
What is Petronella XDR and how is it different from antivirus?
Antivirus matches signatures of known malware. Modern ransomware operators are not detected by antivirus because they live off the land using legitimate administrative tools (PowerShell, PsExec, RDP, remote-management software). Petronella XDR is an Extended Detection and Response service that monitors behavior across endpoint, server, identity, and email signals 24x7, with SOC analysts and behavioral AI watching for the lateral-movement patterns that precede ransomware detonation. The single highest-impact 2026 investment against the actual threat.
What about backups? Do you sell a backup product?
Petronella does not lead with a single backup product because the right answer depends on the business. We design backup architecture around the 3-2-1-1-0 rule and integrate with the backup tools you already own when they meet the standard. Where they do not, we recommend specific options and explain the tradeoffs. Petronella encrypted data and email covers the most sensitive subset (data and mailbox protection with end-to-end encryption for regulated data).
Do you only work with DoD contractors and CMMC clients?
No. Roughly half of Petronella's client base is in regulated industries (healthcare, legal, accounting, financial services, defense supply chain) and the other half is general SMB. The Ransomware Readiness Checklist applies equally to both. The CMMC-RP credential matters because the rigor of CMMC L2 raises the bar on every adjacent engagement, even when CMMC is not directly in scope.
What does engaging Petronella actually cost?
From a defined floor disclosed during scoping. Petronella XDR is priced per IP plus a per-site node fee; the IR retainer is a flat annual fee; the vCISO program is a tiered monthly retainer. All fixed-fee engagement work is paid 100% upfront at contract execution per our 2026 payment terms. Most SMB ransomware-posture engagements land in a defined range that we walk through on the first scoping call.
Can we run a tabletop exercise before signing anything?
Yes. A guided tabletop exercise is the most common first engagement after the checklist. It is a half-day session with the executive team that produces a written gap report. Priced from a defined per-session fee, sometimes credited against a subsequent XDR or vCISO engagement.