24/7 Emergency Cyber Response

Your Business Is Under Attack Call Petronella Right Now

If ransomware just encrypted your files, an attacker is in your email, funds were just wired to a fraudulent account, or data is actively being stolen, stop reading and call us. Petronella Technology Group runs a Raleigh based incident response team with more than two decades of field experience in ransomware, business email compromise, crypto theft, and network breach containment.

CMMC Registered Practitioner Org #1449 | BBB A+ Since 2003 | Founded 2002
24/7 Incident Hotline. Answered By A Responder. (919) 348-4912
CMMC-AB RPO #1449 | BBB A+ Since 2003 | DFE #604180 | Founded 2002 | Raleigh, NC
What Counts As An Emergency

What Counts As A Cyber Emergency Worth Calling A 24/7 Team At 3 AM?

Not every security scare is an active incident. These nine patterns, however, almost always require immediate professional containment.

If ransomware is actively encrypting files, a wire transfer was just misrouted, an attacker has live access to email, a wallet was just drained, or regulated data is visibly exposed, that is an emergency. Call immediately. The cost of waiting until business hours is almost always higher than the cost of the call. (919) 348-4912 rings to a responder.

If you are seeing any of the signs below, pick up the phone. Calling at three in the morning is a normal thing for us. Waiting until business hours can cost you the entire incident.

Active ransomware. Files on one or more machines have been renamed with an unfamiliar extension. A ransom note, usually a text file, HTML file, or desktop wallpaper change, is demanding payment in Bitcoin or Monero. Shared drives are starting to fail because the attacker is still actively encrypting data.

Business email compromise in motion. A client, vendor, or employee just reported an invoice that looks off, or payroll was rerouted, or a wire transfer went out to an account nobody recognizes. An inbox rule is silently forwarding executive mail to an unknown Gmail address.

Crypto wallet drained. Hardware wallet, exchange account, or custodial wallet just got emptied. Or a pig butchering or romance scam victim just realized the investment platform was fake and the funds are gone.

Unauthorized logins. Microsoft 365 or Google Workspace alerts show logins from Nigeria, Russia, or random VPN endpoints on admin or executive accounts. Multiple failed MFA pushes have been denied in the last hour, followed by a successful login.

Disclosure already happened. A dark web monitoring service, a customer, a journalist, or a federal agent reached out to tell you your data appears to be for sale. Someone posted your client list on a leak site.

Insider exfiltration. A terminated or departing employee has been running large downloads, plugging in unknown USB devices, or moving sensitive folders to personal cloud storage.

Regulated data exposure. Protected health information, controlled unclassified information, cardholder data, or personally identifiable information is visibly exposed on a misconfigured storage bucket, shared link, or public directory.

SCADA, ICS, or OT alarms. Industrial control systems are throwing alarms or acting outside normal setpoints. A manufacturing line or medical device network is behaving erratically.

Active phishing campaign against your customers. Your clients are getting emails that look like you, but are not you. Your domain is being spoofed, or a lookalike domain was just registered.

If the situation is ambiguous, call anyway. A short triage call costs nothing and tells you whether we need to mobilize or whether a simple fix will do the job tomorrow morning.

First 10 Minutes

What Are The First Five Actions Before A 24/7 Responder Dials Back?

These five actions are safe for any incident class. Most small businesses can complete them in under ten minutes while a responder is dialing back to your number.

Isolate the device by pulling the network cable rather than powering off. Stop using the compromised device. Tell a senior person and loop in legal counsel and cyber insurance. Preserve all evidence. Call (919) 348-4912.

01. Isolate, do not power off. Unplug the network cable or kill Wi-Fi on the affected system.

02. Stop using the compromised device for anything. Do not log back in. Do not reboot.

03. Tell a senior person. Legal counsel and cyber insurance carrier must be looped in quickly.

04. Preserve evidence. Do not delete files, ransom notes, emails, or log entries.

05. Call Petronella Technology Group at (919) 348-4912. We will stay on the line.

Powering a ransomware machine off can destroy memory-resident evidence including the encryption key. Unplugging the network cable or disabling Wi-Fi is almost always the better move because it stops data exfiltration and further encryption while keeping the volatile state intact for forensic imaging. If the device is a laptop that has left the building, leave it running on battery and keep it in a safe place until we can collect it or walk your team through remote preservation.

Most cyber insurance policies require notification within a specific window, often twenty four or seventy two hours. Missing that window can void coverage. Pull out your policy, find the claims phone number, and call it even before you are sure what happened. Carriers are used to these calls and will not penalize you for a false alarm, but they will for a late notification.

First 24 Hours

What Does The First 24 Hours Of Incident Response Actually Look Like?

Here is how a typical engagement unfolds the first day Petronella Technology Group is on the clock.

Hour zero is triage and containment. Hours one through four are scoping, evidence capture, and scope validation. Hours four through twelve are eradication planning and parallel hardening. Hours twelve through twenty four are recovery staging, communication planning, and regulator or insurer notification where required. The exact sequence varies by incident class.

Hours 0 to 2, intake and scoping. A responder gets on a call or bridge with the decision maker and the on site IT contact. We identify affected systems, confirm which accounts are still trusted, agree on a secure out of band channel (usually Signal or a fresh Teams tenant), and stand up a locked down evidence repository. Your insurance carrier and breach counsel are usually on the bridge by the end of this window.

Hours 2 to 6, containment. We disable compromised accounts, kill active sessions, rotate credentials starting with the domain admin tier, force password resets, enable conditional access rules blocking unknown countries, and pull suspicious inbox forwarding rules. If ransomware is still active, we isolate affected network segments and hypervisors to stop further encryption.

Hours 6 to 12, forensic imaging. We image the affected endpoints, collect Microsoft 365 and Google Workspace unified audit logs, pull EDR telemetry, and preserve firewall, VPN, and RMM logs. Chain of custody documentation starts here in case law enforcement or a civil matter is likely.

Hours 12 to 24, preliminary findings. Initial timeline of compromise, likely initial access vector (phishing, exposed RDP, third party software, MFA fatigue, stolen session token), blast radius, and exfiltration indicators. First written status memo goes to counsel and carrier.

The first day is about stopping the bleeding and preserving evidence. Eradication, recovery, and post incident hardening happen over the following days and weeks depending on incident complexity.

First 7 Days

What Happens In The First Seven Days Of A Ransomware Or BEC Incident?

Most mid market incidents are contained and fully recovered within seven to fourteen days. Here is what that looks like.

Week one is eradication, controlled recovery, forensic timeline work, and compliance-grade documentation. Systems come back online as they are validated, not all at once. Communication plans for employees, clients, and insurers are in motion. Legal counsel and breach coach coordination is active. Full recovery often extends past week one, but the critical path is set in days one through seven.

Days 2 and 3, eradication. Now that scope is understood, we remove attacker persistence. That includes scheduled tasks, run keys, WMI subscriptions, malicious service accounts, OAuth app grants in Microsoft 365 and Google Workspace, rogue inbox rules, and any new user accounts the attacker created. Tenant level secrets and API tokens are rotated.

Days 3 to 5, recovery. Clean systems are rebuilt from trusted backups or gold images. Encryption keys are recovered if a known strain is involved and decryptors exist. Mailboxes are restored from point in time backups where possible. Cloud data is restored from immutable snapshots.

Days 5 to 7, hardening and handback. We enable conditional access, MFA on every account, privileged identity management, tamper protection on the EDR, application allowlisting where the environment supports it, and offsite immutable backups. A formal incident report, with timeline, root cause analysis, IOCs, and recommended remediations, is delivered to counsel.

If regulated data was exposed, Petronella Technology Group supports your legal and compliance team with the breach risk assessment that drives HIPAA, state data breach notification, and sector specific (PCI DSS, FTC Safeguards, FAR 52.204-21, DFARS, CMMC) reporting decisions. We do not provide legal advice. We give your attorneys the factual evidence they need to advise you.

Services We Deliver

Incident Response Capabilities

Ransomware Response

Strain identification, negotiation support, decryption where public decryptors exist, backup restoration, and system rebuild. We do not facilitate ransom payments, but we help you, your carrier, and your counsel work with approved negotiators when payment is a legitimate option on the table.

Business Email Compromise

Microsoft 365 and Google Workspace forensics, wire recovery coordination, FBI IC3 filings, bank fraud team contacts, and kill chain reconstruction. If funds are already out, early filing with FBI IC3 at ic3.gov is the single highest leverage action.

Network Forensics

Packet capture analysis, firewall log reconstruction, VPN and RMM review, Active Directory audit, and lateral movement timeline. See our network forensics pillar for the full methodology.

Crypto Theft Tracing

Blockchain analysis of stolen funds, exchange coordination for freezing, and evidence packages that meet FBI IC3 and exchange compliance standards. See our crypto forensics pillar.

HIPAA Breach Response

Breach risk assessment, HHS notification support, OCR inquiry preparation, and patient notification content review. We do not draft legal notices, but we deliver the facts your counsel needs to do so correctly.

CMMC And DFARS Incident Reporting

If controlled unclassified information was exposed, the DoD DIBNet reporting window is seventy two hours. Our CMMC Registered Practitioners support the incident report filing and the post incident control review.

Common Attack Patterns

What We See Most Often In Emergency Calls

Most incidents trace back to a small number of initial access vectors. Recognizing the pattern early speeds up containment.

MFA fatigue and session token theft. An attacker has a valid password from a credential dump or phishing page, and then hammers the user with push notifications until they tap approve, or they use a modern phishing kit that steals the session cookie after legitimate sign in. Once inside Microsoft 365 they create inbox rules, grant an OAuth app consent, and start collecting invoices. Kill session tokens, rotate passwords, revoke OAuth grants, and enforce phishing resistant MFA on every account that can support it.
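The two indicators this pattern (and the business email compromise and unauthorized login signs above) hinge on, an inbox rule forwarding mail outside the tenant and a burst of denied MFA prompts ending in a successful sign in, can be checked with a short triage script over exported audit data. The following is an added example, not Petronella's tooling; it runs over constructed records shaped loosely like Exchange Online inbox-rule audit entries and sign-in events, and the field names and the trusted domain list are assumptions.

```python
"""Added triage helper: flag BEC-style inbox rules and MFA-fatigue sign-in
bursts in constructed Microsoft 365 style records (not the firm's own code)."""
from datetime import datetime, timedelta

TRUSTED_DOMAINS = {"example.com"}  # assumption: the victim organization's own domains

# Constructed records shaped like Exchange Online audit entries for inbox-rule
# cmdlets (assumption: Name/Value parameter pairs as in unified audit log exports).
RULE_RECORDS = [
    {"UserId": "cfo@example.com", "Operation": "New-InboxRule",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "ForwardTo", "Value": "acct.archive@gmail.com"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"UserId": "ap@example.com", "Operation": "New-InboxRule",
     "Parameters": [{"Name": "Name", "Value": "Vendors"},
                    {"Name": "MoveToFolder", "Value": "Vendors"}]},
    {"UserId": "ceo@example.com", "Operation": "Set-InboxRule",
     "Parameters": [{"Name": "Name", "Value": "Delegate"},
                    {"Name": "RedirectTo", "Value": "assistant@example.com"}]},
]
# Constructed sign-in events (user, UTC time, outcome); field names are assumed.
SIGNIN_EVENTS = [
    ("cfo@example.com", "2024-05-06T01:40:00", "mfa_denied"),
    ("cfo@example.com", "2024-05-06T01:42:00", "mfa_denied"),
    ("cfo@example.com", "2024-05-06T01:45:00", "mfa_denied"),
    ("cfo@example.com", "2024-05-06T01:46:30", "success"),
    ("ap@example.com", "2024-05-06T08:00:00", "mfa_denied"),
    ("ap@example.com", "2024-05-06T08:05:00", "success"),
]
FORWARD_PARAMS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")
HIDE_PARAMS = ("DeleteMessage", "MarkAsRead")  # used to hide the forwarded copies

def external_domain(address, trusted):
    return address.rsplit("@", 1)[-1].lower() not in trusted

def suspicious_inbox_rules(records, trusted=TRUSTED_DOMAINS):
    """Return (user, reasons) for rules that forward mail outside the tenant."""
    findings = []
    for rec in records:
        if rec["Operation"] not in ("New-InboxRule", "Set-InboxRule"):
            continue
        params = {p["Name"]: p["Value"] for p in rec["Parameters"]}
        reasons = [f"forwards to {v}" for k, v in params.items()
                   if k in FORWARD_PARAMS and external_domain(v, trusted)]
        if reasons:  # hiding copies only matters once mail leaves the tenant
            reasons += [f"{k}=True" for k in HIDE_PARAMS if params.get(k) == "True"]
            findings.append((rec["UserId"], reasons))
    return findings

def mfa_fatigue_candidates(events, min_denials=3, window=timedelta(hours=1)):
    """Users with >= min_denials MFA denials inside `window` before a success."""
    by_user, hits = {}, set()
    for user, ts, outcome in sorted(events, key=lambda e: e[1]):
        by_user.setdefault(user, []).append((datetime.fromisoformat(ts), outcome))
    for user, seq in by_user.items():
        for i, (t, outcome) in enumerate(seq):
            if outcome != "success":
                continue
            denials = sum(1 for t2, o in seq[:i]
                          if o == "mfa_denied" and t - t2 <= window)
            if denials >= min_denials:
                hits.add(user)
    return sorted(hits)

if __name__ == "__main__":
    for user, why in suspicious_inbox_rules(RULE_RECORDS):
        print(f"[inbox rule] {user}: {'; '.join(why)}")
    for user in mfa_fatigue_candidates(SIGNIN_EVENTS):
        print(f"[mfa fatigue] {user}: repeated denials then success within 1h")
```

The constructed data flags only the CFO account on both checks; a hit on either is the cue to kill sessions, rotate the password, and revoke OAuth grants for that user as described above.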

Exposed RDP or VPN. Remote Desktop on port 3389 open to the internet with a weak password is still how many small businesses get breached. Attackers use credential stuffing against SSL VPNs. Once they are in, they drop a remote access tool, disable endpoint protection, dump credentials with common tools, and kick off ransomware. Shut down internet exposed RDP, require MFA on every VPN session, and move to conditional access.

Third party software compromise. A managed services provider, a line of business application, an accounting add in, or a browser extension is the initial vector. The attacker uses the third party connection as a supply chain into multiple downstream customers. If your MSP was breached and you are a customer, assume your environment needs containment too.

Phishing to ransomware pipeline. The user opens a OneDrive link, the attacker harvests a session token, an EDR bypass loader is uploaded, attackers move laterally for days or weeks, and encryption happens late at night on a Friday or a long holiday weekend. Shortening the detection window from weeks to hours is the entire point of a modern managed detection and response service.

Social engineering at the help desk. The attacker calls your outsourced help desk pretending to be an executive, socially engineers a password reset or MFA re enrollment, and takes over the account. Train help desk staff on voice verification and out of band callback policies. Document who is allowed to approve what.

Before It Happens

Retainer And Readiness Options

Most of our emergency callers never had a prior relationship with Petronella Technology Group. If you would rather not be cold calling a stranger at two in the morning, we also offer incident response readiness on a preplanned basis.

An incident response retainer gives you a preapproved hourly rate, a named lead responder, a scoped statement of work, and a set of on call contact paths so nothing needs to be negotiated during the crisis. We build an environment profile in advance so the first hour of an incident is not spent learning your stack. Most of our retainer customers also receive tabletop exercises twice a year, a short simulated phishing program, and a quarterly review of detection coverage against the MITRE ATT&CK framework.

If you are not ready for a full retainer, a one time readiness assessment is another option. Petronella Technology Group reviews your documentation, your backup strategy, your Microsoft 365 or Google Workspace configuration, your endpoint and firewall posture, and your legal and insurance contacts. You walk away with a prioritized gap list and the right phone numbers taped to the inside of your ops wiki. That alone often cuts hours out of real incident response.

Cyber insurance carriers increasingly favor, and in some cases require, a preexisting relationship with an approved incident response firm. Check with your broker. If Petronella Technology Group is not on your panel, a simple conversation between your carrier and our partnerships team can often get that added before your next renewal.

Who We Help

Organizations That Call Us

Defense contractors
Medical and dental practices
Law firms
CPAs and wealth advisors
Engineering firms
Manufacturers
Real estate brokerages
Property managers
Credit unions
Nonprofits with donor data
Individual crypto theft victims
Family offices

What We Cannot Do

Honest Scope, No Surprises

Before you call, here is what Petronella Technology Group does not offer. Being upfront here saves everyone time.

We are not a licensed private investigator firm. Our forensic work focuses on computer, network, email, and blockchain evidence, not physical surveillance, process service, or mobile device imaging on family law or custody matters. We do not operate Cellebrite, EnCase, or similar mobile forensic extraction platforms. If your matter requires those tools, we will refer you to a trusted partner.

We are not attorneys. We work closely with breach counsel, cyber insurance panel firms, and your outside lawyers, but we do not give legal advice. Anything that touches regulatory notification, contract language, or law enforcement cooperation runs through your attorney.

We are not licensed mental health professionals. Extortion, stalking, and personal account compromise cases are traumatic. If you need therapy referrals, we will help you find them, but our scope is the technical containment.

Crypto recovery is not guaranteed. Anyone promising guaranteed recovery of stolen cryptocurrency is a secondary scam. We trace, we coordinate with exchanges and law enforcement, and we give you honest probability estimates. Recovery rates depend on blockchain choice, time elapsed, and whether funds landed on a regulated exchange.

FAQ

Emergency Response Questions

How fast can Petronella Technology Group respond?

Remote triage begins within about an hour of your first call. On site response in the Raleigh Durham Chapel Hill triangle is same day in most cases. For organizations elsewhere in North Carolina and the Southeast, we typically deploy within twenty four hours when physical access is required. Most ransomware, business email compromise, and account takeover work happens remotely and starts the moment we pick up the phone.

What does an emergency engagement cost?

We quote a fixed scope for the first seventy two hours based on the complexity and blast radius, then move to a time and materials basis for extended recovery. Cyber insurance usually covers professional incident response at the agreed panel rates. A short scoping call costs nothing. Call (919) 348-4912 and we will walk you through the numbers.

Should I pay a ransom?

The FBI and CISA strongly advise against paying. Many victims who pay are attacked again within a year by the same group or one of its affiliates. Payment also rarely returns all data intact, and in some cases sending funds to sanctioned groups can expose your organization to OFAC penalties. That said, there are rare cases where payment is the least bad option. That decision is made by you, your counsel, your insurance carrier, and an approved negotiator, with full eyes open on the legal and operational risks.

Do I have to tell customers and regulators?

If regulated data (protected health information, cardholder data, personal data under state law, controlled unclassified information) was accessed or exfiltrated, almost certainly yes. The specific triggers, timelines, and wording come from your counsel based on HIPAA, state data breach laws, PCI DSS, and federal contracting rules. Our job is to give counsel the evidence trail required to make that decision correctly.

Can Petronella handle my cyber insurance paperwork?

We coordinate directly with your carrier and their panel counsel throughout the engagement. We supply the status memos, forensic findings, and final incident report the carrier needs to approve costs and adjust the claim. We do not file the claim itself, but we work alongside your broker or in house risk team.

What if the incident turns out to be a false alarm?

Good. That happens regularly and it is a much better outcome than a missed real incident. You pay for the scoping call and any triage work already performed. No one is going to scold you for calling early.

Can you help individuals, not just businesses?

Yes. Crypto theft, SIM swap, romance scams, sextortion, and hacked personal accounts are some of the most common intake patterns. Individual engagements are scoped differently, but we do not turn victims away.

Reporting Resources

Agencies And Hotlines You Should Know

These federal and state resources are a core part of most emergency response plans. Most are free.

FBI IC3, ic3.gov. Online intake for cyber crime reports, including business email compromise, ransomware, crypto theft, and tech support scams. The Recovery Asset Team has a strong track record on wire fraud when the report is filed within seventy two hours.

CISA, cisa.gov/report. Critical infrastructure and significant cyber incident reporting. A place to exchange indicators of compromise.

NC State Bureau of Investigation Computer Crimes Unit. North Carolina specific investigative resource for computer intrusions and online fraud.

HHS Office for Civil Rights, hhs.gov HIPAA breach notification portal. Breaches affecting five hundred or more individuals must be reported within sixty days.

DoD DIBNet, dibnet.dod.mil. Defense Industrial Base cyber incident reporting. Seventy two hour window when controlled unclassified information is impacted.

NCMEC CyberTipline, report.cybertip.org. National Center for Missing and Exploited Children. Required reporting route for any incident involving exploitation of minors.

FTC, reportfraud.ftc.gov. Consumer fraud intake. Useful for identity theft and tech support scam cases.

Call Now

The Sooner You Call, The More We Can Save

Every hour an attacker sits inside your environment is another hour of data exfiltration, lateral movement, and credential theft. If you think you are in trouble, you probably are. Call Petronella Technology Group at (919) 348-4912 and get a real person on the phone.