The moment ransomware is confirmed, one decision matters more than any other: how fast and how completely can you cut off the infected systems from everything else.
Every minute of delay between detection and isolation is additional encryption across your environment. Every connected system that remains reachable from an infected endpoint is a potential next target. The decisions your team makes in the first fifteen minutes of a confirmed ransomware event determine whether the incident is contained to a handful of systems or whether it reaches domain controllers, backup infrastructure, and the data your organization cannot afford to lose.
Containment is not a sophisticated security operation. It does not require advanced tools or specialized expertise to execute the basic actions. What it requires is a clear sequence, pre-established authority to act without approval chains, and a team that has practiced the actions enough to execute them under pressure without hesitation.
This article covers the specific containment strategies that limit ransomware spread, how to execute them in the right sequence, what to avoid during containment that makes the situation worse, and what the organization needs in place before an incident to make fast containment possible.
Organizations strengthening ransomware preparedness should also evaluate cybersecurity services, incident response services, and ransomware protection services.
Why Containment Speed Determines Recovery Scope
The relationship between containment speed and recovery scope is direct and quantifiable. The longer ransomware runs before containment, the more systems are encrypted, the more backup infrastructure is potentially reached, and the more the recovery timeline and cost increase.
Modern ransomware operates on two timescales simultaneously. The automated encryption component, once triggered, moves at machine speed across the network paths and credential access it has been given. The human operator component, present in most enterprise ransomware attacks, has typically been in the environment for days to weeks before triggering encryption, using that dwell time to maximize the blast radius of the encryption event by identifying and compromising backup systems, escalating privileges, and mapping the network.
Containment during the automated encryption phase limits how many additional systems are encrypted after detection. Containment that also addresses the human operator component, by terminating active sessions, resetting compromised credentials, and closing attacker access points, prevents reinfection of systems that are isolated and later restored.
Both dimensions of containment matter. Organizations that isolate infected systems but do not address the attacker’s persistent access frequently experience reinfection of restored systems because the attacker remains in the environment through backdoors and persistence mechanisms that survive the isolation of specific endpoints.
The Containment Sequence
Effective containment follows a sequence that prioritizes the actions with the highest impact on limiting spread while preserving the evidence and recovery options needed for the response that follows. The sequence is not optional. Executing containment actions out of order consistently produces worse outcomes than following the sequence even under time pressure.
Step One: Confirm Before Acting at Scale
The first action is confirmation that ransomware is actually present, not a false positive from a security alert or a misidentified legitimate process.
Confirmation does not require forensic certainty about the variant, the scope, or the entry point. It requires enough confidence that the response team is not isolating systems based on a false alarm. The confirmation threshold should be low, not high, because the cost of isolating systems unnecessarily is recovery from an isolation action, while the cost of not isolating confirmed ransomware is additional encryption. When in doubt, isolate.
Confirmation signals include:
- Multiple systems displaying ransom notes
- Encrypted files with altered extensions appearing on file servers
- Security alerts from endpoint detection tools indicating ransomware process activity
- User reports of inaccessible files across multiple departments simultaneously
A single user reporting inaccessible files may be a different problem. Multiple systems showing the same pattern within minutes of each other is ransomware until proven otherwise.
Step Two: Isolate Infected Systems Immediately
Once ransomware is confirmed, infected systems must be isolated from the network immediately. The isolation method depends on the system type and your network architecture, but the objective is the same in every case: remove the infected system’s ability to communicate with anything else on the network.
For endpoints connected by cable, physical disconnection of the network cable is the fastest and most reliable isolation method. It does not depend on software, credentials, or network infrastructure that may already be compromised. Pull the cable.
For wireless endpoints, disabling the wireless adapter through the operating system is faster than physical hardware removal for most devices. If the operating system is unresponsive due to encryption activity, disabling the wireless access point that the device is connected to isolates the device without requiring access to the device itself.
For virtual machines, isolating the VM from the network through the hypervisor management interface removes its network connectivity without affecting the host or other VMs on the host. This action should be performed at the hypervisor level rather than within the VM, because a ransomware-affected VM’s operating system cannot be trusted to execute isolation actions reliably.
For server systems, the isolation decision is more complex because servers typically serve multiple functions that other systems depend on. A domain controller that is isolated disrupts authentication across the environment. A file server that is isolated disrupts access to shared data for every user. These consequences are preferable to allowing the ransomware to continue encrypting from the server, but the response team must be aware of the downstream effects and coordinate service continuity responses in parallel with isolation.
Step Three: Disable Switch Ports for Affected Segments
Physical network cable disconnection isolates individual known-infected endpoints. Switch port disabling extends containment to segments where infection may exist but has not yet been fully identified.
Disabling the switch ports serving a network segment prevents traffic from flowing between that segment and the rest of the network regardless of which specific devices on the segment are infected. This is a more aggressive containment action that accepts the operational disruption of taking down a segment in exchange for preventing spread from devices that may be infected but have not yet been identified.
The decision to disable switch ports for a segment rather than isolating individual devices depends on the pace of spread. If new systems are being encrypted faster than individual devices can be identified and isolated, segment-level isolation through switch port disabling is the appropriate response even though its blast radius for operational disruption is larger.
Switch port configuration requires access to network switch management interfaces with appropriate credentials. Those credentials must be documented and accessible outside the production environment before an incident, because locating them during an active event introduces delays that allow spread to continue.
Organizations improving segmentation and operational visibility should also review network security monitoring.
Step Four: Disable Remote Access Infrastructure
Remote access infrastructure, including VPN, Remote Desktop Gateway, remote monitoring and management tools, and any other system that provides connectivity into the environment from outside, must be disabled during active containment.
Attackers operating ransomware attacks frequently maintain access to the environment through remote access infrastructure. Disabling that infrastructure does not remove an attacker who has already established internal access through other means, but it closes the external pathway and prevents the attacker from establishing new remote sessions during the containment phase.
For organizations where remote access infrastructure is essential to business operations, the disruption of disabling VPN and remote access is significant. That disruption is preferable to leaving the attacker a direct pathway into the environment during containment.
Remote access infrastructure that is disabled for containment must be fully reviewed, reconfigured, and confirmed clean before it is re-enabled. Re-enabling compromised remote access infrastructure during recovery has produced reinfection in multiple documented ransomware incidents.
Step Five: Preserve Forensic Evidence Before Further Action
After initial isolation actions are complete, the response team must shift from containment to evidence preservation before any remediation work begins. This transition is one of the most commonly skipped steps in ransomware response, and skipping it consistently produces worse recovery outcomes.
Forensic evidence preserved during the containment phase includes:
- Memory captures from infected systems that contain the ransomware executable code, encryption keys that may still be resident in memory, attacker tools and scripts, and the authentication tokens of accounts the attacker used
- Network flow data and firewall logs from the period surrounding the incident that document the attacker’s movement through the environment, the systems they accessed, and whether data was transferred out of the environment before encryption
- Endpoint detection logs from the period before the encryption event that may show the attacker’s presence during the dwell period, including credential harvesting activity, lateral movement connections, and staging of ransomware components
- Active Directory logs documenting authentication events, privilege escalation actions, and account modifications that occurred during the dwell period and may reveal the full scope of compromise beyond the systems that were encrypted
- Photographs of ransom notes displayed on screens, screenshots of affected file directories, and documentation of every system confirmed as infected
The instruction to not shut down infected systems during the initial response exists specifically to preserve this evidence. A system that is shut down immediately upon ransomware detection loses its volatile memory content permanently. Isolate the system from the network. Do not shut it down.
Step Six: Assess the Scope of Infection
With initial containment actions complete and evidence preservation underway, the response team must conduct a systematic scope assessment to identify all affected systems before restoration planning begins.
Scope assessment errors, specifically beginning restoration before the full infection scope is understood, consistently extend recovery timelines. Systems that were not identified as infected during initial assessment and were therefore not isolated continue encrypting during restoration of other systems, producing a situation where the organization is simultaneously recovering systems and losing additional systems.
Scope assessment includes:
- Active directory authentication log review to identify systems that authenticated with known-compromised credentials during the dwell period
- Network flow analysis to identify systems that communicated with known-infected systems during the spread window
- Endpoint detection alert correlation across all managed endpoints
- User reports and IT ticket review to identify systems that users have reported as inaccessible or showing unusual behavior
The scope assessment produces a definitive inventory of confirmed-infected, potentially-infected, and confirmed-clean systems that drives all subsequent recovery prioritization.

What Not to Do During Containment
Do Not Shut Down Infected Systems
Shutting down an infected system destroys the volatile memory content that contains forensic evidence including potential encryption keys, attacker tools, and authentication tokens.
Isolate infected systems from the network. Do not shut them down until a forensic memory capture has been completed and the incident response team has advised that shutdown is appropriate.
Do Not Wipe or Reimage Systems Immediately
The instinct to immediately reimage infected systems to restore them to a known-clean state is understandable but counterproductive during the containment phase.
Reimaging destroys forensic evidence, may occur before the full scope of infection is understood, and does not address the attacker’s persistent access to the environment through mechanisms that survive reimaging of individual systems.
Do Not Attempt to Decrypt or Restore Files Immediately
Attempting decryption or restoration before containment is complete and the attacker’s access has been eliminated consistently produces reinfection of restored systems.
Files and systems restored into an environment where the attacker maintains access are immediately available for re-encryption.
Do Not Communicate Using Potentially Compromised Channels
If the ransomware event affects email infrastructure, collaboration platforms, or communication systems, those channels cannot be trusted for incident response coordination.
Establish an out-of-band communication channel for the response team at the beginning of the incident.
Do Not Pay Without Completing Containment
Payment decisions made before containment is complete and the attacker’s access is addressed are made without the information needed to evaluate the decision correctly.
All payment decisions must follow:
- Completion of containment
- Scope assessment
- Backup availability assessment
- Legal review
Pre-Incident Preparation That Makes Fast Containment Possible
Containment speed is determined by preparation. Organizations that execute fast, effective containment in the first minutes of a ransomware event do so because decisions, documentation, and authority were established before the incident required them.
- Pre-authorized containment actions that do not require approval chain completion before execution
- Network architecture documentation that maps switch locations, port assignments, VLAN configurations, and management interface access
- Switch and network device management credentials stored securely outside the production environment
- Remote access infrastructure inventory identifying every VPN concentrator, RDG server, and remote monitoring tool
- Out-of-band communication channels established and tested before an incident
- Practiced containment procedures through tabletop exercises
Organizations strengthening operational resilience should also evaluate managed IT services, co-managed IT services, and business continuity planning.
Meet Our CEO, Matt Rosenthal
With more than 30 years of experience in business and technology leadership, Matt Rosenthal has guided organizations through ransomware containment and recovery across healthcare, finance, legal, manufacturing, and defense.
As President and CEO of Mindcore Technologies, Matt leads a team that specializes in building the incident response capability and network infrastructure that determines how fast and how effectively organizations contain ransomware before it reaches the systems where the most damage occurs.
Matt’s approach to containment preparation emphasizes the decisions that must be made before an incident:
- Pre-authorized actions
- Documented network architecture
- Accessible credentials
- Practiced procedures that execute under pressure
Frequently Asked Questions
How do you isolate a system that is still actively encrypting files?
Network disconnection takes priority over stopping the encryption process. Disconnecting the system from the network prevents spread to additional systems even while local encryption continues on the isolated machine.
Should we isolate systems that are suspected but not confirmed as infected?
Yes. The cost of isolating a system that turns out not to be infected is a brief operational disruption and a reconnection action. The cost of not isolating a system that is infected is additional encryption and further lateral movement.
How do we handle cloud systems and SaaS platforms during containment?
Cloud systems require containment actions appropriate to the cloud environment:
- Revoking access tokens
- Disabling user accounts with confirmed compromise
- Suspending affected cloud VMs
- Reviewing cloud storage for evidence of ransomware activity or exfiltration
What if the person with network switch access is unavailable during the incident?
This is a documented failure mode in organizations where network management access is concentrated in a single individual.
The resolution is pre-incident preparation:
- Multiple individuals with documented switch management access
- Credentials stored securely outside the production environment
- Step-by-step switch isolation procedures
Does containment eliminate the need for full forensic investigation?
No. Containment stops spread. Forensic investigation determines:
- The full scope of compromise
- The attack entry point
- The attacker’s persistence mechanisms
- The data that was potentially exfiltrated
Organizations improving post-incident resilience should also review managed security services and secure workspace architecture.
Build the Containment Capability That Limits Ransomware to What It First Touches
The difference between a ransomware incident that encrypts three endpoints and one that encrypts three hundred is almost always the speed and effectiveness of containment in the first fifteen minutes.
That difference is not determined by the sophistication of the attacker. It is determined by whether the response team had the authority, the documentation, and the practiced procedures to execute isolation before the spread reached the systems that matter most.
Mindcore’s cybersecurity services and managed IT services help organizations across healthcare, finance, legal, manufacturing, and defense build the containment infrastructure and incident response capability that limits ransomware damage from the first minute of detection.
If your organization has not established pre-authorized containment procedures, documented network architecture, and practiced isolation actions, contact Mindcore to build that capability before an incident requires it.
Source content adapted from uploaded file. :contentReference[oaicite:0]{index=0}

