Why isolation is the single most critical first step
Ransomware doesn't encrypt one machine and stop. Modern ransomware operations, whether LockBit, BlackCat, Cl0p or any of dozens of other variants, are built to spread across your network as quickly as possible, frequently using your own administrative credentials and remote-management tools, and to encrypt as many systems as they can before anyone notices. Every connected machine is a potential target. Every shared drive is at risk. Every network-accessible backup is in danger.
The moment you suspect ransomware, your only job is to contain the spread. That means cutting the connection between infected machines and everything else: before you try to assess damage, before you call anyone, before you do anything else.
What to disconnect — and how
Affected workstations and servers
Physically unplug the ethernet cable from every machine you suspect is infected. Do not rely on disabling the network adapter through Windows: on a compromised machine the attacker controls the operating system, and a remote session, script or scheduled task can re-enable the adapter as soon as you walk away. Physical disconnection is the only method you can verify at a glance.
Also disable Wi-Fi on affected machines. Use the hardware Wi-Fi switch or pull the USB Wi-Fi adapter if the machine has one. Airplane mode is a second-best option for the same reason a software-disabled adapter is, but it is still better than leaving the radio on.
Do not shut down infected machines
This is counterintuitive but critical: do not shut down or restart infected machines. Ransomware often runs in memory before it writes anything to disk, and the encryption keys (for some families), command-and-control connections and other forensic artifacts that investigators need may exist only in volatile memory (RAM). A shutdown destroys that evidence permanently, and for some families it has destroyed the only copy of a key that responders could have recovered. Leave machines running but isolated. The one exception: if a machine cannot be disconnected from the network by any means (a remote or headless system you cannot physically reach, for example), powering it off is better than leaving it connected, because an active infection spreading to other hosts does more damage than lost volatile evidence. CISA's ransomware guidance takes the same position.
Isolate network segments
If you have network segmentation, isolate the affected segments at the switch level. Contact your MSP or network administrator to shut down the affected switch ports or disable the affected VLANs immediately, and block the segment at the firewall if you can. If you don't have segmentation, your priority is to identify and physically disconnect every machine that shows signs of infection.
Disconnect backup systems
If your backup storage (NAS, external drives, backup appliances) is network-connected, disconnect it immediately. Ransomware operators deliberately target backup systems to remove your ability to recover, and an attacker who still holds administrative credentials can delete or encrypt backups as easily as live data. If your backup is cloud-based, pause synchronization so encrypted files do not overwrite good versions, and contact your backup provider. Do not start restoring yet: anything restored onto a network the attacker still has access to will simply be encrypted again.
Signs a machine may be infected
- Files with unfamiliar extensions (e.g., .locked, .encrypted, .WNCRY), usually appended after the original name, so report.xlsx becomes report.xlsx.locked
- Ransom note files (typically named something like README or HOW_TO_DECRYPT, as .txt, .html or .hta files) appearing on the desktop or in every folder
- Unusual CPU or disk activity with no apparent cause
- Applications failing to open, or documents that open as unreadable garbage
- Pop-up windows demanding payment or displaying attacker communications
- Unusually slow system performance across multiple machines simultaneously
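The first two signs above (renamed files and ransom notes) can be checked without touching anything on disk. The following Python script is an added example for this article, not tooling from the original page or from Moore Technology Consulting: it walks a directory tree read-only and groups what it finds into three indicator types, adding a byte-entropy check for encrypted-looking content. The extension and note-name lists are illustrative assumptions, not an authoritative catalogue, and the sample tree it builds is constructed data, not a real incident. Run it from an already-isolated machine or against a mounted copy of a volume; it never writes to the scanned tree.

```python
"""Read-only triage of a directory tree for the ransomware indicators
listed above: renamed files, ransom notes and encrypted-looking content.

Added example for this article, not tooling from the original page.
The extension and note-name lists are illustrative assumptions, not an
authoritative catalogue; extend them with what your responders report.
"""
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Assumption: extensions appended by some common families (illustrative only).
SUSPICIOUS_EXTENSIONS = {".locked", ".encrypted", ".wncry", ".lockbit", ".crypt"}
# Assumption: fragments that commonly appear in ransom-note filenames.
RANSOM_NOTE_MARKERS = ("readme", "decrypt", "restore", "how_to", "recover")
NOTE_EXTENSIONS = {".txt", ".html", ".hta"}

ENTROPY_THRESHOLD = 7.5   # bits per byte; encrypted data sits close to 8.0
SAMPLE_BYTES = 64 * 1024  # read only the head of each file, never write
MIN_SAMPLE = 256          # too few bytes gives a meaningless entropy figure


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty data, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_like_ransom_note(path: Path) -> bool:
    """Name-based check: a text/HTML file whose name mentions decrypting etc."""
    name = path.name.lower()
    return path.suffix.lower() in NOTE_EXTENSIONS and any(
        marker in name for marker in RANSOM_NOTE_MARKERS)


def triage_directory(root, entropy_threshold=ENTROPY_THRESHOLD) -> dict:
    """Walk `root` read-only and group indicator hits by type.

    Nothing is modified or deleted: isolation first, remediation is for
    the responders. Unreadable files are skipped rather than failing the run.
    """
    hits = {"suspicious_extension": [], "ransom_note": [], "high_entropy": []}
    for dirpath, _dirs, filenames in os.walk(root):
        for filename in filenames:
            path = Path(dirpath) / filename
            if path.suffix.lower() in SUSPICIOUS_EXTENSIONS:
                hits["suspicious_extension"].append(str(path))
            if looks_like_ransom_note(path):
                hits["ransom_note"].append(str(path))
            try:
                with open(path, "rb") as fh:
                    sample = fh.read(SAMPLE_BYTES)
            except OSError:
                continue  # locked or permission denied: skip it
            if len(sample) >= MIN_SAMPLE and shannon_entropy(sample) >= entropy_threshold:
                hits["high_entropy"].append(str(path))
    return hits


def is_likely_infected(hits: dict, high_entropy_min: int = 20) -> bool:
    """Ransom notes and renamed files are strong signals on their own.
    Entropy alone is weak (archives, images and Office files are also
    high-entropy), so it only counts when it is widespread."""
    if hits["ransom_note"] or hits["suspicious_extension"]:
        return True
    return len(hits["high_entropy"]) >= high_entropy_min


def build_demo_tree(base) -> Path:
    """Constructed sample tree for the demo (not data from a real incident)."""
    base = Path(base)
    finance = base / "Finance"
    finance.mkdir(parents=True, exist_ok=True)
    # encrypted-looking content under an appended extension
    (finance / "Q3_report.xlsx.locked").write_bytes(os.urandom(4096))
    (finance / "README_TO_DECRYPT.txt").write_text("Your files are encrypted.\n")
    (finance / "notes.txt").write_text("ordinary meeting notes\n" * 50)
    hr = base / "HR"
    hr.mkdir(exist_ok=True)
    (hr / "handbook.pdf").write_bytes(b"%PDF-1.4\n" + b"A" * 2000)  # low entropy
    return base


def run_demo() -> dict:
    """Triage the constructed tree in a temp dir; return hits as base names."""
    with tempfile.TemporaryDirectory() as tmp:
        hits = triage_directory(build_demo_tree(tmp))
    return {kind: sorted(Path(p).name for p in paths) for kind, paths in hits.items()}


if __name__ == "__main__":
    result = run_demo()
    for kind, names in result.items():
        print(f"{kind}: {names}")
    print("likely infected:", is_likely_infected(result))
```

On the constructed tree the renamed spreadsheet is flagged both by extension and by entropy, the note by name, and the plain-text and PDF files by neither. Treat the entropy list as corroboration only: compressed formats score nearly as high as ciphertext, which is why the verdict function requires a note or a renamed file unless high-entropy hits are widespread.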
What to do after isolation
Once affected machines are isolated, do not attempt to remediate them yourself. Do not run antivirus scans, do not delete files, do not attempt to decrypt anything, and do not rename or clean up the ransom notes: responders use the note and a few encrypted samples to identify the strain and check whether a free decryptor exists. Your next steps are to assess the scope of the attack, preserve evidence, and get professional help involved.
Call your MSP or cybersecurity incident response team immediately. If you don't have one, Moore Technology Consulting has direct experience with ransomware recovery — call us at (646) 791-2137.
Quick Reference Checklist
- Unplug ethernet cables on all suspected infected machines
- Disable Wi-Fi on all suspected infected machines
- Do NOT shut down or restart infected machines (power off only if a machine cannot be disconnected from the network any other way)
- Isolate affected network segments if possible
- Disconnect or pause backup systems
- Alert your IT team or MSP immediately
- Document what you've done and when: which machines were disconnected, at what time, and by whom