Why isolation is the first move
Modern ransomware is designed to spread. Once it lands on a single workstation through a phishing click or a compromised credential, it actively scans the network for shared drives, mapped folders, backup repositories, and other reachable machines. Within minutes, what started as one infected endpoint can become every endpoint in your environment.
Isolation is the only way to stop that spread. Every additional second the infected machine stays connected to your network, the attacker has more time to encrypt more data — and more opportunity to reach the systems you depend on for recovery.
Disconnect from the network — but do NOT shut down
This is the single most important distinction in the first minute. Disconnecting and shutting down sound similar but produce very different outcomes.
Disconnect the machine from your network. That means:
- Unplug the Ethernet cable, or
- Disable Wi-Fi on the device, or
- Remove the machine from the VLAN at the switch level if you have managed networking
Do NOT shut down or restart the machine. The infected machine's volatile memory (RAM) often holds critical forensic evidence: encryption keys, command-and-control communication details, process information, and active network connections. All of that disappears the moment the machine is powered off. Cybersecurity firms, your cyber insurance carrier, and law enforcement may all need that data to investigate the attack, recover encrypted files, or attribute the attack to a known threat group.
Shutting down also doesn't stop the ransomware — it just freezes the current state. When the machine comes back up, the encryption process resumes from where it left off.
Isolate every machine showing signs of infection
Ransomware rarely affects only one machine. If you see encryption activity, ransom notes, unusual file extensions, or unresponsive systems on one endpoint, assume the same has happened or is about to happen on others. Walk the floor or check your remote monitoring tool, and isolate every machine that shows any of these signs:
- Files appearing with unusual extensions (.locked, .crypt, .encrypted, random strings)
- Ransom notes appearing on the desktop or in folders (often as .txt or .html files)
- Inability to open files that were working an hour ago
- Unusually slow performance from a previously fast machine
- Antivirus or EDR alerts you didn't trigger
- Unexplained user lockouts or password failures
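As an added example (not part of this guide), here is a small Python triage script that turns the file-level indicators above into a check you can run against a mapped share or a suspect machine's user directories: it walks a directory tree, flags files carrying the listed extensions or random-looking ones, finds ransom-note file names, and counts how many files changed in the last hour. The indicator lists, the random-extension heuristic, the "isolate" threshold and the sample tree it builds are all assumptions chosen for illustration, not an authoritative signature set.

```python
"""Triage scan for the infection signs listed in the guide (added example)."""
import os
import re
import tempfile
import time
from dataclasses import dataclass, field
from typing import List, Optional

# Assumed indicator sets chosen for illustration; in practice feed these from
# current threat intelligence and your EDR's own detections.
SUSPICIOUS_EXTENSIONS = {".locked", ".crypt", ".crypted", ".encrypted", ".enc"}
# Ransom notes are usually .txt/.html files whose names advertise decryption.
RANSOM_NOTE_RE = re.compile(r"(decrypt|recover|restore|ransom).*\.(txt|html?)$",
                            re.IGNORECASE)


def looks_random_extension(ext: str) -> bool:
    """Heuristic (assumption): five or more alphanumerics mixing letters and
    digits, e.g. '.7xk9q2'. Real document types are shorter or letters-only."""
    body = ext[1:] if ext.startswith(".") else ext
    return (len(body) >= 5 and body.isalnum()
            and any(c.isdigit() for c in body) and any(c.isalpha() for c in body))


@dataclass
class TriageReport:
    host: str
    files_scanned: int = 0
    suspicious_ext: List[str] = field(default_factory=list)
    ransom_notes: List[str] = field(default_factory=list)
    recently_modified: int = 0

    @property
    def should_isolate(self) -> bool:
        # Any ransom note, or a cluster of renamed files, is enough to pull the cable.
        return bool(self.ransom_notes) or len(self.suspicious_ext) >= 3


def scan_tree(root: str, host: str = "unknown", recent_window_s: int = 3600,
              now: Optional[float] = None) -> TriageReport:
    """Walk root and collect the indicators; file contents are never opened."""
    now = time.time() if now is None else now
    report = TriageReport(host=host)
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            report.files_scanned += 1
            ext = os.path.splitext(name)[1].lower()
            if ext in SUSPICIOUS_EXTENSIONS or looks_random_extension(ext):
                report.suspicious_ext.append(path)
            if RANSOM_NOTE_RE.search(name):
                report.ransom_notes.append(path)
            try:
                if now - os.stat(path).st_mtime <= recent_window_s:
                    report.recently_modified += 1
            except OSError:
                pass  # file vanished mid-scan; encryption in progress does that
    return report


def build_sample_tree(root: str) -> None:
    """Constructed sample: three untouched documents with week-old timestamps,
    then a cluster of freshly renamed files and a ransom note in a share."""
    week_ago = time.time() - 7 * 86400
    for name in ("budget.xlsx", "notes.docx", "photo.jpg"):
        path = os.path.join(root, name)
        with open(path, "w") as fh:
            fh.write("ordinary content")
        os.utime(path, (week_ago, week_ago))
    share = os.path.join(root, "shared")
    os.makedirs(share)
    for name in ("q3_report.docx.locked", "invoice.pdf.crypt",
                 "plan.xlsx.7xk9q2", "HOW_TO_DECRYPT.txt"):
        with open(os.path.join(share, name), "w") as fh:
            fh.write("x")


def run_demo() -> TriageReport:
    """Build the constructed sample in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return scan_tree(root, host="WS-SAMPLE-01")


if __name__ == "__main__":
    r = run_demo()
    print(f"{r.host}: {r.files_scanned} files, {len(r.suspicious_ext)} renamed, "
          f"{len(r.ransom_notes)} notes, {r.recently_modified} changed in last hour "
          f"-> {'ISOLATE' if r.should_isolate else 'monitor'}")
```

Point `scan_tree` at a share root rather than the whole machine; the recent-modification count is the fastest signal when the extension list does not match, because encryption rewrites thousands of files in minutes while normal users do not.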
Pull the plug on file servers and shared infrastructure
File servers, NAS devices, and shared storage are high-value targets for ransomware operators because encrypting them affects everyone who uses them. If you suspect any infection has reached your servers, isolate them the same way — disconnect from the network, do not power down.
For environments with on-premises domain controllers, the goal is to preserve at least one clean DC. If your environment has multiple DCs, isolating a healthy one from the network can be the difference between a 48-hour rebuild and a 2-week one.
Disable VPN and remote access
If your environment supports remote workers, you almost certainly have VPN, RDP, or other remote access services exposed. During an active incident, disable these globally. Two reasons:
- Attackers frequently use VPN credentials they've already harvested to maintain persistence — disabling the service forces them out
- Remote users connecting in from home networks can re-infect your environment if their machines were the original compromise vector
This will be disruptive. It is also necessary. Communicate the outage clearly with leadership before doing it.
Protect your backups before the attack reaches them
Modern ransomware actively targets backup systems. Attackers know that if you can recover from clean backups, you don't have to pay. They specifically look for backup repositories, cloud sync targets, and connected storage and either encrypt them or delete them outright.
If your backup system is reachable from the production network, isolate it now. If your backups are stored on a NAS or file share that's still online, disconnect it. If you have cloud backups with admin credentials stored on a compromised machine, change those credentials immediately from a known-clean device. Immutable backups — copies that cannot be encrypted or deleted even by an attacker with admin credentials — are the gold standard, but only protect you if they're actually in place before the attack.
Step 1 checklist
- Disconnect every infected machine from the network — Ethernet unplugged or Wi-Fi disabled
- Do NOT power off any machine — preserve volatile memory for forensics
- Walk the environment and isolate any machine showing signs of infection
- Isolate file servers and shared storage if they may be affected
- Disable VPN, RDP, and other remote access services globally
- Isolate backup repositories and verify they're not yet encrypted
- Notify leadership that an incident is in progress — start the formal response process
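The backup section above and the checklist item "verify they're not yet encrypted" both come down to one question: does the data in the repository still look like backups, or does it look like ciphertext? As an added example (not code from this guide), the Python below samples the head of each file, measures Shannon entropy and zlib compressibility, and only treats a high-entropy, incompressible file as suspect when it also lacks a recognised container header, so legitimately compressed archives (gzip, zip, 7z) are not flagged. The signature table, thresholds and the constructed sample repository are assumptions; extend the table with your backup product's own container formats.

```python
"""Quick check for backup files that have already been encrypted (added example)."""
import gzip
import math
import os
import random
import tempfile
import zlib
from collections import Counter
from typing import Dict, List, Optional

# File-type signatures a healthy backup repository is expected to contain
# (assumed set; add your backup product's container formats).
MAGIC = {
    b"\x1f\x8b\x08": "gzip",
    b"PK\x03\x04": "zip",
    b"7z\xbc\xaf\x27\x1c": "7z",
    b"SQLite format 3\x00": "sqlite",
    b"%PDF": "pdf",
}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 8.0 means every byte value is equally likely (ciphertext-like)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def compression_ratio(data: bytes) -> float:
    """compressed size / original size; encrypted data does not shrink (about 1.0)."""
    if not data:
        return 1.0
    return len(zlib.compress(data, 6)) / len(data)


def identify_magic(data: bytes) -> Optional[str]:
    for sig, name in MAGIC.items():
        if data.startswith(sig):
            return name
    return None


def assess_file(path: str, sample_bytes: int = 65536, min_bytes: int = 1024,
                entropy_threshold: float = 7.9, ratio_threshold: float = 0.98) -> Dict:
    """Read only the first sample_bytes so a large repository can be checked fast."""
    with open(path, "rb") as fh:
        head = fh.read(sample_bytes)
    result = {"path": path, "magic": identify_magic(head),
              "entropy": shannon_entropy(head), "ratio": compression_ratio(head)}
    if len(head) < min_bytes:
        result["verdict"] = "too-small"      # entropy is meaningless on tiny samples
    elif result["magic"]:
        result["verdict"] = "ok"             # recognised container; high entropy expected
    elif result["entropy"] >= entropy_threshold and result["ratio"] >= ratio_threshold:
        result["verdict"] = "suspect"        # looks like ciphertext with no known header
    else:
        result["verdict"] = "ok"
    return result


def verify_backup_repo(root: str) -> List[Dict]:
    """Assess every file under root and return the ones that look encrypted."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            findings.append(assess_file(os.path.join(dirpath, name)))
    return [f for f in findings if f["verdict"] == "suspect"]


def build_sample_repo(root: str) -> None:
    """Constructed sample: a plain SQL dump, a gzip archive of it, and two files
    whose contents were replaced by random bytes (stand-in for ransomware
    output), one of which kept its original .zip name."""
    rng = random.Random(7)
    words = ["INSERT", "INTO", "orders", "VALUES", "customer", "2024", "total", ";"]
    text = " ".join(rng.choice(words) for _ in range(20000)).encode()
    with open(os.path.join(root, "db_dump.sql"), "wb") as fh:
        fh.write(text)
    with open(os.path.join(root, "docs.tar.gz"), "wb") as fh:
        fh.write(gzip.compress(text))
    with open(os.path.join(root, "db_dump.sql.locked"), "wb") as fh:
        fh.write(os.urandom(65536))
    with open(os.path.join(root, "archive.zip"), "wb") as fh:
        fh.write(os.urandom(65536))  # the name survived, the PK header did not


def run_demo() -> List[str]:
    """Build the constructed repository in a temp dir and return suspect names."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_repo(root)
        return sorted(os.path.basename(f["path"]) for f in verify_backup_repo(root))


if __name__ == "__main__":
    for name in run_demo():
        print("SUSPECT:", name)
```

Run it from a known-clean machine against a read-only mount of the repository; a backup that is itself encrypted at rest by the backup product will need its own entry in the signature table, otherwise every file it holds will be reported as suspect.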
What's next: Step 2 — Assess the scope of the attack
Once the immediate spread is contained, the next priority is understanding what was actually hit. You need to know which systems, which data, and which users are affected before you can make informed decisions about recovery, notification, or negotiation. That's covered in Step 2 of this guide.