“Isolate everything” sounds decisive until the affected network supports patient care, manufacturing, identity, communications, or the systems needed to recover. Waiting for certainty is equally dangerous: encryption can continue, privileged access can spread, and backup infrastructure can be damaged while the team debates scope.

Operating principle: Make the smallest action that materially reduces attacker capability, measure the result, and expand containment when the evidence requires it.

1. Define the containment objectives

Containment is not one action. The incident commander and technical leads should state which attacker capability each action is intended to remove:

  • Stop active encryption and destructive execution.
  • Interrupt lateral movement and remote administration.
  • Invalidate compromised human and machine identities.
  • Protect identity, virtualization, security-management, and backup control planes.
  • Preserve volatile and centralized evidence.
  • Maintain essential safety and business functions.

Every decision record should identify the affected scope, expected security benefit, operational impact, approver, assumptions, validation signal, and next review time.

2. Work the first four hours deliberately

These windows are prioritization guidance, not universal service-level targets. Active encryption, safety implications, or control-plane compromise can justify immediate escalation.

WINDOWTECHNICAL PRIORITIESDECISION OUTPUT
0–15 minValidate the signal in EDR and target-system logs; open the incident record; assign command; preserve UTC timestamps; identify the first affected host, user, and process tree.Confirmed incident, initial scope, authority to act
15–30 minIsolate confirmed hosts; disable or restrict affected identities; revoke active sessions; block known infrastructure; protect EDR, identity, virtualization, and backup consoles.Initial attacker capability reduced
30–60 minHunt remote execution and privileged authentication; identify encryption paths; restrict SMB, RDP, WinRM, WMI, SSH, VPN, and management channels according to observed behavior.Propagation paths mapped and segmented
1–4 hrAcquire priority evidence; rotate emergency credentials from clean systems; validate backup immutability; establish clean administration; prepare staged recovery and continuous hunting.Stable containment state with recovery options

3. Contain the blast radius, not just the endpoint

The visibly encrypted host is often the least important part of the architecture. Responders must determine whether the attacker can still operate through identity, administration, virtualization, network, or backup control planes.

Ransomware containment reference architecture separating workload, control, and recovery planes with attacker paths and containment choke points
REFERENCE ARCHITECTURE / BLAST RADIUS AND CONTAINMENT CHOKE POINTS

The numbered cuts are ordered by urgency, not organizational ownership: isolate active execution, revoke the authority behind it, protect recovery, segment propagation paths, then establish a clean recovery enclave.

4. Use the tools as control surfaces

CAPABILITYCONTROL SURFACESVALIDATION EVIDENCE
Endpoint containmentEDR isolation, host firewall, NAC, switch-port controlsEDR heartbeat retained; prohibited connections fail; no new malicious child processes
Identity containmentAD/IdP disablement, session revocation, conditional access, privileged-role restrictionAuthentication failures, token revocation, no new ticket or session issuance
Network segmentationFirewall, VLAN, NAC, VPN, DNS, proxy, egress controlsFlow logs and firewall denies match the intended cut
InvestigationSIEM, EDR telemetry, Sysmon, Windows Event Logs, Velociraptor, KAPE, osqueryCorrelated process, identity, network, and persistence timeline
Cloud and control planeCloud audit logs, sign-in telemetry, workload identity, virtualization administrationNo unauthorized control-plane changes or continuing privileged sessions
Backup protectionImmutability controls, vault isolation, administrative audit, credential separationRestore points intact; deletion paths blocked; clean administrators established

Console success messages are not proof of containment. Validate the effect in downstream telemetry and the target system. A host reported as isolated may retain management exceptions; a password reset may leave sessions, Kerberos tickets, OAuth grants, API keys, certificates, and service credentials active.

5. Preserve evidence according to volatility

Collect quickly when time and safety permit

  • Memory and active network connections
  • Process trees, loaded modules, and command execution
  • Logged-on sessions and token or ticket state
  • EDR live-response artifacts and volatile malware configuration
  • Active shares, remote sessions, and encryption handles

Protect centralized evidence

  • Identity provider and directory audit logs
  • SIEM and EDR event stores
  • Cloud and virtualization control-plane events
  • Firewall, DNS, proxy, VPN, and NAC telemetry
  • Backup-console and immutable-storage audit logs

Do not delay an urgent containment action merely to collect perfect evidence. Record what was lost, why the action was necessary, and which alternative evidence sources remain.

6. Measure whether containment worked

Do not declare containment because encryption appears to have stopped. Define an observation window and require multiple independent signals:

  • No newly encrypted or impacted hosts during the observation period.
  • No continuing malicious remote execution or lateral movement.
  • Compromised sessions, credentials, and delegated access are invalidated.
  • Administrative protocols and affected trust paths are restricted.
  • Backup systems are isolated, immutable, and independently administered.
  • EDR and centralized logging remain healthy across the contained scope.
  • Known persistence is removed or rendered unable to execute.
  • Responders have clean identities, workstations, and communication channels.
Reassessment rule: If a new affected host, privileged authentication, destructive event, or backup-control anomaly appears, reopen the containment decision and expand the cut.

7. Use technical recovery gates

Reconnection is a controlled change, not the end of isolation. Require evidence that:

  1. The initial access path and demonstrated propagation paths are addressed.
  2. Persistence is removed and high-risk identities are reset from trusted systems.
  3. Restoration sources and golden images are validated.
  4. Monitoring is active before network access is restored.
  5. Recovery occurs in stages: identity and management, core dependencies, critical applications, then broader user access.
  6. Rollback to isolation remains possible at every stage.
  7. The accountable business owner accepts documented residual risk.

Ransomware containment remains a business decision because every technical cut changes operational risk. A mature playbook makes that tradeoff explicit while giving responders the architecture, telemetry, authority, and verification criteria to act under pressure.