The Encryption Event Is the Last Step, Not the First
Ransomware is the visible end of a chain of intrusion activity that begins long before a single file is encrypted. Operators gain initial access—often through phishing, a compromised account, or an exposed service—then spend time on reconnaissance, privilege escalation, credential theft, backup deletion, and lateral movement. Each of those stages produces telemetry. The organizations that survive ransomware without paying are the ones that detect and act on that early telemetry, not the ones that react to the ransom note.
Why Speed Is Everything
The median dwell time before encryption keeps shrinking—many intrusions now go from initial access to detonation in under 24 hours, and some automated strains encrypt a single host in minutes. Manual triage simply cannot keep pace. If a human has to read the alert, open a console, and decide what to do, the attacker has already won. Automated containment is the only response fast enough.
This ties directly into how attackers gain their foothold in the first place. For the identity side of the equation, see our guide on detecting and removing malicious inbox rules, a common precursor to the account compromise that leads to ransomware.
The Early Indicators: What to Watch Before Encryption
These are the pre-encryption behaviors that give you a containment window. Any one of them warrants investigation; several together is a high-confidence ransomware indicator that should trigger automated containment.
Shadow copy & backup deletion: vssadmin delete shadows, wbadmin delete catalog, or bcdedit recovery tampering—a near-certain precursor to encryption.
Security tooling tampering: EDR, antivirus, or logging services stopped, uninstalled, or excluded—attackers blinding defenses before detonation.
Reconnaissance activity: bursts of net, nltest, AdFind, or BloodHound mapping the domain.
Lateral movement: unexpected PsExec, WMI, or PowerShell remoting, and spikes in SMB connections or failed logons across multiple hosts.
Credential access: LSASS memory access, suspicious use of Mimikatz-style tooling, or a sudden burst of Kerberos ticket requests (Kerberoasting).
Suspicious new accounts: newly created admin accounts or accounts added to Domain Admins outside your change process.
DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ ("vssadmin.exe", "wmic.exe", "wbadmin.exe", "bcdedit.exe")
| where ProcessCommandLine has_any ("delete shadows", "delete catalog",
"shadowcopy delete", "recoveryenabled no", "ignoreallfailures")
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine
| sort by Timestamp descA hit on this query is one of the strongest pre-encryption signals that exists. It should not sit in a queue—it should trigger containment automatically.
The Automated Containment Actions
Once a high-confidence indicator fires, containment must execute in seconds—scoped to the affected host and account so the rest of the business keeps running. These are the actions, in order of priority.
Action 1
Isolate the Host at the EDR Level
Network isolation cuts all traffic to and from the infected host except the security agent's own management channel. This severs command-and-control and stops lateral movement instantly while preserving the machine for forensics—unlike a shutdown, which destroys memory evidence and can trigger encrypt-on-reboot behavior.
# Microsoft Defender for Endpoint - isolate device
POST https://api.securitycenter.microsoft.com/api/machines/{machineId}/isolate
Content-Type: application/json
{
"Comment": "Automated containment: ransomware indicators detected",
"IsolationType": "Full"
}Action 2
Disable the Account and Revoke Sessions
Isolating one host does not help if the attacker holds valid credentials they can use elsewhere. Disable the compromised account and revoke every active session and refresh token so stolen tokens are useless.
# Block sign-in
PATCH https://graph.microsoft.com/v1.0/users/{userId}
{ "accountEnabled": false }
# Revoke all active sessions and refresh tokens
POST https://graph.microsoft.com/v1.0/users/{userId}/revokeSignInSessionsAction 3
Block the Process, Hash, and C2 Infrastructure
Push the malicious file hash to your EDR block list so it cannot execute on any other endpoint, and add the command-and-control IPs and domains to your firewall and DNS block lists. This turns a single detection into org-wide protection against the same payload.
# Microsoft Defender - block file hash tenant-wide
POST https://api.securitycenter.microsoft.com/api/indicators
{
"indicatorValue": "{sha256Hash}",
"indicatorType": "FileSha256",
"action": "BlockAndRemediate",
"title": "Ransomware payload - automated block",
"severity": "High"
}Action 4
Preserve Evidence and Notify the Team
Before the dust settles, automatically collect an investigation package from the isolated host—running processes, network connections, and the relevant event logs—and post a full timeline to your incident channel. This gives responders everything they need to scope the blast radius without racing the clock, because containment has already bought them time.
Tiered Response: Automate Without Breaking the Business
The fear that stops teams from automating containment is over-reaction—isolating a CEO's laptop over a false positive. The answer is tiering by confidence, not avoiding automation.
High confidence → auto-contain
Shadow copy deletion plus mass file modification, or a known ransomware hash executing. Isolate the host and disable the account immediately, then notify.
Lower confidence → collect & alert
A single recon command or one failed-logon spike. Auto-collect evidence and page an analyst with the context pre-assembled, rather than isolating outright.
Scoping actions to the specific host and account—never the whole environment—means containment stays surgical. For more on balancing speed and safety, see our guide to safe Microsoft Graph API response actions.
How BitLyft AIR® Contains Ransomware Automatically
BitLyft AIR® watches for the pre-encryption indicators covered here—shadow copy deletion, security tooling tampering, credential access, and lateral movement—and correlates them across your EDR, identity, and SIEM telemetry in real time. When a high-confidence ransomware pattern emerges, it executes the full containment sequence automatically: isolating the host, disabling the account, revoking sessions, and blocking the payload tenant-wide in seconds.
Every action is scoped, reversible, and fully logged, so you get machine-speed containment without sacrificing the audit trail or risking a self-inflicted outage.
See Automated Containment in ActionFrequently Asked Questions
What are the earliest indicators of a ransomware attack?
The earliest ransomware indicators appear long before file encryption: newly created or unusual admin accounts, disabled or tampered security tooling, mass credential access, reconnaissance commands (net, nltest, AdFind), unexpected use of legitimate tools like PsExec or PowerShell remoting, shadow copy deletion via vssadmin, and spikes in failed logons or lateral SMB connections. Detecting these pre-encryption behaviors is what gives you the window to contain the attack before ransomware detonates.
How fast do you need to contain ransomware?
Very fast. Modern ransomware operators frequently move from initial access to full encryption in hours, and some automated strains encrypt an endpoint in minutes. Because human triage often takes longer than the attacker needs to spread, automated containment—isolating the host, disabling the compromised account, and revoking sessions within seconds of a high-confidence detection—is the only reliable way to stay ahead of the encryption event.
What automated containment actions stop ransomware from spreading?
The core automated containment actions are: isolate the affected host from the network at the EDR level, disable the compromised user and any attacker-created accounts, revoke all active sessions and refresh tokens, block the malicious process hash and command-and-control IPs, and quarantine any shares the account can reach. Executed together within seconds, these actions sever the attacker's ability to move laterally and encrypt additional systems.
Can you isolate a host without shutting it down?
Yes—and you should. Shutting down an infected host destroys volatile memory evidence and can trigger some ransomware to encrypt on reboot. Instead, use EDR network isolation (for example, Microsoft Defender's Isolate Device or CrowdStrike's Network Contain), which cuts all network communication except the security agent's own management channel. This stops lateral movement and C2 while preserving the host for forensic investigation.
Can ransomware containment be fully automated without breaking the business?
Yes, with tiered confidence. High-confidence detections—shadow copy deletion combined with mass file access, or a known ransomware hash executing—should trigger immediate automated isolation and account disablement. Lower-confidence signals can trigger automated evidence collection and analyst notification instead. A well-tuned automation platform scopes actions to the affected host and account, preserves evidence, and leaves the rest of the environment untouched, so containment does not become its own outage.