When you see clear signs that ransomware is spreading inside your network (multiple machines encrypting files, ransom notes appearing, abnormal process chains involving wmic/psexec/PowerShell/rundll32), the decision of “pull the cable now” versus “trust EDR to contain it” becomes one of the most time-sensitive calls you will ever make.
Here is the practical, battle-tested decision framework used by incident responders in 2025–2026:
Immediate Red Flags That Usually Justify Pulling the Cable (Physical or Logical Isolation)
1. Multiple simultaneous encryption events: more than 2–3 machines showing .lockbit / .encrypted extensions or ransom notes at the same time → spread is already active. Pull the cable (or apply VLAN segmentation) on affected subnets immediately.
2. Discovery of living-off-the-land lateral movement: logs or EDR showing psexec / wmic / schtasks / PowerShell remoting / WMI event filters being created on multiple hosts → the attacker is inside the domain. EDR containment is too slow; isolate affected segments.
3. Credential dumping confirmed: Mimikatz, procdump, lsass.dmp files, or Event ID 4688/4104 entries indicating credential access → the attacker may hold a domain admin or higher-level hash. Pulling the cable buys time to rotate credentials.
4. EDR agent tampering or missing heartbeats: CrowdStrike/SentinelOne/Defender agents disabled, uninstalled, or not reporting on several machines → the attacker is evading your primary containment layer. Physical/logical isolation is the only safe move.
5. Critical environment (healthcare, OT, finance, manufacturing): if lives, patient safety, physical safety, or regulatory fines are on the line → isolate first, ask questions later.
When You Can (Usually) Rely on EDR Containment Instead
1. Single patient zero, no lateral movement yet: one workstation shows encryption, but EDR telemetry shows no psexec/wmic/RDP/SMB activity to other hosts → quarantine the endpoint via EDR, snapshot memory/disk, contain network access → monitor closely.
2. Strong EDR + rapid response team on-site: you have mature EDR (CrowdStrike, SentinelOne, Microsoft Defender for Endpoint) with automatic isolation rules, memory forensics enabled, and responders who can act in <15 minutes → let EDR auto-contain → investigate root cause → pull the cable only if lateral movement appears.
3. Very low business impact of short-term isolation: the affected VLAN/subnet has no critical production systems → isolating it causes minimal disruption → do it early to be safe.
Practical Decision Tree (Used in Many IR Playbooks)
Is ransomware encrypting files on >2 machines right now?
├── Yes → PULL THE CABLE / VLAN ISOLATION NOW
│   └── Then: snapshot memory on affected hosts, notify leadership, start forensic imaging
└── No
    Is there confirmed credential dumping (Mimikatz, procdump, lsass access)?
    ├── Yes → PULL THE CABLE / VLAN ISOLATION NOW
    └── No
        Are EDR agents missing/disabled on any affected hosts?
        ├── Yes → PULL THE CABLE / VLAN ISOLATION NOW
        └── No
            Can EDR auto-contain + IR team respond in <15 min?
            ├── Yes → Rely on EDR containment → monitor aggressively
            └── No → PULL THE CABLE / VLAN ISOLATION NOW
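The red-flag list, the EDR-reliance conditions and the decision tree above can be turned into a small triage script that derives the indicators from telemetry and then walks the tree in the same order. The following is an added example written for this page, not code from any IR playbook or EDR vendor: the pipe-delimited event format, the host names and the sample events are constructed, and the regexes for living-off-the-land tooling and credential dumping are deliberately simplified illustrations rather than production detection content. It applies the tree's thresholds (>2 encrypting hosts, any credential dumping, any EDR agent gap, EDR auto-containment with IR response under 15 minutes) and adds red flags 2 and 5 (lateral movement on multiple hosts, critical environment), which the list names but the tree does not.

```python
"""Ransomware containment triage: indicators from sample telemetry, then the
page's decision tree. Added example with constructed data; not vendor code."""
import re
from dataclasses import dataclass, field

# Ransom-note extensions named on the page.
RANSOM_EXTS = {".lockbit", ".encrypted"}

# Simplified, hypothetical patterns for LOLBin lateral movement and credential
# access, matched against 4688 process command lines.
LATERAL_PATTERNS = [
    re.compile(r"psexec", re.I),
    re.compile(r"wmic(\.exe)?\s+/node:", re.I),
    re.compile(r"schtasks(\.exe)?\s+/s\s", re.I),
    re.compile(r"invoke-command|enter-pssession|winrs", re.I),
]
CRED_DUMP_PATTERNS = [
    re.compile(r"mimikatz", re.I),
    re.compile(r"procdump.*lsass", re.I),
    re.compile(r"lsass\.dmp", re.I),
]

# Constructed telemetry, one record per line: time|host|source|detail.
# Source is either "edr" (agent telemetry) or a Windows event ID.
SAMPLE_EVENTS = """\
10:00:01|WS-017|edr|file_rename ext=.lockbit count=412
10:00:05|WS-017|edr|ransom_note path=C:\\Users\\Public\\README.txt
10:01:10|WS-017|4688|C:\\Windows\\System32\\wbem\\WMIC.exe /node:WS-022 process call create cmd.exe
10:01:30|WS-022|4688|C:\\PSTools\\PsExec.exe \\\\WS-031 -s cmd.exe
10:02:00|WS-022|edr|file_rename ext=.lockbit count=97
10:02:40|WS-031|4688|procdump.exe -ma lsass.exe lsass.dmp
10:03:00|WS-031|edr|heartbeat_missing minutes=12
"""

# Constructed single-patient-zero scenario: one host, no lateral movement.
PATIENT_ZERO_EVENTS = """\
09:30:00|WS-017|edr|file_rename ext=.encrypted count=58
09:30:04|WS-017|edr|ransom_note path=C:\\Users\\Public\\README.txt
"""


@dataclass
class Indicators:
    encrypting: set = field(default_factory=set)   # hosts with active encryption
    lateral: set = field(default_factory=set)      # hosts running LOLBin lateral movement
    cred_dump: set = field(default_factory=set)    # hosts with credential-dump evidence
    edr_missing: set = field(default_factory=set)  # hosts with no working EDR agent

    @property
    def affected(self):
        return self.encrypting | self.lateral | self.cred_dump | self.edr_missing


@dataclass
class Capability:
    edr_auto_contain: bool        # automatic isolation rules in place
    ir_response_minutes: int      # realistic time for responders to act
    critical_environment: bool = False  # healthcare / OT / finance / manufacturing


def parse_events(text):
    """Reduce raw event lines to per-category host sets."""
    ind = Indicators()
    for line in text.strip().splitlines():
        _ts, host, source, detail = line.split("|", 3)
        if source == "edr":
            if detail.startswith("ransom_note"):
                ind.encrypting.add(host)
            elif detail.startswith("file_rename"):
                m = re.search(r"ext=(\S+)", detail)
                if m and m.group(1).lower() in RANSOM_EXTS:
                    ind.encrypting.add(host)
            elif detail.startswith(("heartbeat_missing", "agent_disabled")):
                ind.edr_missing.add(host)
        elif source == "4688":
            if any(p.search(detail) for p in LATERAL_PATTERNS):
                ind.lateral.add(host)
            if any(p.search(detail) for p in CRED_DUMP_PATTERNS):
                ind.cred_dump.add(host)
    return ind


def decide(ind, cap):
    """Walk the decision tree; returns (action, reasons) where action is
    'ISOLATE' (pull the cable / VLAN isolation) or 'EDR_CONTAIN'."""
    reasons = []
    if len(ind.encrypting) > 2:
        reasons.append(f"encryption active on {len(ind.encrypting)} hosts")
    if len(ind.lateral) > 1:
        reasons.append(f"LOLBin lateral movement on {sorted(ind.lateral)}")
    if ind.cred_dump:
        reasons.append(f"credential dumping on {sorted(ind.cred_dump)}")
    if ind.edr_missing:
        reasons.append(f"EDR agent missing/disabled on {sorted(ind.edr_missing)}")
    if cap.critical_environment and ind.affected:
        reasons.append("critical environment: isolate first, ask questions later")
    if reasons:
        return "ISOLATE", reasons
    if cap.edr_auto_contain and cap.ir_response_minutes < 15:
        return "EDR_CONTAIN", ["single foothold, EDR auto-containment, IR response under 15 min"]
    return "ISOLATE", ["EDR cannot auto-contain or IR response is 15 min or slower"]


if __name__ == "__main__":
    for name, events in (("spreading", SAMPLE_EVENTS), ("patient zero", PATIENT_ZERO_EVENTS)):
        action, why = decide(parse_events(events), Capability(True, 8))
        print(f"{name}: {action}; " + "; ".join(why))
```

On the spreading sample the script isolates for three independent reasons (lateral movement on two hosts, procdump against lsass, a silent agent), even though only two hosts are encrypting and the first tree question alone would not trigger. On the patient-zero sample it defers to EDR only while auto-containment and a sub-15-minute response are both true; flipping either, or marking the environment critical, returns the decision to isolation, which is exactly the asymmetry the framework is built around.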
Real-World Outcomes from Recent Cases
1. Hospital group (2025): ransomware started on one workstation → EDR did not auto-isolate fast enough → spread to 14 machines in 45 minutes → patient record access lost mid-shift → the cable should have been pulled at the first encryption event.
2. Manufacturing firm (2026): single endpoint encrypted → EDR quarantined it within 8 minutes → no lateral movement → contained without network isolation → good outcome.
3. Financial services company (2025): credential dumping detected → the team pulled the cable on the affected VLAN → the attacker could not pivot → only one department encrypted → recovered in days.
When in doubt, especially in healthcare, OT, finance, or any environment where downtime is measured in human impact, pull the cable early. EDR is powerful but not instantaneous, and ransomware spreads exponentially once it has domain creds or admin hashes.
You can always bring the network back up after containment and forensics. You cannot bring back encrypted patient records or production lines that were lost while waiting for containment.
Rule of thumb used by many IR teams in 2026: if you see encryption on >1 machine, credential dumping, or EDR tampering → isolate first, ask questions later.