Ransomware in progress: Isolate infected machines now
Ransomware spreading? Cut the network cable first, then disable SMB and RDP. These three steps stop 90% of outbreaks cold.
Cause #1: The infected machine is still talking to the network
When ransomware hits, the first thing it does is scan for other computers. It uses SMB (port 445) and RDP (port 3389) to spread. If you leave the network cable plugged in, you're giving the malware a highway to every other machine in the building.
The fix: physically disconnect the infected computer from the network.
Here's exactly what to do:
- Pull the ethernet cable from the back of the PC. Don't just disable the network adapter in Windows—some ransomware can re-enable it. The physical disconnect is the only thing that's guaranteed to work.
- If it's a laptop with Wi-Fi, turn off the Wi-Fi switch. On most laptops there's a physical switch or a function key (Fn+F2, Fn+F12—check the keyboard icons). If you can't find it, hold the power button for 10 seconds to force shutdown. Yes, you'll lose unsaved work. Yes, that's better than losing the whole company's files.
- After disconnecting, check the network status. On a desktop with Windows 10 or 11, look at the taskbar icon. If you see a red X or a globe with no internet, you're good. If it still says "Ethernet connected," pull the cable again—you might have pulled the wrong one.
I've seen a tech pull the phone cable instead of the ethernet. The ransomware encrypted the file server while he was on hold with the ISP. Don't be that guy. Label your cables before you need them.
Cause #2: SMB is open — the ransomware's favorite door
Even after you unplug the infected machine, the ransomware on other machines might still be spreading. SMB (Server Message Block) is the protocol Windows uses to share files and printers. Ransomware like Ryuk, LockBit, and BlackCat uses SMB to jump from PC to PC without having to crack anything: it simply reuses the login credentials stolen from the first infected machine.
The fix: disable SMB on all uninfected machines immediately.
Run these steps on each uninfected machine, starting from a clean admin workstation (one that you're 100% sure isn't infected):
- Open Windows PowerShell as Administrator. Right-click the Start button and pick "Windows PowerShell (Admin)."
- Run this command to check if SMB is enabled on the current machine:

```powershell
Get-SmbServerConfiguration | Select EnableSMB1Protocol, EnableSMB2Protocol
```

  If it shows True for either one, SMB is enabled and needs to be turned off.
- Disable SMB2 and SMB3 (the versions modern ransomware uses):

```powershell
Set-SmbServerConfiguration -EnableSMB2Protocol $false -Force
```

  Then disable SMB1 (which is already off on most modern systems, but double-check):

```powershell
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
```

- After you run those commands, you'll see no confirmation message—that's normal. Check your work by running the Get-SmbServerConfiguration command again. Both should show False.
- Reboot the machine. The change won't fully take effect until the system restarts. Yes, you have to reboot. No, you can't skip it—I've seen ransomware still spread because a tech didn't reboot.
Important side effect: Disabling SMB breaks file sharing and printer sharing. Users won't be able to access network drives from that machine. That's exactly what you want during an outbreak—stop all file traffic so the ransomware can't ride it. After you've cleaned the infection, you can re-enable SMB with Set-SmbServerConfiguration -EnableSMB2Protocol $true -Force and reboot again.
Cause #3: RDP is open and exposed
If your network has Remote Desktop Protocol (RDP) enabled on any machine, ransomware groups scan the entire internet for open RDP ports. Once they find one, they brute-force the password or buy stolen credentials on the dark web. When they get in, they don't just encrypt that one machine—they use RDP to jump to others inside your network.
The fix: disable RDP on every machine that doesn't absolutely need it.
From a clean machine, disable RDP on all workstations and non-critical servers:
- Open System Properties. Press Windows key + R, type sysdm.cpl, and hit Enter.
- Go to the Remote tab.
- Under "Remote Desktop," select "Don't allow remote connections to this computer".
- Click Apply, then OK. After clicking Apply you'll see the radio button stay on the "Don't allow" option—that's your confirmation.
- If you need RDP for IT support (and you probably do), set up a VPN first. Only allow RDP connections from inside the VPN. This keeps the ransomware from finding an open RDP port from outside.
For servers that must have RDP enabled (like a terminal server), restrict access to specific IP addresses:
- Open Windows Defender Firewall with Advanced Security.
- Click Inbound Rules, then find the rule named "Remote Desktop (TCP-In)".
- Right-click it, choose Properties, go to the Scope tab.
- Under "Remote IP address," select "These IP addresses", then click Add. Enter the IP addresses of your admin workstations only.
- Click OK, then Apply.
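The SMB shutdown (Cause #2) and the RDP deny/restrict steps (Cause #3) collected into one script, as an added example that is not from the original article. It assumes the SmbShare and NetSecurity PowerShell modules that ship with Windows 10/11 and current Windows Server; the admin workstation IPs you pass in are placeholders.

```powershell
#Requires -RunAsAdministrator
# Added example, not the article's own code. Assumes the SmbShare and
# NetSecurity modules are present (Windows 10/11, Windows Server 2012 R2+).

function Get-OutbreakExposure {
    # Snapshot of the two doors the article describes: SMB server and RDP.
    $smb = Get-SmbServerConfiguration
    $ts  = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $rdpRules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        SMB1Enabled     = $smb.EnableSMB1Protocol
        SMB2Enabled     = $smb.EnableSMB2Protocol    # covers SMB3 as well
        RDPDenied       = ($ts.fDenyTSConnections -eq 1)
        RDPRulesEnabled = @($rdpRules | Where-Object Enabled -eq 'True').Count
    }
}

function Invoke-OutbreakLockdown {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Hosts that may still reach this machine over RDP after lockdown.
        # Empty list = deny RDP entirely (workstations, non-critical servers).
        [string[]]$AdminWorkstationIPs = @()
    )
    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Disable SMB1 and SMB2/3 server')) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -EnableSMB2Protocol $false -Force
        # The SMB change needs a reboot; block inbound 445 at the host firewall meanwhile.
        New-NetFirewallRule -DisplayName 'Outbreak: block inbound SMB' -Direction Inbound `
            -Protocol TCP -LocalPort 445 -Action Block -Profile Any | Out-Null
    }
    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Deny or restrict RDP')) {
        if ($AdminWorkstationIPs.Count -eq 0) {
            # Same effect as "Don't allow remote connections" in sysdm.cpl.
            Set-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' `
                -Name fDenyTSConnections -Value 1
            Disable-NetFirewallRule -DisplayGroup 'Remote Desktop'
        } else {
            # Terminal-server case: keep RDP up, scoped to the listed admin hosts only
            # (the Scope tab change from the article, applied to the whole rule group).
            Set-NetFirewallRule -DisplayGroup 'Remote Desktop' -RemoteAddress $AdminWorkstationIPs
        }
    }
    Get-OutbreakExposure   # before/after comparison for your incident notes
}

# Placeholder IPs; pass nothing to deny RDP outright on a workstation.
Invoke-OutbreakLockdown -AdminWorkstationIPs '10.0.0.5','10.0.0.6' -WhatIf
```

Run it with -WhatIf first to see what it would change on that host, then without, and reboot as the article says. When cleanup is done, re-enable SMB with the command from the section above and remove the temporary block rule by its display name.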
Quick-reference summary
| Step | Action | Applies to | Expected outcome |
|---|---|---|---|
| 1 | Pull the ethernet cable | Infected machine | PC shows no network connection |
| 2 | Disable SMB via PowerShell | All uninfected machines | Get-SmbServerConfiguration shows both protocols = False |
| 3 | Disable RDP in System Properties | All machines (except critical servers) | Remote tab shows "Don't allow remote connections" |
| 4 | Reboot each machine after disabling SMB | Machines where SMB was disabled | No file sharing available — this is correct |
These three steps—pull the cable, kill SMB, block RDP—have stopped every ransomware outbreak I've handled in the last five years. Do them in this order. Don't overthink it. The malware doesn't wait for you to finish reading a KB article.