When we read that ransomware was “detected and contained,” it sounds almost boring. A threat showed up, the security tool did its job, and everything went back to normal.
But in reality, those few seconds are chaos.
Under the surface, the operating system, the endpoint agent, and the detection engine are all reacting in real time. Decisions are being made instantly. Processes are being killed. Files are being tracked. Networks may be cut off.
If you’re learning about SOC operations or endpoint security, understanding what actually happens during a ransomware event completely changes how you see EDR. It’s not just scanning files in the background. It’s deeply wired into the system, constantly watching how processes behave.
Let’s break down what really happens when ransomware hits a device.
The First Seconds of Execution
Ransomware is not subtle.
It doesn’t quietly modify one or two files. It moves fast. Very fast.
The moment it executes, it starts opening files in rapid succession. It reads their content, encrypts them, and writes the encrypted data back to disk. It may rename files, drop a ransom note, and attempt to delete backup copies , all within seconds.
To the user, everything might look normal at first. Then suddenly documents won’t open. File names look strange. Panic sets in.
To an EDR system, though, this behavior looks extremely abnormal.
And that’s where the real story begins.
How the EDR Knows Something Is Wrong
Modern EDR solutions don’t rely purely on signatures anymore. They focus on behavior.
An agent sits on the endpoint with high-level privileges inside the operating system. It can see process creation, file writes, memory behavior, registry changes, and network connections in real time.
When ransomware starts encrypting files, the EDR notices something unusual almost immediately.
One process suddenly begins modifying hundreds of files in a short time window. That’s not normal behavior for most legitimate applications.
Then there’s the data itself.
Encrypted data looks random. Security tools measure something called entropy ( basically a way to calculate how random data appears). When dozens or hundreds of files suddenly shift from structured document data to high-entropy randomness, that’s a strong encryption signal.
At the same time, the system looks at the process chain.
Maybe a user opened a document.
That document launched Word.
Word spawned PowerShell.
PowerShell executed another binary.
That binary began modifying files everywhere.
That parent-child relationship matters. Context matters. EDR doesn’t just see “files changing.” It sees how the chain of events unfolded.
When enough behavioral indicators line up, the system classifies the activity as ransomware.
And then it reacts.
Containment: Stopping the Damage
The first move is usually simple and aggressive: kill the process.
The EDR issues operating system–level commands to terminate the malicious process immediately. No negotiation. No delay.
In many environments, the system will also isolate the endpoint from the network. The infected device can no longer communicate with other machines. This prevents lateral movement and stops potential spread.
At this point, the attack is contained.
But containment doesn’t automatically mean recovery.
Some files may already be encrypted. So what happens next?
The Part Most People Don’t Realize: Rollback
Here’s what surprises many people.
Advanced EDR platforms aren’t just watching for threats. They’re also tracking changes continuously.
As files are modified, some solutions keep short-term records of their previous state. Others journal file operations or temporarily cache original content before it gets overwritten.
So when ransomware is detected, the EDR already knows:
- Which process made the changes
- Which files were modified
- In what order those changes happened
Because it has that history, it can attempt to reverse the damage.
Think of it like undoing a transaction log. The malicious process made changes. The EDR recorded them. Once the activity is confirmed as ransomware, the system can roll back those changes and restore the original versions.
On Windows systems, recovery may also use Shadow Copies if they still exist. But modern ransomware often tries to delete those early in the attack. That’s why behavioral rollback is such a powerful feature , it doesn’t rely entirely on backups.
Of course, speed is everything.
If detection happens quickly, only a handful of files may need restoration. If the ransomware runs for too long, thousands of files might already be encrypted. At that point, external backups may still be required.
Why Seconds Matter So Much
In a ransomware scenario, one second versus one minute is a massive difference.
Fast detection means minimal encryption and clean rollback.
Delayed detection means large-scale damage, longer recovery time, and possibly business disruption.
This is exactly why behavioral monitoring has become more important than traditional signature-based detection. By the time a signature catches up, the encryption may already be done.
What a SOC Analyst Sees
From a SOC perspective, the chaos gets translated into a clean timeline.
You can see when the suspicious process started.
You can see the spike in file modifications.
You can see the entropy increase.
You can see the exact moment the process was terminated.
You can see whether rollback succeeded.
But behind that tidy dashboard view is constant, low-level monitoring happening every second inside the operating system.
The EDR isn’t reacting blindly. It already understands what normal behavior looks like on that machine. It has context. It has history.
That’s what allows it to move so quickly.
