Contain Ransomware Through Physical Path Severance
Ransomware relies on network reachability to spread, encrypt, and extort. When the paths it depends on are physically severed, lateral movement stops. Recovery assets remain beyond reach.
Key threats addressed
Ransomware is a network problem. Without paths between segments it cannot spread, and without a path to backups it cannot destroy the route to recovery. Firevault Control sits at every zone boundary and hardens recovery infrastructure behind physical disconnection, so a single intrusion cannot become an enterprise-wide encryption event.
Threat Response
If ransomware can reach your backups, you do not have backups. If it can traverse between network segments, containment is theoretical. Physical disconnection makes containment absolute.
73%: of ransomware attacks involve lateral movement across network segments
21 days: average dwell time before ransomware detonation
Zero: recovery assets reachable from network-connected infrastructure
Minutes: from detection to complete path severance across all zones
Ransomware exploits the connections organisations depend on.
Lateral Movement
Once inside the perimeter, ransomware traverses network segments through legitimate pathways, escalating privileges and encrypting systems faster than response teams can isolate them.
Backup Destruction
Modern ransomware specifically targets backup infrastructure. Network-connected recovery systems are encrypted alongside production data, eliminating the primary recovery mechanism.
Dwell Time Exploitation
Attackers spend weeks mapping the network before detonation, identifying backup schedules, disabling security tools, and positioning encryption payloads across every reachable system.
Pain points
- Flat networks let a single compromised endpoint encrypt every reachable system.
- Online immutable backups are still online and still reachable by the attacker.
- Detection windows are too short to relocate critical recovery infrastructure by hand.
- Insurers and regulators want continuous evidence of segmentation, not point-in-time snapshots.
The Scenario
Scenario: Ransomware Detonation in a Multi-Site Enterprise
A logistics company detects ransomware encryption beginning on a file server at 02:14 on a Saturday morning. The malware has been resident for 18 days, during which it mapped network shares, identified backup schedules, and deployed encryption payloads to 340 systems across four sites. The attackers disabled volume shadow copies and encrypted the backup server before detonating the primary payload. With Firevault Control, the Firebreak module severs all inter-site connectivity within 90 seconds of the SOC alert. Verified control-plane baselines held by the Archive module are not reachable from the production network, so the ransomware cannot touch them. By 06:00, the company is restoring from known-good copies while the encrypted segments remain physically isolated for forensic analysis.
"We had backups. We had immutable storage. We had network segmentation. The ransomware encrypted all of it because every system was reachable from every other system. Physical disconnection is the only thing that would have stopped it."
Where Control breaks the ransomware chain.
Ransomware operators rely on a predictable sequence: get in, get quiet, get everywhere, then encrypt. Firevault Control removes the network reachability each stage depends on, so the chain cannot complete even when individual hosts are compromised.
Mapped to MITRE ATT&CK Enterprise tactics TA0001 to TA0040, NCSC ransomware guidance and the CISA #StopRansomware playbook.
ST 01
Initial Access
TA0001
◤ Attacker
Lands on a user endpoint through phishing, an exposed remote service or a trusted third-party route, then waits for a callback.
◢ Control breaks it
Crown jewel systems sit behind a severed conduit. The initial foothold has no path to the assets that matter.
Modules: Firebreak, Isolate
ST 02
Persistence and Privilege Escalation
TA0003 / TA0004
◤ Attacker
Adds scheduled tasks, services and stolen credentials so the foothold survives reboots and is harder to evict.
◢ Control breaks it
Named, time-bound access is enforced for any administrative reach. Trust to the protected zone is revocable, not implicit.
Modules: Lock, Unlink, Validate
ST 03
Lateral Movement
TA0008
◤ Attacker
Walks the network with stolen credentials, abusing SMB, RDP and management tooling to reach the file servers and hypervisors.
◢ Control breaks it
Inter-zone paths exist only when explicitly opened, and only for the window required. No standing reachability to traverse.
Modules: Firebreak, Isolate, Relay
ST 04
Backup and Recovery Sabotage
TA0040
◤ Attacker
Deletes shadow copies, encrypts backup catalogues and disables recovery agents so the only way out is to pay.
◢ Control breaks it
Recovery copies are held in an offline vault that is not on the live network. The attacker cannot reach what is not reachable.
Modules: Archive, Transfer
ST 05
Detonation
TA0040
◤ Attacker
Triggers encryption across every reachable system, then drops the ransom note and starts the leak-site countdown.
◢ Control breaks it
The Firebreak module severs every governed conduit on alert. The blast radius stops at the last open boundary.
Modules: Firebreak, Execute, Validate
Outcome
Even if the attacker completes initial access, the chain stalls at the first severed conduit. Recovery copies remain intact in the offline vault, ready for a clean restore.
Key Capabilities
Sub-Minute Severance
Physical path disconnection across all network zones completes within 90 seconds of an authorised command, stopping lateral movement faster than any software-based containment.
Unreachable Control-Plane Baselines
Verified control-plane baselines held by the Archive module have no live network path to production. Ransomware cannot encrypt what it cannot reach.
Pre-Positioned Segmentation
Network segments are physically separated during normal operations, limiting the blast radius before an incident occurs.
Multi-Party Authorisation
Emergency severance and recovery operations require multiple authorised parties, preventing a single compromised account from interfering with the response.
Tamper-Proof Forensics
All network path changes, access events, and recovery operations are logged to physically disconnected storage that cannot be altered by the attacker.
Regulatory Evidence
Automated compliance logging provides the evidence required for ICO notification, NIS2 incident reporting, and cyber insurance claims.
Demo to Live
Adoption Guide
Lateral Movement Audit
Map every network path that ransomware could traverse between segments, identifying backup infrastructure reachability and inter-site connections.
Containment Architecture
Design physical segmentation zones with Firebreak points at every critical boundary and Archive positions for verified control-plane baselines.
Tabletop Exercise
Simulate a ransomware detonation scenario with physical path severance, testing response times, multi-party authorisation, and restoration from verified control-plane baselines.
Production Deployment
Deploy across all network zones with automated alerting integration, continuous compliance evidence generation, and scheduled recovery copy rotation.
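The Lateral Movement Audit step comes down to a reachability question over the segmentation policy: not just which zones are directly permitted to talk to backup infrastructure, but which can get there over several hops. The following is an added Python example (not Firevault code) that models zones and allowed flows as a directed graph, reports every zone from which the backup zone is reachable, and shows the effect of severing a chosen conduit; all zone names and flows are constructed sample data.

```python
"""Inter-zone reachability audit for backup infrastructure (added example)."""
from collections import deque

# Constructed segmentation policy: each entry is an allowed flow (source -> destination).
SAMPLE_FLOWS = [
    ("site-a-users", "site-a-servers"),
    ("site-a-servers", "mgmt"),
    ("site-b-users", "site-b-servers"),
    ("site-b-servers", "mgmt"),
    ("mgmt", "backup"),                    # backup agents are managed from the mgmt zone
    ("site-a-servers", "site-b-servers"),  # inter-site replication link
]

def build_graph(flows):
    """Adjacency sets keyed by zone; every zone appears even if it has no outbound flows."""
    graph = {}
    for src, dst in flows:
        graph.setdefault(src, set()).add(dst)
        graph.setdefault(dst, set())
    return graph

def path_to(graph, start, target):
    """Shortest hop sequence from start to target over allowed flows, or None if unreachable."""
    parent = {start: None}
    queue = deque([start])
    while queue:
        zone = queue.popleft()
        if zone == target:
            path = []
            while zone is not None:
                path.append(zone)
                zone = parent[zone]
            return path[::-1]
        for nxt in graph.get(zone, ()):
            if nxt not in parent:
                parent[nxt] = zone
                queue.append(nxt)
    return None

def zones_reaching(graph, target):
    """Every zone that can reach target, directly or transitively: the audit's key finding."""
    return sorted(z for z in graph if z != target and path_to(graph, z, target) is not None)

def sever(flows, conduits):
    """Return the policy with the given conduits removed, modelling a path severance."""
    return [f for f in flows if f not in set(conduits)]

if __name__ == "__main__":
    g = build_graph(SAMPLE_FLOWS)
    print("zones that can reach backup:", zones_reaching(g, "backup"))
    print("how site-a-users gets there:", path_to(g, "site-a-users", "backup"))
    print("after severing mgmt->backup:", zones_reaching(build_graph(sever(SAMPLE_FLOWS, [("mgmt", "backup")])), "backup"))
```

Note that severing only the inter-site link leaves backup reachable from both sites through the management zone; the conduit into the recovery zone itself is the one whose absence makes the vault unreachable.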