Stop Remote Ransomware Attacks with Falcon Endpoint Security

Ransomware is evolving fast – and remote encryption attacks outpace legacy defenses. CrowdStrike Falcon Prevent includes File System Containment, a feature that automatically blocks ransomware at the file access level, even when the attack originates from unmanaged systems.

Ransomware is a rapidly evolving threat, with attackers increasingly turning to remote techniques that target network shares. To help defend against these tactics, CrowdStrike Falcon® Prevent endpoint security includes a capability called File System Containment, which is precision-focused to block malicious file system actions over Windows Server Message Block (SMB) shares, halting encryption as soon as possible. Threat actors commonly abuse the SMB protocol to encrypt and exfiltrate data across network shares, bypassing traditional protections. These attacks often originate from unmanaged systems or involve compromised credentials, allowing adversaries to move laterally, encrypt sensitive data, and disrupt business operations without executing malicious code directly on a target device.

How Ransomware Uses SMB to Evade Detection

SMB-based ransomware attacks are difficult to stop because they often originate from systems where an endpoint detection and response (EDR) sensor has not been installed, giving adversaries a way to move undetected. Using stolen credentials, attackers can access network shares and trigger file encryption without delivering ransomware to the target endpoint.

Operating remotely, adversaries can delete backups and deploy additional payloads across the environment, accelerating impact while sidestepping process-based defenses. This technique creates a dangerous blind spot that many organizations struggle to monitor or contain.

CrowdStrike has observed these techniques across a wide range of ransomware operations in the wild. CrowdStrike research shows access to unmanaged systems was central to big game hunting (BGH) ransomware operations throughout 2024. Adversaries commonly exploit unmanaged internet-facing systems to gain initial access, then locate internal systems for staging, lateral movement, and remote encryption.

Adversaries such as PUNK SPIDER and WANDERING SPIDER have been observed accessing unmanaged systems to remotely encrypt files over SMB shares. In other cases, BGH adversaries dumped credentials from backup tools or staged additional tools for broader compromise. But when they targeted Falcon-protected systems, those same actions were immediately stopped.

These tactics are part of a broader shift. As adversaries increasingly rely on unmanaged infrastructure to evade detection, defenders need containment that works holistically, regardless of how or where the attack begins.

Stop the Spread with File System Containment

To combat this threat, Falcon Prevent includes remote ransomware prevention via File System Containment, which is designed to automatically block ransomware at the file access level, stopping destructive activity even if it originates from outside of your managed environment.

File System Containment is not enabled by default, so security teams retain full control over when it is turned on. Enabling it is as simple as checking a single box in the Falcon UI. Once active, Falcon Prevent will block malicious behaviors like mass encryption, suspicious file modifications, and backup deletions targeting SMB shares.

Figure 1. Enable File System Containment with one click in the Falcon console

When malicious activity is detected, the Falcon sensor acts immediately. It blocks destructive file system actions from the remote user, such as file writes, deletes, or modifications to network shares, without requiring network containment or broader interruption of account access.

This containment is enforced locally at the sensor level, without requiring cloud checks, to stop ransomware as quickly as possible. Internal testing shows containment can happen in under a second, minimizing the window for damage and keeping adversaries from completing their objectives. Following investigation and remediation, a Falcon analyst can restore file system access with one click.

Why SMB-Based Ransomware Requires a New Approach

Traditional defenses focus on blocking or killing malicious processes. But ransomware using SMB often operates remotely, leaving no process to kill. File System Containment closes this gap by acting on file access patterns rather than relying solely on execution-based endpoint detection.

This enables security teams to stop ransomware — even when it originates from unmanaged systems — block compromised accounts from taking destructive actions, and prevent lateral spread before it starts. It provides visibility and control to one of the most commonly exploited blind spots in modern ransomware attacks.
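To make the idea of acting on file access patterns rather than on a process concrete, here is an added illustration (not CrowdStrike's code and not how the Falcon sensor is implemented): a small replay of constructed SMB file-access audit records in which a remote source that destructively touches too many distinct files within a short window is marked contained, after which its further writes, renames and deletes are denied while reads still pass. The record format, thresholds and sample data are all assumptions made for this example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed tuning values for this example only.
WINDOW = timedelta(seconds=10)   # look-back window per remote source
MAX_DISTINCT_FILES = 5           # distinct files touched destructively before containment
DESTRUCTIVE = {"WRITE", "RENAME", "DELETE"}

def parse(line):
    """Parse one constructed audit line of the form 'ts|user|ip|share_path|op'."""
    ts, user, ip, path, op = line.split("|")
    return datetime.fromisoformat(ts), user, ip, path, op

def evaluate(lines, window=WINDOW, max_files=MAX_DISTINCT_FILES):
    """Replay audit lines in order and return (contained_sources, denied_events).

    A source is the (user, ip) pair performing the remote access. Once it has
    touched max_files distinct files with destructive operations inside the
    window, it is contained: that event and every later destructive event from
    it are denied. Non-destructive operations (e.g. READ) are never blocked.
    """
    recent = defaultdict(deque)   # source -> deque of (timestamp, path)
    contained, denied = set(), []
    for line in lines:
        ts, user, ip, path, op = parse(line)
        src = (user, ip)
        if op not in DESTRUCTIVE:
            continue
        if src not in contained:
            q = recent[src]
            q.append((ts, path))
            while q and ts - q[0][0] > window:   # drop events outside the window
                q.popleft()
            if len({p for _, p in q}) >= max_files:
                contained.add(src)
        if src in contained:
            denied.append((ts.isoformat(), user, ip, path, op))
    return contained, denied

# Constructed sample: a normal editing session and a burst of remote encryption-like activity.
SAMPLE_LINES = [
    r"2025-03-01T10:00:00|corp\jsmith|10.0.5.21|\\fs01\finance\q1.xlsx|WRITE",
    r"2025-03-01T10:00:30|corp\jsmith|10.0.5.21|\\fs01\finance\q1.xlsx|WRITE",
    r"2025-03-01T10:03:00|corp\jsmith|10.0.5.21|\\fs01\finance\notes.txt|WRITE",
    r"2025-03-01T10:05:00|corp\svc_backup|10.0.9.77|\\fs01\hr\a.docx|WRITE",
    r"2025-03-01T10:05:00|corp\svc_backup|10.0.9.77|\\fs01\hr\a.docx|RENAME",
    r"2025-03-01T10:05:01|corp\svc_backup|10.0.9.77|\\fs01\hr\b.docx|WRITE",
    r"2025-03-01T10:05:01|corp\svc_backup|10.0.9.77|\\fs01\hr\c.docx|WRITE",
    r"2025-03-01T10:05:02|corp\svc_backup|10.0.9.77|\\fs01\hr\d.docx|WRITE",
    r"2025-03-01T10:05:02|corp\svc_backup|10.0.9.77|\\fs01\hr\e.docx|WRITE",
    r"2025-03-01T10:05:03|corp\svc_backup|10.0.9.77|\\fs01\backups\full.bak|DELETE",
    r"2025-03-01T10:05:03|corp\svc_backup|10.0.9.77|\\fs01\hr\f.docx|READ",
]
```

Replaying `SAMPLE_LINES` contains only the `svc_backup` source: its fifth distinct file trips the threshold, so that write and the following backup deletion are denied, while the slow edits from `jsmith` are untouched.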

A Strategic Foundation for Future Containment

While today’s implementation of File System Containment is focused on halting ransomware over SMB, its underlying architecture reflects a broader evolution in endpoint defense on the Falcon platform. By enforcing surgical, behavior-based controls at the file access layer, this capability lays the groundwork for a new class of security interventions — ones that operate independently of where or how an attack originates. As adversaries continue to blur the lines between managed and unmanaged infrastructure, containment at the point of impact represents not just a tactical improvement but a strategic advantage for scaling precision defense across diverse use cases.

Bolster Defenses with Remote Ransomware Prevention

Remote ransomware prevention gives security teams precise, real-time control to stop ransomware that bypasses traditional detection. Falcon Prevent focuses on blocking destructive actions without suspending the entire user account, allowing security teams to reduce risk and neutralize threats while avoiding unnecessary business disruption. Enforced locally on the sensor, this containment feature is designed to shut down ransomware as quickly as possible, dramatically reducing potential impact. It's fast to enable, surgically targeted, and built to stop ransomware before it spreads.

A Falcon Prevent subscription is required. Requires Falcon sensor for Windows version 7.21 or higher; Windows 10 v1809 or higher (x86/x64/ARM64); Windows Server 2019 or higher.

Available across all CrowdStrike clouds. Console access requires the Falcon Administrator role. Falcon Complete customers can request File System Containment to be enabled on their behalf.