Kill Switch for Ransomware: Mitigating Threats Smartly and Instantly

Airgap Networks
4 min readFeb 24, 2021


When WannaCry struck, organizations worldwide feared they would be next until an unsuspecting hero appeared, sink-holing the worm with a kill switch[1]. Since then, security defenders beyond all sectors have been trying to devise their kill switch.


The term “kill switch” usually refers to a way to disconnect specific networks from the internet in the event of a grave attack, and traditionally it has only been applied in emergencies. They often are discovered by researchers after an attack has been identified, but they also can be built-in mechanisms.

In the setting of cyberthreats, though, a kill switch associates with stopping the attack itself instead of just stopping its effects while the attack is continuing, which many defenses focus on.

How Does the Ransomware Kill Switch Work?

The kill switch not only stops any external communications from the malware, it often stimulates the malware completely removing itself from any infected systems, terminating processes that are running, deleting any associated files, and even going to the measures of removing any incriminating system log entries. In one word, stopping its own effects.

The more immediate groups can detect the attack and activate the kill switch, if there is one that can be initiated, the less chance of significant damage from the attack. Even if attackers have developed an auto-destruction engine, security researchers typically only find them after an attack.

For defenders attempting to separate networks or support lateral client undesired communication, it’s a matter of designing control points that can be stimulated quickly and across a domain. The more challenging part is the discovery and confidence that a real attack is initiated to justify disrupting business.

Can the Kill Switch Be Applied to Prevent Cyberattacks?

For those organizations that are victims of an attack, the kill switch is reactive, and, in most cases, applying it can limit the degree of damage from an attack. In short, a kill switch does not deter an attack from occurring. Given that the kill switch would be extremely disruptive to most businesses and downright dangerous for important infrastructure systems, it’s unlikely that businesses would want this to be automatically triggered. On the other side, it’s the only and best way to avoid ransomware propagation, it’s the last resort but a real need.

If protectors can devise their kill switch to use once they know they are under attack, they can obstruct external communications as a first step to shutting down the attack.

What does Ransomware Kill Switch protect?

· By obstructing lateral propagation of the ransomware and ring-fencing all IP device communications, the Ransomware Kill Switch can protect all endpoints within an organization even when you are hit by malware campaign

· By blocking the entrance to windows file-share, AD, storage, and backup services, Ransomware Kill Switch guarantees the key resources are protected when an organization is under attack;

· By blocking access from the servers to mission-critical services such as ERP, CRM, etc., the Ransomware Kill Switch ensures that your employee and customer’s data is shielded.

Ransomware Kill Switch

Created on top of Zero Trust Isolation™ Software-as-a-Service (SaaS) platform, Airgap’s Ransomware Kill Switch™ decreases the propagation of ransomware on a network[2]. As soon as malware is identified, “1-Click” instantly stops all lateral traffic, separating and containing any ransomware to infected devices.

Additionally, Airgap proposes complete control of the Ransomware Kill Switch via APIs so that the IT organization can leverage existing tools such as SIEM, SOAR, and EDRs for active ransomware response.

Airgap’s patent-pending solution is the industry’s only solution that immediately locks down the entire network with a “1-click”. Augmenting existing security tools, Airgap’s Ransomware Kill Switch™ can be disposed on a network in minutes without any agents, forklift upgrades, or design modifications.

When activated, Ransomware Kill Switch stops lateral network-level communication within the protected VLANs, immediately stopping lateral ransomware propagation. Additionally, the Ransomware Kill Switch can instantly preserve an organization’s crown jewels such as backup, ERP, or domain controller with a click of a button.

About Airgap

Ransomware threats are growing rapidly. While there are a whole bunch of security companies that are trying to prevent ransomware from getting into your network, Airgap’s “Zero Trust Isolation Platform” protects your organization even if your perimeter is breached or if you have unpatched vulnerable servers inside your data center. Additionally, Airgap’s “Ransomware Kill Switch” is the most potent ransomware response for the IT organization. Airgap can be deployed in minutes without any agents, forklift upgrades, or design changes. The company is founded by highly experienced cybersecurity experts and the solution is trusted by large enterprises and service providers. For more details, check out






Airgap Networks

Zero Trust Isolation — The Best Defense Against Ransomware Propagation.