Tracking remote ransomware attacks at their source

When ransomware strikes, many are watching it happen through the wrong lens.

ThreatDown

February 2025 marked a grim milestone: 1,000 known ransomware attacks in a single month, the worst on record. Behind that number sits a technical reality that IT teams don’t see coming. When ransomware strikes, many are watching it happen through the wrong lens.

The missing insight? EDR solutions show you the victim of the encryption, not the attacker. That difference matters when seconds count.

The blind spot that can cost millions

A DFIR Report investigation documents how this plays out in real attacks. BlackCat operators compromised an organization through a Nitrogen malware campaign, then used PsExec to remotely execute ransomware across network systems. Security teams saw encryption activity on victim endpoints, but the attack was being orchestrated remotely from a different machine.

This is exactly the attribution gap that delays containment. When ransomware encrypts files over network shares, the victim endpoint’s logs record the activity as if it were initiated on that machine. In reality, the encryption is being triggered remotely from another system on the network. IT teams see symptoms on dozens of endpoints without realizing that a single infected host is causing the damage.

CISA’s 2025 advisory on Play ransomware highlighted PsExec and other legitimate tools used “to assist with lateral movement and file execution.” This “living off the land” approach leverages the same administrative tools IT teams use every day. Attackers abuse them to move laterally through networks and remotely encrypt files across SMB shares. 

Traditional EDR captures the file modifications on victim machines but misses the critical detail: which system initiated the attack. Without that attribution, security teams can’t isolate the source, stop the spread, or understand the full scope of compromise.

ThreatDown EDR closes this gap with network ransomware rollback.

Network ransomware rollback

ThreatDown EDR’s network ransomware rollback fills this detection gap with four specific data points:

  1. IP address and hostname of the attacking endpoint reveal the source machine initiating remote encryption.
  2. Remote port used in the connection enables security teams to identify the exact network session and potentially spot command-and-control (C&C) channels.
  3. Remote user ID and username show which compromised account the attackers used to authenticate across network shares.

ThreatDown captures these details in file activity logs, the same audit trail that tracks how files are accessed, modified, or encrypted across the system. And ThreatDown network ransomware rollback enriches those logs with the network-layer context that other endpoint monitoring doesn’t record.

The technical implementation matters here. When a remote system accesses files over SMB, the Windows kernel on the victim machine handles the I/O operations. Standard EDR sees kernel-mode activity. ThreatDown’s network ransomware rollback intercepts and logs the network authentication and connection metadata before the kernel processes the file operations. That’s the mechanism that reveals the true attack source.
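As an added example (not ThreatDown's code or its log format), the Python below groups hypothetical file-activity records that carry the remote session metadata listed above by their source rather than by the victim endpoint, which is the attribution the preceding paragraphs describe. The record layout, field names, extensions and sample values are all constructed for this example.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Hypothetical pipe-delimited file-activity record enriched with remote session
# metadata; the layout is an assumption for this example, not a vendor format.
@dataclass(frozen=True)
class FileEvent:
    ts: datetime
    victim: str     # endpoint whose kernel performed the SMB write
    src_ip: str     # remote endpoint that opened the session
    src_host: str
    src_port: int   # client port of the SMB session
    user: str       # account used to authenticate to the share
    path: str
    action: str     # "write" or "rename"

def parse_line(line: str) -> FileEvent:
    ts, victim, ip, host, port, user, path, action = line.strip().split("|")
    return FileEvent(datetime.fromisoformat(ts), victim, ip, host, int(port), user, path, action)

RANSOM_EXTS = (".locked", ".encrypted")  # constructed sample extensions
def attribute_sources(lines, window=timedelta(minutes=5), min_files=3, min_victims=2):
    """Return {(src_ip, src_host, user): sorted victims} for every remote source
    that renamed >= min_files files to a ransom extension across >= min_victims
    endpoints inside one `window`. Grouping by source, not victim, is the point:
    the same remote host shows up behind every encrypted endpoint."""
    events = sorted((parse_line(l) for l in lines if l.strip()), key=lambda e: e.ts)
    recent, flagged = defaultdict(deque), {}
    for e in events:
        if e.action != "rename" or not e.path.lower().endswith(RANSOM_EXTS):
            continue
        key = (e.src_ip, e.src_host, e.user)
        q = recent[key]
        q.append(e)
        while e.ts - q[0].ts > window:   # sliding window per source
            q.popleft()
        victims = {x.victim for x in q}
        if len(q) >= min_files and len(victims) >= min_victims:
            flagged[key] = sorted(victims)
    return flagged

SAMPLE_LOG = """\
2025-03-02T03:01:10|SRV-FILE01|10.0.0.5|WS-FIN-12|49731|CORP\\jdoe|\\\\SRV-FILE01\\finance\\q1.xlsx.locked|rename
2025-03-02T03:01:12|SRV-FILE01|10.0.0.5|WS-FIN-12|49731|CORP\\jdoe|\\\\SRV-FILE01\\finance\\q2.xlsx.locked|rename
2025-03-02T03:01:40|SRV-FILE02|10.0.0.5|WS-FIN-12|49802|CORP\\jdoe|\\\\SRV-FILE02\\hr\\payroll.docx.locked|rename
2025-03-02T03:02:05|SRV-FILE02|10.0.0.5|WS-FIN-12|49802|CORP\\jdoe|\\\\SRV-FILE02\\hr\\benefits.pdf.locked|rename
2025-03-02T03:11:00|SRV-FILE01|10.0.0.9|WS-HR-03|50211|CORP\\asmith|\\\\SRV-FILE01\\hr\\memo.docx.locked|rename
"""
```

Running `attribute_sources(SAMPLE_LOG.splitlines())` flags only WS-FIN-12 (10.0.0.5, CORP\jdoe) with both file servers as victims; the single rename from WS-HR-03 stays below the threshold, so the isolation target is the source workstation, not the two servers showing the encryption.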

From detection to recovery

The real power of ThreatDown’s network ransomware rollback is in how it transforms the entire response process. ThreatDown EDR reveals where an attack was initiated and provides a direct path to recover impacted systems. By integrating network-layer visibility with endpoint rollback, ThreatDown bridges the gap between detection and recovery, so teams can contain faster, restore smarter, and maintain business continuity even when backups fail.

ThreatDown’s network ransomware rollback delivers operational impact in three areas:

Faster root-cause analysis 

Security teams immediately identify which endpoint launched the attack, and don’t waste hours correlating logs across 50 infected machines trying to find patient zero. ThreatDown’s file activity logs show you the source IP and hostname in the first alert.

Targeted containment

Isolate the attacking machine from the network, not just the victims showing encryption activity. This stops the spread before the attacker pivots to additional shares or systems. ThreatDown’s 2025 State of Ransomware Report highlights that attackers exploit “blind spots” like unknown computers, under-protected endpoints, and ESXi hypervisors without EDR. ThreatDown’s network ransomware rollback makes those blind spots visible when they start attacking other systems.

Rapid recovery

ThreatDown turns detection into resilience. Its rollback capability maintains a seven-day cache of file states for data modified through remote access. When you identify the attacking source, you can restore files that were encrypted or modified by that specific remote system, without relying on Windows vssadmin, which attackers routinely disable or delete.

This capability matters because traditional backup strategies often fail under real attack conditions. ThreatDown research shows that an increasing number of organizations lack reliable or accessible backups during ransomware incidents. Attackers frequently target backup servers and repositories to increase leverage. Network ransomware rollback gives defenders a self-contained recovery layer that remains intact even when external backup systems are wiped or encrypted.

Why this matters now

Ransomware attacks increased 25% year-over-year from July 2024 to June 2025, while the number of active groups doubled in just three years, surpassing 60 for the first time. Once dominated by a few major players, the landscape has fractured. The ten most active groups account for only half of all attacks, down from nearly 70% the year before. This fragmentation changes the defensive calculus. 

You’re no longer defending against a handful of predictable groups with well-documented TTPs. You’re facing a constant churn of new crews, new tools, and new playbooks. 

And they’re attacking after hours. Most intrusions begin between 1 AM and 5 AM, when few people are watching. Attackers move quietly through legitimate utilities like PowerShell, WMI, and RDP to avoid detection. They breach ESXi hypervisors that lack endpoint protection and exploit forgotten or unmanaged systems that fall outside routine visibility. 

ThreatDown EDR closes these gaps.

Network ransomware rollback extends visibility to the attacker’s bridgehead. It captures the source attribution that turns a confusing multi-endpoint incident into a targeted response with clear containment steps and a defined recovery path.

ThreatDown EDR collects the metadata that standard Windows audit logs miss. Its file-activity logs record remote system details, while the rollback mechanism preserves pre-encryption file states. So when an attack hits your network shares at 3 AM, every data point you need to respond and recover already exists in those logs.

That’s the difference between spending hours hunting for patient zero while ransomware spreads to additional systems and immediately isolating the source machine with enough forensic evidence to understand the full attack chain. It’s the difference between paying a ransom or restoring from the seven-day cache the attackers didn’t know existed.

Ransomware cannot thrive in the daylight that EDR creates. ThreatDown’s network ransomware rollback ensures that daylight reaches the places where attackers think they’re invisible.