But the damage was done. Twelve critical customer databases were a crypted mess. The backups? Those had been online and mounted—because SEP had been snoozed when the attacker ran the list-volume and delete-shadow commands.
Miles ran to the server room, pulling an emergency KVM. He logged directly into a workstation. The SEP interface was still amber. The countdown read: Symantec Endpoint Protection Is Snoozed Windows 11
At 3:12 AM, the finance server’s drive began to encrypt. Not slowly—instantly. Files named Q3_Report.pdf became Q3_Report.pdf.encrypted_crypt . The screen wallpaper on every Windows 11 machine flipped to a single line of red text: “Your watchdog is dreaming. Pay us to wake it.” But the damage was done
SEP was awake.
From that night on, every admin at Helix had a sticky note on their monitor: Those had been online and mounted—because SEP had
It instantly saw the ransomware. It killed the processes. It rolled back the shadow copies from its own buffer. It re-quarantined the macro. By 3:16 AM, the active infection was dead.