
When the SOC Goes to Deadwood: A Night to Remember 

ID: 18394360-11bf-56c8-ae4c-fb359197a58a

STIX ID: report--18394360-11bf-56c8-ae4c-fb359197a58a

Feed Name: Black Hills Infosec Blog

Threat Score
70/100

Date Published: 2026-02-04

Date Updated: 2026-04-27

Author: BHIS


A first-person account of Black Hills Information Security's SOC responding to an active ransomware incident discovered during a company conference. The attackers abused existing EDR exclusions to run malicious binaries unmonitored, then deleted Volume Shadow Copy (VSS) snapshots, created scheduled tasks for persistence, and established command-and-control and lateral movement. The entire SOC worked the incident together, removing the exclusions, feeding IOCs into detection tooling, and performing containment actions, which stopped the ransomware before backups were affected and avoided a ransom payment.
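The summary above hinges on two detection points: the precursor commands (shadow copy deletion, scheduled task creation) and the fact that the attacker's binaries ran from paths the EDR had been told to ignore. The following is an added example written for this page, not code from BHIS or from the incident described; it runs a small detector over constructed process-creation events and cross-references each one against a hypothetical EDR exclusion list, so an analyst can see at a glance which activity the EDR itself would never have reported. The host names, paths, exclusions and command lines are all invented sample data.

```python
"""Flag ransomware-precursor commands in process-creation telemetry and note
whether the image, or the task it schedules, lives under an EDR exclusion.
All events and exclusions below are constructed for illustration."""
import re
from dataclasses import dataclass


@dataclass
class Finding:
    host: str
    technique: str
    command: str
    in_exclusion: bool  # True when the image or task target sits under an EDR exclusion


# Constructed sample events shaped like (host, image path, command line) from
# process-creation telemetry (Sysmon EID 1 / Security 4688 style). Not from the incident.
SAMPLE_EVENTS = [
    ("WS01", "C:\\Windows\\System32\\vssadmin.exe", "vssadmin.exe delete shadows /all /quiet"),
    ("WS01", "C:\\Windows\\System32\\wbem\\WMIC.exe", "wmic shadowcopy delete"),
    ("WS01", "C:\\Windows\\System32\\schtasks.exe",
     'schtasks /create /sc onlogon /tn "Updater" /tr "C:\\Temp\\upd.exe" /ru SYSTEM'),
    ("WS02", "C:\\Temp\\upd.exe", "C:\\Temp\\upd.exe --connect"),
    ("WS02", "C:\\Windows\\System32\\notepad.exe", "notepad.exe report.txt"),
]

# Hypothetical EDR path exclusions. A broad folder exclusion like C:\Temp\ is the
# kind of blind spot that lets an attacker's binaries execute without EDR visibility.
EXCLUSIONS = ["C:\\Temp\\", "C:\\Program Files\\Backup\\"]

# Command-line patterns for the two precursor techniques named in the summary.
PATTERNS = {
    "shadow_copy_deletion": re.compile(
        r"vssadmin(?:\.exe)?\s+delete\s+shadows|wmic(?:\.exe)?\s+shadowcopy\s+delete", re.I),
    "scheduled_task_creation": re.compile(r"schtasks(?:\.exe)?\s+/create\b", re.I),
}
# Extracts the program a scheduled task will run (/tr), quoted or bare.
TASK_TARGET = re.compile(r'/tr\s+(?:"([^"]+)"|(\S+))', re.I)


def path_in_exclusion(path, exclusions):
    """Case-insensitive prefix match against folder exclusions."""
    p = path.lower()
    return any(p.startswith(e.lower()) for e in exclusions)


def detect(events, exclusions):
    """Return one Finding per suspicious event, annotated with exclusion coverage."""
    findings = []
    for host, image, cmd in events:
        matched = False
        for technique, rx in PATTERNS.items():
            if rx.search(cmd):
                matched = True
                target = image
                # For task creation, what matters is where the scheduled payload lives.
                if technique == "scheduled_task_creation":
                    m = TASK_TARGET.search(cmd)
                    if m:
                        target = m.group(1) or m.group(2)
                findings.append(Finding(host, technique, cmd,
                                        path_in_exclusion(target, exclusions)))
        # Anything executing from an excluded folder is worth a look even if
        # its command line matched no known pattern: the EDR itself would have ignored it.
        if not matched and path_in_exclusion(image, exclusions):
            findings.append(Finding(host, "execution_from_excluded_path", cmd, True))
    return findings


def hosts_to_isolate(findings):
    """Hosts with at least one finding, as a first cut at a containment list."""
    return sorted({f.host for f in findings})


if __name__ == "__main__":
    results = detect(SAMPLE_EVENTS, EXCLUSIONS)
    for f in results:
        print(f"{f.host:5} {f.technique:30} excluded={f.in_exclusion!s:5} {f.command}")
    print("isolate:", hosts_to_isolate(results))
```

The point of the `in_exclusion` flag is that a process-creation event from a host's own logs survives even when the EDR was configured not to look at that path, so when the SOC pulls the exclusions it can also replay earlier telemetry through a check like this to see what was missed.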
