The VSA's Ransomware Protection module has the ability to execute an isolation routine on an endpoint once it detects ransomware.
This feature helps guard the rest of your environment against further ransomware infection as it prevents the offending endpoint from any further communication with other local devices by modifying the operating system's network layer, blocking all traffic with one exception -- connectivity back to the VSA server managing the endpoint.
This task does technically carry some inherent risk with it given the varied ways networks can be architected, and it should be used with an understanding that the risk introduced of potentially orphaning managed VSA agents (requriing manaul intervention to re-establish connectivity) are significantly outweighed by the further spread of crypto-ransomware.