A user calls the help desk saying they cannot log into their Windows 10 workstation because a message claims their files are encrypted and they must pay a ransom. What is the most effective remediation approach?
The correct answer is option C: disconnect the workstation from the network and restore the user's files from a verified backup. This isolates the infection and recovers the data without paying, following best practices for ransomware remediation.
Why this answer
Option C is correct because ransomware encrypts files with a key known only to the attacker, making decryption without the key impossible. Disconnecting from the network prevents the ransomware from spreading to other systems, and restoring from a verified backup is the only reliable way to recover the original files without paying the ransom.
Exam trap
CompTIA often tests the misconception that removing the malware (via Safe Mode or System Restore) will undo the encryption, when in fact encryption is a cryptographic operation that persists after the malware is gone.
How to eliminate wrong answers
Option A is wrong because paying the ransom does not guarantee the attacker will provide a working decryption key, and it encourages further criminal activity. Option B is wrong because rebooting into Safe Mode and running a malware scan can remove the ransomware executable but cannot decrypt files that are already encrypted; the encryption persists. Option D is wrong because System Restore does not affect user files; it only restores system files and registry settings, leaving the encrypted files unchanged.