File shares show rapid encryption and ransom-note creation from one workstation. What is the best immediate containment action? During containment, which decision is most defensible?
Containment should stop the spread of encryption while preserving evidence for analysis. During containment, responders need an action that reduces risk without destroying the investigation record.
Why this answer
Option D is correct because the immediate priority is to stop the ransomware from encrypting more data and spreading laterally. Isolating the workstation (e.g., disabling its network interface or disconnecting the cable) and terminating its active SMB sessions to file servers cuts off the encryption process at the source, preventing further damage while preserving forensic evidence.
Exam trap
The CS0-003 exam often tests the principle that containment must be immediate and technical (e.g., isolating the host) rather than investigative (scanning) or restorative (backups). The trap here is that candidates may think scanning or restoring is a valid first step, when in fact it wastes critical time during active encryption.
How to eliminate wrong answers
Option A is wrong because running vulnerability scans is a time-consuming, passive step that does nothing to halt active encryption or lateral movement; containment must come first. Option B is wrong because restoring backups before isolating the host risks re-infection if the ransomware is still active on the network, and it violates the containment-first principle of incident response. Option C is wrong because emailing the ransom note to all users is not a containment action; it may cause panic, spread misinformation, and does not stop the encryption or disable the attacker's access.