A company's incident response team is handling a ransomware incident that has encrypted all files on the file server and spread to several workstations. The team has isolated the affected systems and obtained memory dumps and disk images. The CEO demands immediate restoration of operations and suggests paying the ransom to decrypt the files quickly. The company has recent backups, but they are stored on a network share that was also encrypted. The CISO wants to ensure that the root cause is identified before restoration. As the lead incident responder, which of the following actions should you take NEXT?
Root cause analysis ensures that the vulnerability is fixed before restoration.
Why this answer
Option C is correct because analyzing the memory dumps will help identify the initial infection vector (e.g., a phishing email or an exploited vulnerability) and any persistence mechanisms. This information is critical to preventing reinfection after restoration. Options A and D skip root cause analysis and therefore risk reinfection.
Option B is ill-advised and may not work.