A multinational corporation has just detected a ransomware attack that encrypted critical files on a file server. The incident response team has been activated. Which of the following should be the FIRST action taken by the team?
- Trap 1: Restore encrypted files from backup. Restoration should occur after containment and forensic analysis.
- Trap 2: Reboot the file server to clear the encryption. Rebooting may lose volatile evidence and does not remove encryption.
- Trap 3: Notify law enforcement. Notifying law enforcement is important but not the first step; containment is the priority.
- A. Restore encrypted files from backup
  Why wrong: Restoration should occur after containment and forensic analysis.
- B. Reboot the file server to clear the encryption
  Why wrong: Rebooting may lose volatile evidence and does not remove encryption.
- C. Isolate the affected systems from the network
  Correct: Isolation stops the ransomware from spreading and limits damage.
- D. Notify law enforcement
  Why wrong: Notifying law enforcement is important but not the first step; containment is the priority.