During a ransomware incident, the incident response team isolates affected systems. Which of the following is the NEXT best step?
- A (correct): Preserve forensic evidence from the isolated systems.
  Why correct: Preserving evidence supports the investigation and any potential legal action.
- B: Wipe and rebuild all affected systems.
  Why wrong: Wiping destroys the forensic evidence needed for the investigation.
- C: Notify law enforcement immediately.
  Why wrong: Notification should occur after evidence collection and internal escalation.
- D: Pay the ransom to restore operations quickly.
  Why wrong: Paying the ransom encourages attackers and does not guarantee recovery.