CompTIA CASP+ Exam: Next Steps After Reporting a Ransomware Incident

Question

While investigating a security event, an analyst finds evidence that a user opened an email attachment from an unknown source.

Shortly after the user opened the attachment, a group of servers experienced a large amount of network and resource activity.

Upon investigating the servers, the analyst discovers the servers were encrypted by ransomware that is demanding payment within 48 hours or all data will be destroyed.

The company has no response plans for ransomware.

Which of the following is the NEXT step the analyst should take after reporting the incident to the management team?

Answers

A. Pay the ransom within 48 hours.
B. Isolate the servers to prevent the spread.
C. Notify law enforcement.
D. Request that the affected servers be restored immediately.

Explanations

The correct answer is B. Isolate the servers to prevent the spread.

Explanation: The analyst has already taken the first step, reporting the incident to the management team. The next step is to isolate the infected servers so the ransomware cannot spread to other systems on the network. Containing the attack at this point limits the damage before any further investigation or recovery work begins.

Paying the ransom within 48 hours (Option A) is not a recommended course of action. Paying encourages the attackers to continue their activities, and there is no guarantee that payment will result in the recovery of the encrypted data. Furthermore, in some countries it is illegal to pay a ransom.

Notifying law enforcement (Option C) is a recommended action but is not the next step to take. Law enforcement can help with the investigation, but the priority at this stage should be to contain the attack.

Requesting that the affected servers be restored immediately (Option D) is not a recommended course of action at this stage. Before the servers are restored, the ransomware must be removed and the systems fully secured against reinfection. Otherwise the same thing may happen again, leaving the organization back in the same situation.

In summary, the next step the analyst should take after reporting the incident to the management team is to isolate the infected servers to prevent further spread of the ransomware.