220-1102 Question #160: Real Exam Question with Answer & Explanation
The correct answer is D: Disconnect the machine from the network.
Question
A technician received a call stating that all files in a user's documents folder appear to be changed, and each of the files now has a .lock file extension. Which of the following actions is the FIRST step the technician should take?
Options
- A. Run a live disk clone.
- B. Run a full antivirus scan.
- C. Use a batch file to rename the files.
- D. Disconnect the machine from the network.
Explanation
The presence of a '.lock' extension on every file in the documents folder strongly indicates a ransomware infection. Disconnecting the machine from the network is the first step because it contains the incident: it stops the malware from encrypting reachable network shares and from spreading to other hosts. Scanning, cloning, and recovery all come after containment.
Common mistakes
- A. Running a live disk clone is a good step for forensic analysis or recovery, but it should be done after isolating the threat to prevent further damage or spread, not as the very first immediate action.
- B. Running a full antivirus scan is an important step, but it should happen after the machine is isolated from the network to prevent the malware from potentially communicating with command and control servers or spreading further during the scan.
- C. Using a batch file to rename the files would be futile and potentially damaging, as the files are encrypted, not just renamed; renaming them would not decrypt them and might complicate recovery efforts.
Concepts tested: incident response, ransomware mitigation, network security
Reference: learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/investigate-respond-alerts-microsoft-defender-for-endpoint?view=o365-worldwide#responding-to-an-incident