
220-1102 Question #187: Real Exam Question with Answer & Explanation

The correct answer is D: Disconnect the machine from the network.

Security

Question

A technician received a call stating that all files in a user's documents folder appear to be changed, and each of the files now has a look file extension. Which of the following actions is the FIRST step the technician should take?

Options

  • A. Run a live disk clone.
  • B. Run a full antivirus scan.
  • C. Use a batch file to rename the files.
  • D. Disconnect the machine from the network.

Explanation

When files in a user's folder appear changed and carry a new file extension, the likely cause is a ransomware infection. The first and most critical action is to disconnect the machine from the network: isolation stops the malware from encrypting shared drives, spreading to other hosts, or exfiltrating data while the remaining response steps are carried out.

Common mistakes.

  • A. Running a live disk clone is a good step for forensic analysis and data recovery, but it should happen after the machine is isolated to prevent further spread of the infection.
  • B. Running a full antivirus scan is necessary to identify and remove the ransomware, but it should be done after the machine is isolated from the network to prevent further infection or data exfiltration.
  • C. Using a batch file to rename the files will not decrypt them and could potentially complicate recovery efforts by making it harder for decryption tools to identify the original file types.

Concept tested: Incident response (ransomware containment)

Topics

#Ransomware #MalwareContainment #IncidentResponse #NetworkSecurity
