Cisco
300-215 · Question #122
300-215 Question #122: Real Exam Question with Answer & Explanation
The correct answer is D: Isolate impacted systems. Active ransomware must be contained first to stop propagation and data loss. Full forensic acquisition comes after isolation.
Submitted by hans_de · Mar 6, 2026 · Incident Response Techniques
Question
Which step should occur IMMEDIATELY after identifying ransomware actively encrypting files on multiple hosts?
Options
- A. Restore from backup
- B. Disable affected user accounts
- C. Capture forensic disk images
- D. Isolate impacted systems
Explanation
Active ransomware must be contained first to stop propagation and data loss. Full forensic acquisition comes after isolation.
Topics
#Incident response #Ransomware #Containment #System isolation