nerdexam
ExamsCS0-003Questions#218
CompTIACompTIA

CS0-003 · Question #218

CS0-003 Question #218: Real Exam Question with Answer & Explanation

The correct answer is D: Search for other mail users who have received the same file. Searching for other mail users who have received the same file is the best activity to perform next, as it helps to identify and contain the scope of the ransomware attack and prevent further damage. Ransomware is a type of malware that encrypts files on a system and demands paym

Submitted by wei.xz· Mar 6, 2026Incident Response Management

Question

A security analyst discovers an ongoing ransomware attack while investigating a phishing email. The analyst downloads a copy of the file from the email and isolates the affected workstation from the network. Which of the following activities should the analyst perform next?

Options

  • AWipe the computer and reinstall software
  • BShut down the email server and quarantine it from the network
  • CAcquire a bit-level image of the affected workstation
  • DSearch for other mail users who have received the same file

Explanation

Searching for other mail users who have received the same file is the best activity to perform next, as it helps to identify and contain the scope of the ransomware attack and prevent further damage. Ransomware is a type of malware that encrypts files on a system and demands payment for their decryption. Ransomware can spread through phishing emails that contain malicious attachments or links that download the ransomware. By searching for other mail users who have received the same file, the analyst can alert them not to open it, delete it from their inboxes, and scan their systems for any signs of infection. The other activities are not as urgent or effective as searching for other mail users who have received the same file, as they do not address the immediate threat of ransomware spreading or affecting more systems. Wiping the computer and reinstalling software may restore the functionality of the affected workstation, but it will also erase any evidence of the ransomware attack and make recovery of encrypted files impossible. Shutting down the email server and quarantining it from the network may stop the delivery of more phishing emails, but it will also disrupt normal communication and operations for the organization. Acquiring a bit-level image of the affected workstation may preserve the evidence of the ransomware attack, but it will not help to stop or remove the ransomware or decrypt the files.

Topics

#ransomware#incident response#containment#phishing analysis

Community Discussion

No community discussion yet for this question.

Sign up to join the discussion
Full CS0-003 PracticeBrowse All CS0-003 Questions