Which of the following is the NEXT step the analyst should take after reporting the incident to the management team?

While investigating a security event, an analyst finds evidence that a user opened an email attachment from an unknown source. Shortly after the user opened the attachment, a group of servers experienced a large amount of network and resource activity. Upon investigating the servers, the analyst discovers the servers were encrypted by ransomware that is demanding payment within 48 hours or all data will be destroyed. The company has no response plans for ransomware.

Which of the following is the NEXT step the analyst should take after reporting the incident to the management team?
A . Pay the ransom within 48 hours.
B . Isolate the servers to prevent the spread.
C . Notify law enforcement.
D . Request that the affected servers be restored immediately.

View Answer

Answer: B

Explanation:

Isolating the servers is the best immediate action to take after reporting the incident to the management team, as it can limit the damage and contain the ransomware infection. Paying the ransom is not advisable, as it does not guarantee the recovery of the data and may encourage further attacks. Notifying law enforcement is a possible step, but not the next one after reporting. Requesting that the affected servers be restored immediately may not be feasible or effective, as it depends on the availability and integrity of backups, and it does not address the root cause of the attack.

Verified Reference:

https://www.comptia.org/blog/what-is-ransomware-and-how-to-protect-yourself

https://www.comptia.org/certifications/comptia-advanced-security-practitioner