What are common signs of ransomware and best practices for incident containment and recovery?

Unlock all questions

This demo includes only 20 questions. Upgrade to access hundreds of questions, flashcards, exam simulations, and disable ads.

Full question bankExam simulationsFlashcards
From $24.99Unlock all

Get ready for the Cybersecurity and Digital Forensics Test with comprehensive multiple choice questions, flashcards, and detailed explanations. Enhance your skills and prepare for success in the digital security field!

Multiple Choice

What are common signs of ransomware and best practices for incident containment and recovery?

Explanation:
Ransomware is most clearly signaled by quickly locked or encrypted files across systems and a ransom note demanding payment. Recognizing those signs early helps you act fast to limit damage and preserve useful data for later recovery. Containment should focus on stopping the attacker from encrypting more files and slowing or halting lateral movement. Isolating affected hosts prevents the malware from spreading to others. Disabling or restricting network shares and privileged access helps block the attacker from reaching additional systems and data. Preserving evidence—logs, disk images, and other artifacts—ensures you have a solid trail for incident response and forensics, which supports accurate recovery decisions and potential attribution. Recovery relies on restoring clean data from trusted sources. Using known-good backups is essential, and backups should be offline or otherwise protected so they cannot be overwritten or encrypted by the ransomware. Verifying the integrity of restored data before bringing systems back online ensures you aren’t reinfecting endpoints or restoring corrupted files. Other options don’t address the core impact of ransomware. Merely acknowledging signs like unusual DNS activity doesn’t capture encryption or ransom demands, broad shutdowns can cause excessive disruption, changing DNS servers isn’t a focused containment action, and simply reinstalling applications ignores the encrypted data and how to safely restore a clean state.

Ransomware is most clearly signaled by quickly locked or encrypted files across systems and a ransom note demanding payment. Recognizing those signs early helps you act fast to limit damage and preserve useful data for later recovery.

Containment should focus on stopping the attacker from encrypting more files and slowing or halting lateral movement. Isolating affected hosts prevents the malware from spreading to others. Disabling or restricting network shares and privileged access helps block the attacker from reaching additional systems and data. Preserving evidence—logs, disk images, and other artifacts—ensures you have a solid trail for incident response and forensics, which supports accurate recovery decisions and potential attribution.

Recovery relies on restoring clean data from trusted sources. Using known-good backups is essential, and backups should be offline or otherwise protected so they cannot be overwritten or encrypted by the ransomware. Verifying the integrity of restored data before bringing systems back online ensures you aren’t reinfecting endpoints or restoring corrupted files.

Other options don’t address the core impact of ransomware. Merely acknowledging signs like unusual DNS activity doesn’t capture encryption or ransom demands, broad shutdowns can cause excessive disruption, changing DNS servers isn’t a focused containment action, and simply reinstalling applications ignores the encrypted data and how to safely restore a clean state.

More Multiple Choice Questions
Subscribe

Get the latest from Examzify

You can unsubscribe at any time. Read our privacy policy