A company's file servers were encrypted by a ransomware attack. The incident response team has already contained the incident by isolating the affected servers from the network. The company maintains regular, verified backups. What is the MOST effective next step to restore the encrypted data and resume operations?
Pay the ransom to obtain the decryption key.
Analyze the ransomware's code to develop a custom decryptor tool.
Restore the data from the most recent known-good backup.
Wipe the servers and immediately deploy new security patches.
The correct answer is to restore the data from the last known-good backup. According to incident response procedures, after an attack is contained (by isolating the systems), the next phase is recovery. Since the company has reliable backups, using them is the most efficient and recommended way to restore the data without paying a ransom. Wiping the servers and patching is part of the eradication and recovery process, but it does not by itself restore the lost data. Paying the ransom is not advised because it does not guarantee data recovery and encourages further criminal activity. Attempting to develop a custom decryptor is a highly specialized, uncertain, and time-consuming process that is not a practical immediate step when good backups are available.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
Why is restoring from the last known good backups the best response to ransomware attacks?
Open an interactive chat with Bash
What steps are included in a strict data backup policy to prepare for ransomware attacks?
Open an interactive chat with Bash
What measures should be taken immediately after a ransomware attack besides restoring from backups?