Exam SY0-601
Question 644

A small business just recovered from a ransomware attack against its file servers by purchasing the decryption keys from the attackers. The issue was triggered by a phishing email and the IT administrator wants to ensure it does not happen again. Which of the following should the IT administrator do FIRST after recovery?

    Correct Answer: A

    After recovering from a ransomware attack, the IT administrator's first priority is to confirm that the environment is actually clean. A decryptor bought from the attackers gets the files back, but it does nothing about malware the attackers left behind, so the file servers and any other relevant storage (the NAS named in option A, or whatever the business actually uses) must be scanned for residual or dormant malware before anything is rebuilt on top of them. The second half of option A, new daily backups that are tested on a frequent basis, addresses the reason the business had to pay in the first place: without a verified, restorable backup there is no way to recover from a repeat infection other than paying again. Hardening steps such as restricting administrative privileges and patching still matter, but they come after eradication is confirmed; hardening systems that may still host the attacker's foothold does not prevent re-infection.
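As an added example (not part of the ExamTopics page or CompTIA's material), the following script shows what "backups that are tested on a frequent basis" looks like in practice: a SHA-256 manifest is written when the backup is taken, the backup is restored into a scratch directory, and the restore is compared against the manifest, with the fingerprints ransomware leaves on a backup it has reached (originals missing, files with new extensions, near-random contents) called out separately. The directory layout, file names and the 7.5-bit entropy threshold are assumptions chosen for the demo, and the sample files are constructed inline.

```python
"""Backup manifest and restore-verification check (added example, not page code).

Assumption: backups are plain directory trees, and a manifest of
relative path -> SHA-256 is saved alongside them when the backup is taken.
"""
import hashlib
import math
import os
import shutil
import tempfile
from collections import Counter
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(backup_root: Path) -> dict:
    """Record a SHA-256 for every regular file under backup_root, keyed by POSIX-style relative path."""
    return {
        p.relative_to(backup_root).as_posix(): sha256_file(p)
        for p in sorted(backup_root.rglob("*"))
        if p.is_file()
    }


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 to 8.0). Encrypted output sits close to 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def verify_restore(restored_root: Path, manifest: dict, entropy_threshold: float = 7.5) -> dict:
    """Compare a restored tree against the manifest written at backup time.

    Anything that does not match is reported; files whose contents look
    near-random are additionally flagged, since that is what a backup that
    ransomware reached looks like.  The threshold is an assumed value.
    """
    findings = {"missing": [], "mismatched": [], "unexpected": [], "high_entropy": []}
    seen = set()
    for p in restored_root.rglob("*"):
        if not p.is_file():
            continue
        rel = p.relative_to(restored_root).as_posix()
        seen.add(rel)
        if rel not in manifest:
            findings["unexpected"].append(rel)
        elif sha256_file(p) != manifest[rel]:
            findings["mismatched"].append(rel)
        else:
            continue
        if shannon_entropy(p.read_bytes()) > entropy_threshold:
            findings["high_entropy"].append(rel)
    findings["missing"] = sorted(set(manifest) - seen)
    findings["ok"] = not (findings["missing"] or findings["mismatched"] or findings["unexpected"])
    return findings


def run_demo() -> tuple:
    """Constructed sample data: a clean restore, then a restore of a backup ransomware got to."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        src = root / "backup"
        (src / "finance").mkdir(parents=True)
        (src / "finance" / "q1.csv").write_text("date,amount\n2024-01-02,100\n")   # constructed
        (src / "readme.txt").write_text("Quarterly exports. Constructed sample data.\n")
        manifest = build_manifest(src)

        # Test 1: restore verbatim; every hash should match and nothing should be missing.
        clean = root / "restore_clean"
        shutil.copytree(src, clean)
        clean_result = verify_restore(clean, manifest)

        # Test 2: simulate a backup the ransomware reached. One file is overwritten in
        # place with random bytes, another is replaced by a ".locked" copy of random bytes.
        tampered = root / "restore_tampered"
        shutil.copytree(src, tampered)
        (tampered / "readme.txt").write_bytes(os.urandom(4096))
        (tampered / "finance" / "q1.csv").unlink()
        (tampered / "finance" / "q1.csv.locked").write_bytes(os.urandom(4096))
        tampered_result = verify_restore(tampered, manifest)
    return clean_result, tampered_result


if __name__ == "__main__":
    for label, result in zip(("clean restore", "tampered restore"), run_demo()):
        print(label, "OK" if result["ok"] else "FAILED", result)
```

The point of running this on a schedule is that a backup is only known to be good once a restore has been compared against something recorded before the incident; a backup job that completes without error but whose contents were encrypted alongside the file servers would pass every other check.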

Discussion
sujon_london (Option: B)

Initially thought it was D, but after a little research agreed with B; here's why: The IT administrator should restrict administrative privileges and patch all systems and applications to prevent future attacks. One of the common ways ransomware spreads and gains access to critical systems is through compromised administrative accounts. By restricting administrative privileges, the administrator can limit the ability of malware to spread and make unauthorized changes.

JT4

You are right, I equally thought "D" first, but the key word "FIRST" changed my mind.

vitasaia (Option: A)

It's A for two reasons. 1. They're asking what's the FIRST thing to do. Anyone would ensure the system is 100% clean from that malware. 2. Even though the other options are good protections, you cannot guarantee that you're 100% shielded. And if it happens again, you will pay again because you don't have backups.

spearous (Option: B)

Vote for B. The reason A is wrong is that A says NAS; no one knows whether they used a NAS or not. Maybe they used RAID 6... don't use more info than given.

_deleteme_ (Option: B)

B - The question asks to "ensure it does not happen again"; this means there was a vulnerability to begin with that allowed the ransomware. A is a good option after making sure it can't happen again, or else it will keep happening. From CompTIA: "Other best practices for avoiding ransomware include regularly updating systems to take advantage of vulnerability patches" - https://www.comptia.org/content/articles/what-is-ransomwar From Professor Messer: "If they find a backup, they will also encrypt the backup that you’ve created. This is also why we tell people to always maintain the security patches on your system so that all of those known vulnerabilities are not available to this ransomware" https://www.professormesser.com/security-plus/sy0-601/sy0-601-video/ransomware-and-crypto-malware-2/#google_vignette

Geronemo (Option: B)

After recovering from a ransomware attack triggered by a phishing email, the FIRST step the IT administrator should take is: B. Restrict administrative privileges and patch all systems and applications. Restricting administrative privileges helps mitigate the impact of future attacks by limiting the ability of malware to spread and execute malicious actions with elevated privileges. Patching all systems and applications ensures that known vulnerabilities are addressed, reducing the attack surface and strengthening the overall security posture of the IT environment. While options such as scanning for residual malware, taking new backups, rebuilding workstations, and implementing application whitelisting are important security measures, addressing administrative privileges and patching systems and applications are immediate priorities to prevent similar attacks from occurring again.

mikzer (Option: B)

Always use recent backups to recover from a ransomware attack. A says to take new daily backups, WRONG. The problem was caused by an administrator account at a small business, not an enterprise. By restricting administrative privileges, the organization can reduce the risk of unauthorized changes to systems and applications, which could potentially lead to malware infections.

ID77 (Option: A)

The best way to protect yourself from a ransomware attack is having a good backup process.

memodrums (Option: B)

Here's why I think it's B: it's asking what to do first after recovery. A does not fall into things to do after recovery; A falls into eradication. B makes the most realistic sense with the information provided.

johnabayot (Option: B)

Restrict administrative privileges and patch all systems and applications. This should be done after recovery to prevent further attacks.

2d3d7b4 (Option: A)

Shouldn't the area be secured first? Then you start patching. I am between A & B; I feel A is more correct.

scoobysnack209 (Option: A)

Quick Google search: "90 per cent of ransomware strains do not require admin rights." The answer is A.

shady23 (Option: A)

A. Scan the NAS for residual or dormant malware and take new daily backups that are tested on a frequent basis

russian (Option: B)

B makes more sense.

adam.regula91 (Option: A)

The question is about "what FIRST", so answer A is the most appropriate.

ps1hacker (Option: B)

It’s B. A is a good idea, but I think B takes priority. Also, A mentions a NAS, but it was never mentioned in the question's scenario, so that makes me even more skeptical that it would be A.

MF757 (Option: B)

By restricting administrative privileges, the organization can reduce the risk of unauthorized changes to systems and applications, which could potentially lead to malware infections. Additionally, patching all systems and applications ensures that known vulnerabilities are addressed, making it more difficult for attackers to exploit weaknesses in the system.

gr23 (Option: B)

D: Containment and remediation are the first step, and since the question says the IT administrator account was used to spread the virus, those rights have to be removed first or else the systems will re-encrypt themselves after you apply the key. Patching would also prevent re-infection. D would be applied after the Lessons Learned, and since it's not the first step, it's not the right answer.