What is ransomware, and walk me through how you respond once it is actively encrypting systems.
Short answer
Ransomware is malware that encrypts (and increasingly exfiltrates) data, then demands payment. In an active case: isolate affected hosts from the network without powering them off if you can preserve memory, identify scope, patient zero, and the strain, preserve evidence, find and evict the foothold and any backdoors, then restore from known-clean offline backups. Paying is a last resort and never guarantees recovery.
Ransomware is malware that denies access to data, classically by encrypting files and demanding payment for the key. Modern operators add double extortion — stealing data first and threatening to leak it — so even perfect backups do not remove the leverage. Interviewers want a calm, ordered response, not panic.
Contain first
The priority is to stop the spread. Isolate affected hosts — pull network access, disable accounts, segment the VLAN — ideally without powering machines off, because RAM holds keys, injected code, and other volatile evidence that vanishes on shutdown. If a host must go down to save data, document the decision.
Scope and identify
Determine how far it spread, find patient zero and the initial access vector (phishing, exposed RDP, an unpatched VPN), and identify the strain (ransom note, file extension, sample on ID-Ransomware). Knowing the strain tells you whether a free decryptor exists and how the group typically operates.
Eradicate and recover
Find and remove the foothold and any backdoors or new accounts the operators created — restoring while the attacker still has access just gets you re-encrypted. Then recover from known-clean, offline or immutable backups, rebuilding rather than trusting compromised hosts. Reset credentials broadly, since they were likely harvested. Throughout, preserve evidence for forensics, insurance, and any law-enforcement engagement.
On paying
Treat payment as a last resort: it funds crime, may breach sanctions, does not guarantee a working decryptor, and does not undo data theft. The decision is legal and executive, not the analyst's.
Why this matters
A strong answer follows the IR lifecycle, leads with isolation over panic-shutdown, stresses evidence preservation and clean offline backups, and shows awareness that exfiltration changes the calculus. That signals composure under one of the highest-pressure incidents a SOC faces.
Likely follow-ups
- Why isolate rather than immediately power off an infected machine?
- What is 'double extortion' and how does it change the response?
- Why must backups be offline or immutable to be trustworthy here?