Ransomware is actively encrypting file shares across the network right now. What is your first priority?
Short answer
Containment beats premature recovery: stop the spread by isolating affected segments and killing the propagation path — disable the abused service account, block SMB between segments, pull the staging host — while preserving evidence, then eradicate and recover. Restoring into a network that's still encrypting just re-loses the restored data. Paying the ransom doesn't stop active encryption and carries legal and sanctions risk. Cutting power to every machine destroys volatile evidence and can corrupt files mid-write, making clean recovery harder.
When ransomware is actively encrypting, every second of spread is more destroyed data and more hosts to recover. The instinct of a weaker responder is to start restoring or to make the encryption stop by paying — both of which fail because they ignore that the propagation engine is still running. The correct first priority is containment.
Why containment comes first
Modern ransomware spreads via abused privileged accounts, SMB, PsExec/WMI, GPO, or compromised RMM tooling. If you don't cut that path, the blast radius keeps growing. Containment means: isolate affected network segments, disable the compromised service/domain account the malware is using to authenticate, block SMB between segments, and take the staging/distribution host offline. Do this while preserving evidence — you'll need the IOCs and the initial-access story for scoping and eradication. Only after the spread is stopped and you've eradicated persistence do you move to recovery from known-clean backups.
Why the other options are wrong
- Restore from backups immediately — restoring into a network that is still encrypting means your freshly restored shares get encrypted too. You burn your recovery window and may re-lose data. Recovery is the last phase, not the first.
- Pay the ransom — payment does nothing to halt encryption already in progress, may violate sanctions/legal obligations, funds the adversary, and offers no guarantee of a working decryptor. It also leaves the intrusion and persistence intact.
- Cut power at the breakers — a sledgehammer that destroys volatile evidence (memory, encryption keys sometimes still resident, live process state) and can corrupt files mid-write, leaving systems in an inconsistent state that's harder to recover. Targeted isolation achieves containment without the collateral damage.
What the interviewer is probing
They want a senior responder who sequences the IR lifecycle correctly under pressure — contain, then eradicate, then recover — and who identifies and severs the propagation mechanism rather than chasing individual encrypted hosts. Naming the abused account and SMB as the things to cut, while preserving evidence, signals real operational maturity.
Likely follow-ups
- How do you isolate segments fast without losing the forensic evidence you'll need for scoping?
- What propagation paths beyond SMB would you check — GPO, PsExec, RMM tooling, scheduled tasks?
- When is restoring from backup safe, and how do you verify the backups themselves aren't encrypted or backdoored?