CompTIA CySA+ (CS0-003) — Question 423
A security analyst discovers an ongoing ransomware attack while investigating a phishing email. The analyst downloads a copy of the file from the email and isolates the affected workstation from the network. Which of the following activities should the analyst perform next?
Answer options
- A. Wipe the computer and reinstall software
- B. Shut down the email server and quarantine it from the network
- C. Acquire a bit-level image of the affected workstation
- D. Search for other mail users who have received the same file
Correct answer: D
Explanation
The best next step is to search for other mail users who have received the same file, which establishes the scope of the attack and lets the analyst contain further infections while the incident is still active. Wiping the computer and reinstalling software (A) is not effective without first understanding the full impact; shutting down the email server (B) may not be necessary at this stage; and acquiring a bit-level image (C) is a reasonable forensic step but is secondary to identifying other affected users.