CompTIA Security+ (SY0-501) — Question 601
A small business just recovered from a ransomware attack against its file servers by purchasing the decryption keys from the attackers. The incident was triggered by a phishing email, and the IT administrator wants to ensure it does not happen again. Which of the following should the IT administrator do FIRST after recovery?
Answer options
- A. Scan the NAS for residual or dormant malware and take new daily backups that are tested on a frequent basis.
- B. Restrict administrative privileges and patch all systems and applications.
- C. Rebuild all workstations and install new antivirus software.
- D. Implement application whitelisting and perform user application hardening.
Correct answer: A
Explanation
The correct answer is A because scanning for residual or dormant malware is crucial to ensure that no remnants of the ransomware remain on the NAS; any that did would be the most likely cause of a reinfection. Taking new daily backups and testing them regularly, as option A also specifies, gives the business a recovery path that does not depend on paying the attackers again. Options B, C, and D are all important for overall security, but none of them directly addresses the immediate threat of undetected malware still residing on the system.