CompTIA Security+ (SY0-601) — Question 488
A small business just recovered from a ransomware attack against its file servers by purchasing the decryption keys from the attackers. The issue was triggered by a phishing email and the IT administrator wants to ensure it does not happen again. Which of the following should the IT administrator do FIRST after recovery?
Answer options
- A. Scan the NAS for residual or dormant malware and take new daily backups that are tested on a frequent basis.
- B. Restrict administrative privileges and patch all systems and applications.
- C. Rebuild all workstations and install new antivirus software.
- D. Implement application whitelisting and perform user application hardening.
Correct answer: B
Explanation
The correct answer is B because restricting administrative privileges and patching all systems and applications addresses the weaknesses exploited during the attack, reducing the risk of a repeat incident. Options A, C, and D, while important, do not directly address the immediate security weaknesses that allowed the ransomware to gain its initial foothold.