
Exam CS0-001 topic 1 question 73 discussion

Actual exam question from CompTIA's CS0-001
Question #: 73
Topic #: 1

The help desk informed a security analyst of a trend that is beginning to develop regarding a suspicious email that has been reported by multiple users. The analyst has determined the email includes an attachment named invoice.zip that contains the following files:

Locky.js
xerty.ini
xerty.lib

Further analysis indicates that when the .zip file is opened, it is installing a new version of ransomware on the devices. Which of the following should be done FIRST to prevent data on the company NAS from being encrypted by infected devices?

  • A. Disable access to the company VPN.
  • B. Move the files from the NAS to a cloud-based storage solution.
  • C. Set permissions on file shares to read-only.
  • D. Add the URL included in the .js file to the company's web proxy filter.
Suggested Answer: D
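The scenario describes a staged attack: a JScript file inside the zip is a downloader that fetches the actual ransomware from a URL, which is why the suggested answer is to block that URL on the web proxy. The script below is an added example, not part of the exam question or any project's code, showing the triage step an analyst would run on the quarantined attachment before pushing a block: it lists the zip members, flags the file names given in the question, pulls URL literals out of any script-host member, and reduces them to host names for the proxy filter. The sample zip, the `payload.example.test` URL and the simplified URL regex are constructed assumptions; the script body in the sample is an inert string literal with no download or execution logic.

```python
"""Triage a quarantined invoice.zip: flag the member names from the report and
extract the URLs a JScript downloader would contact, so they can be added to the
web proxy's block list before more users open the attachment."""
import io
import re
import zipfile

# Member names taken from the question; an indicator for this campaign only,
# not a general Locky signature (assumption for this example).
SUSPICIOUS_MEMBERS = {"locky.js", "xerty.ini", "xerty.lib"}

# Simplified URL matcher: http(s) URLs up to whitespace, quotes or angle brackets.
# Real droppers obfuscate strings; this is a constructed, deliberately simple check.
URL_RE = re.compile(r"""https?://[^\s'"<>]+""", re.IGNORECASE)

# Extensions Windows Script Host will run on double-click.
SCRIPT_EXTENSIONS = (".js", ".jse", ".wsf", ".vbs")


def triage_zip(data: bytes) -> dict:
    """Inspect a zip blob and return flagged members, script members and URLs found in them."""
    flagged, script_members, urls = [], [], []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            lower = name.lower()
            if lower in SUSPICIOUS_MEMBERS:
                flagged.append(name)
            if lower.endswith(SCRIPT_EXTENSIONS):
                script_members.append(name)
                # Read the script text and collect every URL literal once.
                text = zf.read(info).decode("utf-8", errors="replace")
                for url in URL_RE.findall(text):
                    if url not in urls:
                        urls.append(url)
    return {"flagged": sorted(flagged), "script_members": script_members, "urls": urls}


def proxy_blocklist(urls) -> list:
    """Reduce full URLs to host names, the unit a web proxy filter typically blocks on."""
    hosts = []
    for url in urls:
        host = url.split("://", 1)[1].split("/", 1)[0].split(":", 1)[0].lower()
        if host not in hosts:
            hosts.append(host)
    return hosts


def build_sample_zip() -> bytes:
    """Constructed sample mirroring the attachment in the question.

    The .js member only holds a URL as a string literal; it contains no
    download or execution logic (hypothetical content for the example)."""
    js_text = 'var u = "http://payload.example.test/path/a.exe";\n// constructed sample, no further logic\n'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Locky.js", js_text)
        zf.writestr("xerty.ini", "[settings]\n")
        zf.writestr("xerty.lib", b"\x00\x01")
    return buf.getvalue()


if __name__ == "__main__":
    report = triage_zip(build_sample_zip())
    print("flagged members:", report["flagged"])
    print("script members: ", report["script_members"])
    print("urls found:     ", report["urls"])
    print("block on proxy: ", proxy_blocklist(report["urls"]))
```

Run it on the real quarantined attachment by replacing `build_sample_zip()` with the file's bytes; the host list is what goes to the proxy filter (answer D), while the flagged member names are the indicator to search mailboxes for. Note what this does not do: it does not stop a device that has already run the script from encrypting the NAS share, which is the gap several commenters below raise about read-only share permissions.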

Comments

slcc99
Highly Voted 5 years, 2 months ago
This question was in the exam :)
upvoted 8 times
[Removed]
Highly Voted 5 years, 6 months ago
B is not even close to logical. D should be the answer. What if the employees open the invoice before the email is sent by admins?
upvoted 6 times
Kuku55
Most Recent 4 years, 4 months ago
D is correct. This is a staged attack: the .js file is a downloader, and its pure purpose is to download the ransomware. Blocking this will stop the attack.
upvoted 1 times
Kuku55
4 years, 4 months ago
The question is based on this: https://blog.avast.com/lockys-javascript-downloader
upvoted 1 times
Acrisius
4 years, 6 months ago
The answer is D, based on: "The first stage of a ransomware attack is to get to your machine and execute its files. Once the executable files are run either by a user or another malicious file, it connects to the criminal's Command and Control (C&C) server and sends information about the host machine. This connection is known as call home or C2 traffic and normally uses the standard port 80 and HTTP or port 443 and HTTPS protocols."
upvoted 1 times
oooooga
4 years, 9 months ago
First off, this question is sorta screwed up since another version mentions emailing employees while this one doesn't. The answer is D. Ransomware works by contacting a C&C server. Blocking that domain will be far more effective than telling your employees not to access that domain. B in this case does not work because it's more of a proactive solution. Setting permissions on file-shares MIGHT work, but I'm still confident in D.
upvoted 1 times
Takondwa
4 years, 11 months ago
B should be the answer; the most effective way to safeguard your data from ransomware is by having a backup copy of your data.
upvoted 1 times
s3curity1
5 years, 1 month ago
I don't think D is the first step to be done. Multiple users have already received the email, so adding the URL where the JS file is received will not prevent data from being encrypted, it will only prevent future downloads of the malicious zip file. On a side note, will setting permissions to read-only prevent ransomware?
upvoted 1 times
Rowlandmarc
5 years ago
Quick Google: https://security.stackexchange.com/questions/116371/is-denying-write-access-an-effective-way-to-stop-ransomware suggests that in reality D is correct for use in the real world.
upvoted 2 times
s3curity1
5 years ago
Do you mean letter C? Letter C is the one related to that article you mentioned.
upvoted 1 times
B1gK
5 years, 2 months ago
Well, I see the .js file is included in the .zip file, which has already made it inside the corporate network. What then can the web proxy filter do to it? Help me out here. If the .zip file is not opened, the installation will not happen. I think B is valid.
upvoted 3 times
kkarri
4 years, 8 months ago
He said "the URL included in .js", which means after the .rar is opened the .js is going to execute; therefore the proxy filter comes into play.
upvoted 1 times
cyber_now
5 years, 3 months ago
They should email employees because the email has already been sent and is sitting in their inboxes...
upvoted 1 times
KC
5 years, 5 months ago
I take it back. D makes the most sense based on this article: https://community.sophos.com/kb/en-us/124699
upvoted 5 times
KC
5 years, 5 months ago
I don't think it's D. I think the most a web proxy filter will do is prevent the ransomware from contacting command and control. But the ransomware could still encrypt the user's data, even without internet access.
upvoted 3 times
khyle
5 years, 6 months ago
Should be D.
upvoted 5 times
Community vote distribution
  • A (35%)
  • C (25%)
  • B (20%)
  • Other