Code Room
On-call | Hard | oc-g137
Subject: Ransomware
Level: Senior–Staff
Duration: ~50 min
Common in: Reliability & on-call interviews
Industries: Technology, Software development

Question

At 03:40 monitoring pages on-call: dozens of internal file shares and three Windows app servers show CPU pegged and disk I/O saturated, and users report files renamed with a '.locked' extension plus a ransom note dropped in every directory. EDR shows a process spawning from a recently patched VPN appliance host, then SMB connections fanning out to other hosts using a domain admin credential. Backups run nightly to a network share mounted on the same domain. How do you triage, contain, and remediate an active ransomware outbreak?

What a strong answer looks like

Stop the bleeding first (mitigate), then form hypotheses from real signals. Separate root cause from symptom, communicate status as you go, and close with what prevents a repeat.
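The "real signals" in this scenario are the SMB fan-out from one host under a domain admin account and the burst of renames to '.locked'. The following is an added triage helper, not part of the interview page, that turns those two signals into a containment list; the telemetry lines, host names and account names are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed telemetry for the scenario above (not real logs); one event per line:
# <timestamp> <kind> <src_host> <dst_host|-> <account> <detail...>
SAMPLE = """\
2024-05-01T03:31:40 smb vpn-gw01 fs-01 CORP\\da-admin ADMIN$
2024-05-01T03:31:41 smb vpn-gw01 fs-02 CORP\\da-admin ADMIN$
2024-05-01T03:31:43 smb vpn-gw01 app-01 CORP\\da-admin ADMIN$
2024-05-01T03:31:44 smb vpn-gw01 app-02 CORP\\da-admin ADMIN$
2024-05-01T03:32:10 smb ws-117 fs-01 CORP\\jdoe Finance
2024-05-01T03:36:05 file fs-01 - CORP\\da-admin rename Q3.xlsx Q3.xlsx.locked
2024-05-01T03:36:06 file fs-01 - CORP\\da-admin create README_RESTORE.txt
2024-05-01T03:36:30 file app-02 - CORP\\da-admin rename web.config web.config.locked
"""

def parse(text):
    events = []
    for line in text.splitlines():
        ts, kind, src, dst, acct, *detail = line.split()
        events.append(dict(ts=datetime.fromisoformat(ts), kind=kind, src=src,
                           dst=dst, acct=acct, detail=detail))
    return events

def smb_fanout(events, min_targets=3, window=timedelta(minutes=5)):
    # (src, account) pairs whose SMB sessions reach >= min_targets distinct
    # hosts inside one sliding window: the lateral-movement signature.
    by_pair = defaultdict(list)
    for e in events:
        if e["kind"] == "smb":
            by_pair[(e["src"], e["acct"])].append(e)
    hits = {}
    for pair, evs in by_pair.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):
            targets = {e["dst"] for e in evs[i:] if e["ts"] - first["ts"] <= window}
            if len(targets) >= min_targets:
                hits[pair] = sorted(targets)
                break
    return hits

def encrypting_hosts(events, ext=".locked"):
    # Hosts where files are being renamed to the ransomware extension.
    return sorted({e["src"] for e in events if e["kind"] == "file"
                   and e["detail"][:1] == ["rename"] and e["detail"][-1].endswith(ext)})

def containment_plan(events):
    # First actions: isolate spreaders and encrypting hosts, disable the abused
    # account; the reached-host list scopes the blast radius for later triage.
    fan = smb_fanout(events)
    return {"isolate_hosts": sorted({s for s, _ in fan} | set(encrypting_hosts(events))),
            "disable_accounts": sorted({a for _, a in fan}),
            "reached_hosts": sorted({h for t in fan.values() for h in t})}
```

The single-target session from ws-117 is deliberately left unflagged, which is the difference between a user opening a share and a host spraying a domain admin credential across the estate.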
