Code Room
Topic: On-call | Difficulty: Hard | ID: doc-g148
Subject: Ransomware | Level: Senior–Staff | Duration: ~50 min | Common in Reliability & on-call interviews | Industries: Technology, Software development

Question

A threat actor emails your CEO claiming to have exfiltrated 1.2TB of customer data and will publish it in 72 hours unless paid; they attach a sample of real customer records as proof. No systems are encrypted yet and operations look normal. Investigation finds an internet-exposed RDP jump host with a weak password that has successful logins from a foreign IP over the past three weeks, and your cloud storage logs show a large outbound transfer from a backup bucket 9 days ago. How do you triage, contain, and remediate a double-extortion (exfil-only, pre-encryption) scenario?

What a strong answer looks like

Stop the bleeding first (mitigate), then form hypotheses from real signals. Separate root cause from symptom, communicate status as you go, and close with what prevents a repeat.

Diagram & narrate the incident