Code Room
Category: On-call
Difficulty: Hard
ID: oc-g361
Subject: Ransomware
Level: Senior–Staff
Duration: ~45 min
Common in: Reliability & on-call interviews
Industries: Software development, IT services, Technology

Question

At 04:00 a storage alert fires: the used capacity on your **backup repository** share is climbing fast and its dedup ratio is cratering. On inspection, the backup files are being rewritten with high-entropy data and renamed — your *backups* are being encrypted. Production app servers look fine (no `.locked` files, normal load) and last night's restore test passed. The backup service account had broad write access to the repository and was reused across jobs. EDR shows the activity originating from the backup orchestrator host. How do you triage, contain, and figure out whether you can still recover — given that the thing being attacked is your recovery path?

What a strong answer looks like

Stop the bleeding first (mitigate), then form hypotheses from real signals. Separate root cause from symptom, communicate status as you go, and close with what prevents a repeat.
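As an added illustration (not part of the original question or any coach answer), the script below shows one way to triage the repository described above: it samples each backup file, measures its entropy, and checks for a recognised container header, because compressed backups are themselves high-entropy and entropy alone would misclassify them. The sample repository it builds is constructed; the magic-byte table and the 7.5 bits/byte threshold are assumptions to tune for your backup product's format.

```python
import gzip, math, os, random, tempfile
from collections import Counter

# Assumption: the repo stores gzip/zstd/7z-style containers. Replace with the
# headers your backup product actually writes.
KNOWN_MAGIC = {b"\x1f\x8b": "gzip", b"\x28\xb5\x2f\xfd": "zstd", b"7z\xbc\xaf\x27\x1c": "7z"}
ENTROPY_THRESHOLD = 7.5  # bits per byte; 8.0 is indistinguishable from random

def shannon_entropy(data: bytes) -> float:
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def classify(path: str, sample_size: int = 4096) -> dict:
    """Read only the head of the file: enough for the header check and an entropy estimate."""
    with open(path, "rb") as f:
        head = f.read(sample_size)
    fmt = next((name for sig, name in KNOWN_MAGIC.items() if head.startswith(sig)), None)
    ent = shannon_entropy(head)
    # A valid compressed backup is high-entropy but keeps its header; an encrypted
    # overwrite is high-entropy AND has lost it. Plain, uncompressed dumps are low-entropy.
    suspect = ent > ENTROPY_THRESHOLD and fmt is None
    return {"path": path, "entropy": round(ent, 2), "format": fmt,
            "suspect": suspect, "mtime": os.path.getmtime(path)}

def triage(repo: str) -> dict:
    """Split the repo into suspect and intact files and bound when tampering began."""
    results = [classify(os.path.join(repo, n)) for n in sorted(os.listdir(repo))]
    suspects = [r for r in results if r["suspect"]]
    # The earliest suspect mtime bounds the blast radius: restore points older than it,
    # held on a copy the backup service account cannot write to, are the recovery candidates.
    return {"suspect": [r["path"] for r in suspects],
            "intact": [r["path"] for r in results if not r["suspect"]],
            "first_tamper_mtime": min((r["mtime"] for r in suspects), default=None)}

def build_sample_repo() -> str:
    """Constructed sample data, not from any real incident: one compressed backup,
    one plain dump, and one file rewritten with pseudo-random bytes and renamed."""
    repo = tempfile.mkdtemp(prefix="bkp-")
    with gzip.open(os.path.join(repo, "full-001.tar.gz"), "wb") as f:
        f.write(b"customer,balance\n" * 2000)
    with open(os.path.join(repo, "full-002.sql"), "wb") as f:
        f.write(b"INSERT INTO t VALUES (1);\n" * 200)
    with open(os.path.join(repo, "full-003.tar.gz.locked"), "wb") as f:
        f.write(random.Random(7).randbytes(4096))  # seeded so the run is repeatable
    return repo

if __name__ == "__main__":
    for k, v in triage(build_sample_repo()).items():
        print(f"{k}: {v}")
```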
