Code Room
On-call · Hard · oc-g362
Subject: Ransomware | Level: Senior–Staff | ~45 min | Common in: Reliability & on-call interviews | Industries: Software development, IT services, Technology

Question

A **canary/honeyfile** on a file server is read and modified at 02:50 — an alert you've never seen fire before. EDR then shows a signed-but-uncommon binary staged in `C:\ProgramData` on 14 hosts and a scheduled task created on each to run it at 06:00. Nothing is encrypted yet; users are asleep; ops looks normal. Threat intel matches the staging pattern to a ransomware affiliate that detonates fleet-wide on a timer. You have ~3 hours before the scheduled tasks fire. How do you triage, contain before detonation, and avoid tipping off an attacker who may still be watching?

What a strong answer looks like

Stop the bleeding first (mitigate), then form hypotheses from real signals. Separate root cause from symptom, communicate status as you go, and close with what prevents a repeat.
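A concrete first containment step for the scenario above, added here as example code (not from the original page): collect evidence for every scheduled task on the affected hosts whose executable lives under `C:\ProgramData` and whose trigger starts at 06:00, then disable those tasks. Host names, the evidence directory and the staging directory are placeholders; it assumes PowerShell remoting (WinRM) is reachable from an IR workstation.

```powershell
# Added example: triage + neutralise the 06:00 timer on the staged hosts.
# Placeholders: $Hosts is the host list from EDR; WinRM is assumed reachable.
# Evidence (task XML, binary hash, signer) is captured BEFORE anything is changed.
$Hosts       = @('HOST-PLACEHOLDER-01', 'HOST-PLACEHOLDER-02')  # the 14 hosts from EDR
$StagingDir  = 'C:\ProgramData'
$FireHour    = 6                                                # 06:00 local, per the alert
$EvidenceDir = "$env:USERPROFILE\ir-evidence"
New-Item -ItemType Directory -Path $EvidenceDir -Force | Out-Null

$findings = Invoke-Command -ComputerName $Hosts -ScriptBlock {
    param($StagingDir, $FireHour)
    Get-ScheduledTask | ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            # Only exec actions whose binary is staged under the suspicious directory
            if ($action.Execute -and $action.Execute -like "$StagingDir\*") {
                # StartBoundary is an ISO-8601 string, e.g. 2024-05-01T06:00:00
                $firesAtHour = $task.Triggers | Where-Object {
                    $_.StartBoundary -and ([datetime]$_.StartBoundary).Hour -eq $FireHour
                }
                if ($firesAtHour) {
                    $sig = Get-AuthenticodeSignature -FilePath $action.Execute -ErrorAction SilentlyContinue
                    [pscustomobject]@{
                        Host      = $env:COMPUTERNAME
                        TaskName  = $task.TaskName
                        TaskPath  = $task.TaskPath
                        Binary    = $action.Execute
                        Arguments = $action.Arguments
                        Sha256    = (Get-FileHash -Path $action.Execute -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
                        Signer    = $sig.SignerCertificate.Subject   # "signed-but-uncommon": record who signed it
                        SigStatus = $sig.Status
                        TaskXml   = Export-ScheduledTask -TaskName $task.TaskName -TaskPath $task.TaskPath
                    }
                }
            }
        }
    }
} -ArgumentList $StagingDir, $FireHour

# Preserve evidence off-host, then disable (not delete) the task so the timer cannot fire
$findings | Export-Clixml -Path (Join-Path $EvidenceDir 'staged-tasks.xml')
foreach ($f in $findings) {
    Invoke-Command -ComputerName $f.Host -ScriptBlock {
        param($name, $path)
        Disable-ScheduledTask -TaskName $name -TaskPath $path | Out-Null
    } -ArgumentList $f.TaskName, $f.TaskPath
}
$findings | Select-Object Host, TaskName, Binary, Sha256, SigStatus | Format-Table -AutoSize
```

Disabling the task is visible to an attacker who still has a session on the host, so pair it with network isolation of the 14 hosts and credential rotation for whatever account created the tasks rather than relying on it alone. Check that the task list and hash set are identical across hosts; a host that differs deserves separate scrutiny.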
