Question 5 of 10
Your SOC detects ransomware activity on three workstations simultaneously. Walk me through your incident response plan, including your containment, investigation, and recovery strategy.
Sample answer preview
A ransomware incident affecting multiple workstations simultaneously is a critical-severity event that demands rapid, coordinated action. My response would follow a structured approach to minimize damage while preserving evidence for investigation.
ransomware response, network isolation, quarantine VLAN, attack vector analysis, backup restoration, evidence preservation