Describe a basic ransomware lifecycle from initial access to recovery options.

• A. Initial access, encryption of files, ransom note, demand for payment, and recovery/restore from backups or decryption if available.
• B. Opening a backdoor, stealing data, selling it, then deleting traces.
• C. Installing antivirus, contacting victims, then exposing vulnerability.
• D. Only encrypting a single file and immediately paying ransom.

Answer: (A)

Ransomware attacks follow a simple sequence: how the attacker gets in, what they do to the data, how they demand payment, and what happens for recovery. The initial access stage is about gaining entry into the environment, often through phishing, stolen or weak credentials, or exploiting exposed services. Once inside, the malicious software typically encrypts many files across the network to maximize impact, making data unusable to pressure the victim. After encryption, a ransom note or message is left with instructions on how to pay and how to obtain decryption keys. The final part centers on recovery options, which usually means restoring from clean backups or using a decryption tool if one is available or provided.

This option best captures the full lifecycle—from getting in, to locking data, to demanding payment, to how victims recover. The other scenarios don’t fit the ransomware pattern: one describes a data theft/extortion path without encryption or a ransom process; another describes defensive actions or a non-ransomware workflow; and the last describes an overly simplistic, unrealistic sequence that omits the core steps of encryption and a formal recovery path.