During incident response, a security analyst discovers that ransomware has encrypted critical files across multiple departments. The attacker is demanding payment within 24 hours. What is the FIRST action the analyst should take?
- A. Negotiate with the attacker to extend the deadline
- B. Pay the ransom to minimize data loss
- C. Restore all files from backup without investigating
- D. Isolate affected systems from the network immediately ✓
Correct answer: Isolate affected systems from the network immediately
Option D is correct because the very first action during a ransomware incident is containment, specifically isolating affected systems from the network to prevent the ransomware from spreading laterally to additional hosts and shared resources. Option A is incorrect because negotiating with the attacker is not a security response priority and should never be the first technical action; it may occur later as a business decision but containment comes first. Option B is incorrect because paying the ransom does not guarantee file recovery, encourages further attacks, and ignores the immediate need to stop ongoing encryption or lateral movement. Option C is incorrect because restoring from backup before investigating and containing the threat risks reinfecting the restored systems if the ransomware is still active on the network.
Topic: incident response, ransomware, containment, network isolation