Azure Storage ransomware pattern - protection disabled followed by mass deletion


Goal

Detect a ransomware pattern where Azure Storage data protection mechanisms are disabled followed by deletion of storage resources.

Strategy

This rule uses sequence detection to correlate two stages of a potential ransomware attack against Azure Storage. The first stage identifies the disabling of data protection mechanisms, tracked by signals from the Azure Storage data protection settings disabled rule (def-000-i2h) or the Azure resource lock deleted rule (def-000-0b3). The second stage detects mass destructive operations including storage account deletion, container deletion, or blob deletion. The rule triggers when both stages occur from the same IP address, a hallmark of cloud ransomware operations designed to maximize damage and prevent recovery.
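The two-stage correlation described above can be reproduced on Azure Activity Log-style events. The following is an added example, not Datadog's rule implementation: it groups events by caller IP, looks for a successful protection-disabling operation (a resource lock deletion, or a blob service write that turns the soft-delete retention policy off), and raises an alert when at least a threshold number of successful destructive operations follow within a time window. The event field names (`time`, `callerIpAddress`, `operationName`, `resultType`, `properties`), the operation names, the one-hour window and the threshold of three deletions are assumptions chosen for the example; the sample events are constructed.

```python
"""Two-stage sequence detection for the Azure Storage ransomware pattern
(added example; field names, operation names, window and threshold are assumptions)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Stage 2: destructive operations against storage resources (assumed operation names)
DESTRUCTIVE_OPS = {
    "Microsoft.Storage/storageAccounts/delete",                        # storage account deletion
    "Microsoft.Storage/storageAccounts/blobServices/containers/delete",  # container deletion
    "DeleteBlob",                                                      # blob deletion (storage resource log)
}


def _parse_ts(value):
    """Parse an ISO-8601 UTC timestamp such as 2024-05-01T10:00:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def _disables_protection(event):
    """Stage 1: a resource lock was removed, or soft delete was switched off."""
    op = event["operationName"]
    if op == "Microsoft.Authorization/locks/delete":
        return True
    if op == "Microsoft.Storage/storageAccounts/blobServices/write":
        # Only a write that explicitly disables the retention policy counts;
        # re-enabling soft delete is the opposite of the attacker's goal.
        policy = event.get("properties", {}).get("deleteRetentionPolicy", {})
        return policy.get("enabled") is False
    return False


def detect_ransomware_sequence(events, window=timedelta(hours=1), min_deletions=3):
    """Return one alert per client IP whose protection-disable step is followed
    by at least `min_deletions` successful destructive operations within `window`."""
    by_ip = defaultdict(list)
    for event in events:
        by_ip[event["callerIpAddress"]].append(event)

    alerts = []
    for ip, ip_events in by_ip.items():
        ip_events.sort(key=lambda e: _parse_ts(e["time"]))
        for index, event in enumerate(ip_events):
            if event["resultType"] != "Success" or not _disables_protection(event):
                continue
            t0 = _parse_ts(event["time"])
            deletions = [
                later for later in ip_events[index + 1:]
                if later["operationName"] in DESTRUCTIVE_OPS
                and later["resultType"] == "Success"          # failed deletions do not count
                and _parse_ts(later["time"]) - t0 <= window
            ]
            if len(deletions) >= min_deletions:
                alerts.append({
                    "client_ip": ip,
                    "protection_disabled_op": event["operationName"],
                    "protection_disabled_at": event["time"],
                    "deletion_count": len(deletions),
                    "first_deletion_at": deletions[0]["time"],
                    "last_deletion_at": deletions[-1]["time"],
                })
                break  # one alert per IP is enough for triage
    return alerts


# Constructed sample events (TEST-NET addresses; not real activity).
SAMPLE_EVENTS = [
    {"time": "2024-05-01T10:00:00Z", "callerIpAddress": "203.0.113.10", "resultType": "Success",
     "operationName": "Microsoft.Authorization/locks/delete"},
    {"time": "2024-05-01T10:02:00Z", "callerIpAddress": "203.0.113.10", "resultType": "Success",
     "operationName": "Microsoft.Storage/storageAccounts/blobServices/write",
     "properties": {"deleteRetentionPolicy": {"enabled": False}}},
    {"time": "2024-05-01T10:04:00Z", "callerIpAddress": "203.0.113.10", "resultType": "Success",
     "operationName": "Microsoft.Storage/storageAccounts/blobServices/containers/delete"},
    {"time": "2024-05-01T10:05:00Z", "callerIpAddress": "203.0.113.10", "resultType": "Success",
     "operationName": "Microsoft.Storage/storageAccounts/blobServices/containers/delete"},
    {"time": "2024-05-01T10:06:00Z", "callerIpAddress": "203.0.113.10", "resultType": "Failure",
     "operationName": "Microsoft.Storage/storageAccounts/delete"},
    {"time": "2024-05-01T10:10:00Z", "callerIpAddress": "203.0.113.10", "resultType": "Success",
     "operationName": "Microsoft.Storage/storageAccounts/delete"},
    # A second caller that re-enables soft delete and removes one container: benign.
    {"time": "2024-05-01T10:00:00Z", "callerIpAddress": "198.51.100.7", "resultType": "Success",
     "operationName": "Microsoft.Storage/storageAccounts/blobServices/write",
     "properties": {"deleteRetentionPolicy": {"enabled": True}}},
    {"time": "2024-05-01T10:03:00Z", "callerIpAddress": "198.51.100.7", "resultType": "Success",
     "operationName": "Microsoft.Storage/storageAccounts/blobServices/containers/delete"},
]

if __name__ == "__main__":
    for alert in detect_ransomware_sequence(SAMPLE_EVENTS):
        print(alert)
```

Only the first caller produces an alert: its lock deletion is followed by three successful deletions within ten minutes, while the failed storage account deletion is ignored. The second caller never satisfies stage 1, so its single container deletion is not correlated. Keying the window on the stage 1 timestamp per IP is what keeps unrelated administrators' deletions from being stitched to someone else's configuration change.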

Triage and response

  • Identify the source IP address {{@network.client.ip}} and the user(s) that performed the actions, and determine whether they are an authorized user or service principal.
  • Review the protection mechanisms that were disabled in the first stage and assess whether those changes were authorized.
  • Determine the criticality of the impacted storage accounts, containers, and blobs.