Azure Storage ransomware pattern - protection disabled followed by mass deletion

Goal

Detect a ransomware pattern where Azure Storage data protection mechanisms are disabled followed by deletion of storage resources.

Strategy

This rule uses sequence detection to correlate two stages of a potential ransomware attack against Azure Storage. The first stage identifies the disabling of data protection mechanisms, tracked by signals from the Azure Storage data protection settings disabled rule (def-000-i2h) or the Azure resource lock deleted rule (def-000-0b3). The second stage detects mass destructive operations: storage account deletion, container deletion, or blob deletion. The rule triggers when the second stage follows the first from the same source IP address. Removing recovery safeguards before deleting data is a hallmark of cloud ransomware operations, since it maximizes damage and prevents the victim from restoring from soft-deleted or versioned data.
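The correlation described above, written out as a small sequence detector run over constructed Azure activity-log style events. This is an added illustration, not the rule's own query or Datadog code: the operation names are real Azure resource-provider operations, but the one-hour window, the threshold of three destructive operations, the request-body field names used to recognise "protection turned off", and the sample events are all assumptions made for the example.

```python
"""Two-stage sequence detection for the Azure Storage ransomware pattern.

Stage 1: a data-protection mechanism is disabled (soft delete or versioning
turned off, or a resource lock deleted).
Stage 2: mass destructive operations (storage account, container or blob
deletion) from the SAME caller IP within a window after stage 1.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed window and threshold; the real rule's values are not on the page.
WINDOW = timedelta(hours=1)
MIN_DESTRUCTIVE_OPS = 3

LOCK_DELETE = "MICROSOFT.AUTHORIZATION/LOCKS/DELETE"
BLOB_SERVICE_WRITE = "MICROSOFT.STORAGE/STORAGEACCOUNTS/BLOBSERVICES/WRITE"
DESTRUCTIVE = {
    "MICROSOFT.STORAGE/STORAGEACCOUNTS/DELETE",
    "MICROSOFT.STORAGE/STORAGEACCOUNTS/BLOBSERVICES/CONTAINERS/DELETE",
    "DELETEBLOB",  # data-plane delete, surfaced via storage resource logs
}


def is_protection_disabled(event):
    """Stage-1 predicate: a lock was removed, or a blobServices write turned a
    retention/versioning feature off (request-body layout is assumed)."""
    op = event["operationName"].upper()
    if op == LOCK_DELETE:
        return True
    if op == BLOB_SERVICE_WRITE:
        body = event.get("requestBody", {})
        for key in ("deleteRetentionPolicy", "containerDeleteRetentionPolicy"):
            policy = body.get(key)
            if policy is not None and policy.get("enabled") is False:
                return True
        if body.get("isVersioningEnabled") is False:
            return True
    return False


def is_destructive(event):
    return event["operationName"].upper() in DESTRUCTIVE


def detect_ransomware_sequences(events):
    """Return one alert per caller IP whose earliest stage-1 event is followed,
    within WINDOW, by at least MIN_DESTRUCTIVE_OPS destructive operations."""
    events = sorted(events, key=lambda e: e["time"])
    first_stage1 = {}                      # ip -> time of earliest stage-1 event
    destructive_after = defaultdict(list)  # ip -> destructive events inside the window
    for ev in events:
        ip = ev["callerIpAddress"]
        if is_protection_disabled(ev):
            first_stage1.setdefault(ip, ev["time"])
        elif is_destructive(ev) and ip in first_stage1:
            if ev["time"] - first_stage1[ip] <= WINDOW:
                destructive_after[ip].append(ev)
    alerts = []
    for ip, start in first_stage1.items():
        ops = destructive_after[ip]
        if len(ops) >= MIN_DESTRUCTIVE_OPS:
            alerts.append({
                "ip": ip,
                "protection_disabled_at": start,
                "destructive_count": len(ops),
                "resources": [e["resourceId"] for e in ops],
            })
    return alerts


# Constructed sample events (not real logs). Resource IDs are shortened.
def _t(minute):
    return datetime(2024, 5, 1, 9, minute)


def _rid(suffix):
    return "/subscriptions/s1/resourceGroups/rg-prod/providers/Microsoft.Storage/storageAccounts/prodsa" + suffix


CONTAINER_DELETE = "MICROSOFT.STORAGE/STORAGEACCOUNTS/BLOBSERVICES/CONTAINERS/DELETE"
SAMPLE_EVENTS = [
    # 203.0.113.10: lock removed, soft delete turned off, then mass deletion
    {"time": _t(0), "callerIpAddress": "203.0.113.10", "operationName": LOCK_DELETE,
     "resourceId": _rid("/providers/Microsoft.Authorization/locks/nodelete")},
    {"time": _t(1), "callerIpAddress": "203.0.113.10", "operationName": BLOB_SERVICE_WRITE,
     "requestBody": {"deleteRetentionPolicy": {"enabled": False}},
     "resourceId": _rid("/blobServices/default")},
    {"time": _t(5), "callerIpAddress": "203.0.113.10", "operationName": CONTAINER_DELETE,
     "resourceId": _rid("/blobServices/default/containers/backups")},
    {"time": _t(6), "callerIpAddress": "203.0.113.10", "operationName": CONTAINER_DELETE,
     "resourceId": _rid("/blobServices/default/containers/invoices")},
    {"time": _t(7), "callerIpAddress": "203.0.113.10", "operationName": CONTAINER_DELETE,
     "resourceId": _rid("/blobServices/default/containers/exports")},
    {"time": _t(8), "callerIpAddress": "203.0.113.10",
     "operationName": "MICROSOFT.STORAGE/STORAGEACCOUNTS/DELETE", "resourceId": _rid("")},
    # 198.51.100.7: routine retention change that keeps soft delete ON, one container delete
    {"time": _t(10), "callerIpAddress": "198.51.100.7", "operationName": BLOB_SERVICE_WRITE,
     "requestBody": {"deleteRetentionPolicy": {"enabled": True, "days": 14}},
     "resourceId": _rid("/blobServices/default")},
    {"time": _t(12), "callerIpAddress": "198.51.100.7", "operationName": CONTAINER_DELETE,
     "resourceId": _rid("/blobServices/default/containers/tmp")},
    # 192.0.2.5: lock deleted, but only a single container removed afterwards
    {"time": _t(20), "callerIpAddress": "192.0.2.5", "operationName": LOCK_DELETE,
     "resourceId": _rid("/providers/Microsoft.Authorization/locks/nodelete")},
    {"time": _t(25), "callerIpAddress": "192.0.2.5", "operationName": CONTAINER_DELETE,
     "resourceId": _rid("/blobServices/default/containers/scratch")},
]

if __name__ == "__main__":
    for alert in detect_ransomware_sequences(SAMPLE_EVENTS):
        print(alert["ip"], alert["destructive_count"], alert["resources"])
```

Only 203.0.113.10 fires: 198.51.100.7 never disabled protection (its blobServices write kept soft delete enabled), and 192.0.2.5 removed a lock but did not follow it with enough deletions. A stage-1 write is recognised only when the request body actually turns a retention or versioning feature off, which is what keeps routine retention-period tuning out of the first stage.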

Triage and response

  • Identify the source IP address {{@network.client.ip}} and the user(s) or service principal(s) that conducted the actions, and determine whether they were authorized to do so.
  • Review the protection mechanisms that were disabled in the first stage (soft delete, versioning, or resource locks) and assess whether those changes were authorized.
  • Determine the criticality of the impacted storage accounts, containers, and blobs, and whether any of the deleted data can still be recovered.