---
title: >-
  Azure Storage ransomware pattern - protection disabled followed by mass
  deletion
description: Datadog, the leading service for cloud-scale monitoring.
---

# Azure Storage ransomware pattern - protection disabled followed by mass deletion

Classification: attack

Tactic: [TA0005-defense-evasion](https://attack.mitre.org/tactics/TA0005)

Technique: [T1562-impair-defenses](https://attack.mitre.org/techniques/T1562)

## Goal{% #goal %}

Detect a ransomware pattern where Azure Storage data protection mechanisms are disabled followed by deletion of storage resources.

## Strategy{% #strategy %}

This rule uses sequence detection to correlate two stages of a potential ransomware attack against Azure Storage. The first stage identifies the disabling of data protection mechanisms, tracked by signals from the `Azure Storage data protection settings disabled` rule (`def-000-i2h`) or the `Azure resource lock deleted` rule (`def-000-0b3`). The second stage detects mass destructive operations including storage account deletion, container deletion, or blob deletion. The rule triggers when both stages occur from the same IP address, a hallmark of cloud ransomware operations designed to maximize damage and prevent recovery.
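
A minimal sketch of the two-stage correlation described above, added here as an illustration and not Datadog's rule logic. The record shape, the operation labels, the one-hour window, and the threshold of three deletions are assumptions; only the two rule IDs come from this page.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Rule IDs named on the page; a signal from either one counts as stage one.
STAGE_ONE_RULES = {"def-000-i2h", "def-000-0b3"}
# Assumed labels for the destructive operations the page lists.
STAGE_TWO_OPS = {"storage_account_delete", "container_delete", "blob_delete"}
WINDOW = timedelta(hours=1)  # assumed correlation window
MASS_THRESHOLD = 3           # assumed count that qualifies as "mass" deletion


def correlate(records):
    """Return {ip: (stage_one_time, deletion_count)} for IPs completing the sequence."""
    stage_one = {}                 # ip -> time of the open protection-disabled signal
    deletions = defaultdict(int)   # ip -> deletions seen since that signal
    hits = {}
    for rec in sorted(records, key=lambda r: r["ts"]):
        ip, ts = rec["ip"], rec["ts"]
        expired = ip in stage_one and ts - stage_one[ip] > WINDOW
        if expired:  # too late to tie this activity to the earlier signal
            del stage_one[ip]
            deletions[ip] = 0
        if rec.get("rule_id") in STAGE_ONE_RULES:
            stage_one.setdefault(ip, ts)  # keep the earliest open signal
        elif rec.get("op") in STAGE_TWO_OPS and ip in stage_one:
            deletions[ip] += 1
            if deletions[ip] >= MASS_THRESHOLD:
                hits[ip] = (stage_one[ip], deletions[ip])
    return hits


def at(minute):
    return datetime(2024, 1, 1, 12, 0) + timedelta(minutes=minute)


SAMPLE = [  # constructed records; IPs are from documentation ranges
    {"ts": at(0), "ip": "203.0.113.10", "rule_id": "def-000-0b3"},
    {"ts": at(2), "ip": "203.0.113.10", "op": "container_delete"},
    {"ts": at(3), "ip": "203.0.113.10", "op": "blob_delete"},
    {"ts": at(4), "ip": "203.0.113.10", "op": "blob_delete"},
    {"ts": at(5), "ip": "198.51.100.7", "op": "blob_delete"},   # no stage one
    {"ts": at(6), "ip": "198.51.100.7", "op": "blob_delete"},
    {"ts": at(7), "ip": "198.51.100.7", "op": "blob_delete"},
    {"ts": at(1), "ip": "192.0.2.44", "rule_id": "def-000-i2h"},
    {"ts": at(90), "ip": "192.0.2.44", "op": "blob_delete"},    # outside window
]

if __name__ == "__main__":
    print(correlate(SAMPLE))
```

Only `203.0.113.10` completes the sequence in the sample: the second IP deletes without a preceding protection change, and the third IP's deletion falls outside the assumed window.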

## Triage and response{% #triage-and-response %}

- Identify the source IP address `{{@network.client.ip}}` and user(s) that conducted the actions, and determine if they are an authorized user or service principal.
- Review the protection mechanisms that were disabled in the first stage and assess whether those changes were authorized.
- Determine the criticality of the impacted storage accounts, containers, and blobs.
