Azure Storage Ransomware Protection

What can you do to protect yourself?

It is important to take preventative measures to protect your company from ransomware attacks.

Your on-premises exposure can be reduced by migrating your company to a cloud service. Microsoft invested in security tools that make Microsoft Azure more resilient to ransomware attacks. This also helps organizations overcome ransomware attack methods. The Human Operated Ransomware Mitigation Project Plan PowerPoint presentation provides a complete overview of ransomware, extortion, and how to protect your company.

It is normal to assume that you will be the victim of a ransomware attack at some point. You can protect your data by having a backup plan and a restore plan. Ransomware attackers have spent a lot of money on neutralizing backup apps and operating system features such as volume shadow copy. It is crucial to have backups that are not accessible to malicious attackers.

Azure Backup

Azure backup offers security for your backup environment while data is in transit or at rest. Azure Backup allows to back up.

  • Files, folders, system state, and other information on-premises
  • Entire Windows/Linux VMs
  • Azure Managed Disks
  • Azure file shares to storage accounts
  • SQL Server databases running on Azure VMs

Azure storage stores the backup data and guests or attackers have no access to it. Azure fabric creates and stores backup snapshots for virtual machines. The guest or attacker only has to assist with the workload for consistent backups. The backup extension can temporarily access specific blobs with SQL and SAP HANA. This ensures that existing backups are not altered or deleted even in compromised environments.

Azure Backup has built-in alerting and monitoring capabilities that allow you to see and set up actions for Azure Backup events. Backup Reports are a single-stop solution for monitoring usage, auditing backups and restoring them, and identifying key trends at various levels of granularity. Azure Backup’s monitoring tools and reporting tools will alert you immediately to suspicious or malicious activity.

To ensure that only authorized users can perform certain operations, checks have been implemented. This includes adding a layer of authentication. To add a layer of security to critical operations, you will be asked to enter a security pin before editing online backups.

Find out more about the security options that are built into Azure Backup.

Validate backups

Before you restore, verify that your backup has been created. A Recovery Services vault is a storage unit in Azure that stores data. The data includes copies of data or configuration information for virtual machines, workloads, servers, or workstations. Recovery Services vaults can be used to store backup data for different Azure services, such as IaaS (Linux/Windows) and Azure SQL databases. Recovery Services vaults allow you to easily organize your backup data and offer features such as:

  • You can now secure your backups and recover data even if the production or backup servers are compromised. Learn more.
  • A central portal allows you to monitor your hybrid IT environment (Azure PaaS VMs, on-premises assets), from one place. Learn more.
  • Compatibility with Azure role-based access control (Azure RBAC), which restricts backup/restore access to a set of user roles. Azure RBAC has many roles. Azure Backup comes with three roles that can be used to manage recovery points. Learn more.
  • Soft delete protection is available even if an attacker deletes a backup or accidentally deletes backup data. The backup data is kept for an additional 14 days to allow the recovery of any backup item without data loss. Learn more.
  • Cross-Region Restore allows you to restore Azure virtual machines in another region. This is called an Azure paired area. The secondary region can be restored at any time. This allows you to restore secondary region data during audit compliance and outage situations without having to wait for Azure to declare disaster (unlike GRS settings for the vault). Learn more.


Azure Backup offers two types of vaults. There are two types of vaults in Azure Backup. One is the Recovery Services vaults. The other is the Backup vaults which house data for newer workloads that Azure Backup supports.

How to prepare for an attack

As we have said, ransomware attacks can happen at any time. You can quickly get back on track by identifying your most critical business systems and following best practices before an attack.

Decide what is most important for you

Ransomware attacks can occur while you’re planning for one. Your priority should be to identify and start performing backups of the most critical business systems.

According to our experience, these are the five most important customer applications.

  • Identity systems – Required for users to access any system (including all those described below), such as Active Directory and Azure ADConnect, AD domain controllers.
  • Human life is any system that protects or puts at risk human life, such as safety systems (ambulances, dispatch systems, and traffic light control), medical or life support systems or safety systems (ambulances, dispatch systems, traffic lights control), large machinery, chemical/biological equipment, food production or personal products, etc.
  • Financial systems – Systems that process monetary transactions, keep the business running and include payment systems, related databases, and financial systems for quarterly reporting
  • Product or service enablement: Any system that is required to deliver the services your customers have paid you for or produce/deliver products. Factory control systems, product delivery/dispatch, and similar systems are all examples.
  • Security (minimum security) – It is important to prioritize security systems that can be used to detect attacks and provide minimal security services. You should ensure that current or easy opportunistic attacks are not able to gain access to your restored systems.

Your prioritized backup list becomes your prioritized restoration list. After you have identified your critical systems and performed regular backups, take steps to reduce exposure.

Before an attack, steps to take

These are the best practices to follow before you launch an attack.

Task Detail
You should first identify the most important systems you want to bring back online (using the top five categories). Then, immediately start performing regular backups of these systems. You can get back on the road as soon as possible following an attack by determining what is most important.
Move your company to the cloud.

To help you move to the cloud, consider purchasing a Microsoft Unified Support Plan or working with a Microsoft Partner.

Move your data to cloud services and reduce on-premises exposure. Microsoft Azure offers a wide range of tools that will help you back up your business-critical systems faster and restore backups quicker.

Microsoft Unified Support provides cloud services support that can be accessed whenever you need it. Unified Support

This team is available to assist with critical incidents escalating and problem resolution 24×7

Monitors the health of your IT environment. Prevents problems from happening.

To take advantage of versioning, and recycle bin capabilities, move user data to cloud solutions such as OneDrive or SharePoint.

To reduce the time and costs of recovering files, educate users. If a user’s OneDrive files are infected with malware, they can recover their entire OneDrive.

Before users can restore their files, consider a defense strategy such as Microsoft 365 Defender.

Microsoft cloud users can be protected with built-in security features and data management tools.

While it’s great to show users how to recover their files, you must be sure that they don’t restore any malware used in the attack. It is important to:

Make sure your users do not restore their files until you’re certain that the attacker has been removed

In case the user decides to restore malware, make sure you have a mitigation plan.

Microsoft 365 Defender uses AI to automate remediation and playbooks to restore impacted assets to a secure condition. Microsoft 365 Defender uses the suite’s automatic remediation capabilities to automatically resolve any incident-related assets.

Implement Azure Security Benchmark. Azure Security Benchmark is Azure’s security control framework. It is based on industry-based security controls frameworks like NIST SP800-553 and CIS Controls v7.1. It gives organizations guidance on how to set up Azure services and security controls. See Recovery.
Your business continuity/disaster relief (BC/DR), the plan should be followed.

Simulate incident response scenarios. You should plan and conduct exercises to prepare for an attack around your backup and restore priorities.

To ensure that your BC/DR can quickly bring critical business operations online, you should regularly test the ‘Recover From Zero’ scenario (all systems down).

It ensures rapid business recovery by treating ransomware and extortion attacks with the same importance that a natural catastrophe.

To validate cross-team processes, technical procedures, and out-of-band employee and customer communications (assume that all email and chat are down), conduct practice exercise(s).

To identify possible risks and to plan how you will mitigate them through preventative actions and controls, create a risk registry. Ransomware is a high-impact and likely scenario that can be added to the risk register. You can use a risk register to help you prioritize risks. It will allow you to determine the likelihood of the risk occurring and how severe it would be for your business.

Track mitigation status via Enterprise Ris