Azure Blob Storage ransomware through Customer-Provided Encryption Keys

Platform: Azure

Mappings

  • MITRE ATT&CK
    • Impact

Description

Simulates Azure Blob Storage ransomware activity that encrypts files using Customer-Provided Encryption Keys (CPK). This is the Azure equivalent of the AWS SSE-C ransomware technique. The attacker downloads existing blobs and re-uploads them encrypted with a customer-provided AES-256 key that only they possess. Without the key, the blobs cannot be read.

Warm-up:

  • Create an Azure Storage Account
  • Create multiple storage containers in the account
  • Create a number of blobs in the containers with random content and file extensions

Detonation:

  • Download all blobs
  • Re-upload each blob encrypted with a customer-provided AES-256 key
  • Upload a ransom note

References:

Instructions

Detonate with Stratus Red Team
stratus detonate azure.impact.blob-ransomware-cpek

Detection

You can detect this ransomware activity by monitoring for high volumes of GetBlob followed by PutBlob operations, especially when PutBlob requests include customer-provided encryption key headers (x-ms-encryption-algorithm: AES256).

In Azure Storage diagnostic logs, look for:

  1. Unusual volume of read (GetBlob) followed by write (PutBlob) operations on the same blobs.
  2. PutBlob operations with the x-ms-encryption-algorithm request header set to AES256, indicating customer-provided key usage.

Sample Azure Storage diagnostic log event for a PutBlob with customer-provided key:

{
  "time": "2024-01-01T00:00:00.0000000Z",
  "operationName": "PutBlob",
  "category": "StorageWrite",
  "statusCode": 201,
  "properties": {
    "accountName": "<storage-account-name>",
    "userAgentHeader": "azsdk-go-azblob/v1.6.3",
    "serviceType": "blob"
  }
}
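The two log signals above (reads followed by customer-provided-key writes on the same blobs, and the AES256 CPK header on PutBlob) can be turned into a simple detector. The following is an added example, not Stratus Red Team's code or part of the page above. The log lines it parses are constructed; `properties.objectKey` and `properties.cpkAlgorithm` are assumptions standing in for wherever your pipeline surfaces the blob path and the `x-ms-encryption-algorithm` request header, so map them to your own schema before use.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample of Azure Storage diagnostic log events (not real telemetry).
# "time", "operationName", "category", "statusCode", "callerIpAddress" and
# "properties.accountName" follow the shape of the sample event on the page;
# "properties.objectKey" (blob path) and "properties.cpkAlgorithm" (the value of
# the x-ms-encryption-algorithm request header) are ASSUMED field names.
SAMPLE_LOG = r"""
{"time": "2024-01-01T10:00:01.0000000Z", "operationName": "GetBlob", "category": "StorageRead", "statusCode": 200, "callerIpAddress": "198.51.100.7", "properties": {"accountName": "victimstorage", "objectKey": "/victimstorage/docs/q1-report.docx"}}
{"time": "2024-01-01T10:00:02.0000000Z", "operationName": "GetBlob", "category": "StorageRead", "statusCode": 200, "callerIpAddress": "198.51.100.7", "properties": {"accountName": "victimstorage", "objectKey": "/victimstorage/docs/budget.xlsx"}}
{"time": "2024-01-01T10:00:03.0000000Z", "operationName": "GetBlob", "category": "StorageRead", "statusCode": 200, "callerIpAddress": "198.51.100.7", "properties": {"accountName": "victimstorage", "objectKey": "/victimstorage/docs/notes.txt"}}
{"time": "2024-01-01T10:00:10.0000000Z", "operationName": "PutBlob", "category": "StorageWrite", "statusCode": 201, "callerIpAddress": "198.51.100.7", "properties": {"accountName": "victimstorage", "objectKey": "/victimstorage/docs/q1-report.docx", "cpkAlgorithm": "AES256"}}
{"time": "2024-01-01T10:00:11.0000000Z", "operationName": "PutBlob", "category": "StorageWrite", "statusCode": 201, "callerIpAddress": "198.51.100.7", "properties": {"accountName": "victimstorage", "objectKey": "/victimstorage/docs/budget.xlsx", "cpkAlgorithm": "AES256"}}
{"time": "2024-01-01T10:00:12.0000000Z", "operationName": "PutBlob", "category": "StorageWrite", "statusCode": 201, "callerIpAddress": "198.51.100.7", "properties": {"accountName": "victimstorage", "objectKey": "/victimstorage/docs/notes.txt", "cpkAlgorithm": "AES256"}}
{"time": "2024-01-01T10:00:13.0000000Z", "operationName": "PutBlob", "category": "StorageWrite", "statusCode": 201, "callerIpAddress": "198.51.100.7", "properties": {"accountName": "victimstorage", "objectKey": "/victimstorage/docs/RANSOM_NOTE.txt", "cpkAlgorithm": "AES256"}}
{"time": "2024-01-01T10:05:00.0000000Z", "operationName": "GetBlob", "category": "StorageRead", "statusCode": 200, "callerIpAddress": "203.0.113.5", "properties": {"accountName": "victimstorage", "objectKey": "/victimstorage/docs/budget.xlsx"}}
{"time": "2024-01-01T10:06:00.0000000Z", "operationName": "PutBlob", "category": "StorageWrite", "statusCode": 201, "callerIpAddress": "203.0.113.5", "properties": {"accountName": "victimstorage", "objectKey": "/victimstorage/docs/new-file.txt"}}
"""


def parse_events(text):
    """Parse newline-delimited JSON events and attach a UTC datetime as '_ts'.

    The fractional part of "time" is ignored because the 7-digit precision used
    by Azure is not accepted by every datetime parser.
    """
    events = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["_ts"] = datetime.strptime(ev["time"][:19], "%Y-%m-%dT%H:%M:%S").replace(
            tzinfo=timezone.utc
        )
        events.append(ev)
    return sorted(events, key=lambda e: e["_ts"])


def is_cpk_write(ev):
    """True for a PutBlob that carried a customer-provided AES-256 key (assumed field)."""
    return (
        ev.get("operationName") == "PutBlob"
        and ev.get("properties", {}).get("cpkAlgorithm") == "AES256"
    )


def detect_cpk_ransomware(events, min_rewrites=3, window=timedelta(minutes=15)):
    """Flag callers that re-upload at least `min_rewrites` blobs with a
    customer-provided key within `window` of having read the same blobs.

    Returns a list of findings, one per caller, each with the blobs that were
    read-then-rewritten and the total number of CPK writes (the ransom note
    counts as a CPK write without a preceding read).
    """
    last_read = {}                  # (caller, objectKey) -> time of last successful GetBlob
    rewrites = defaultdict(list)    # caller -> [objectKey, ...] read-then-CPK-written
    cpk_writes = defaultdict(int)   # caller -> number of CPK PutBlob calls

    for ev in events:
        caller = ev.get("callerIpAddress", "unknown")
        key = ev.get("properties", {}).get("objectKey")
        if key is None:
            continue
        if ev.get("operationName") == "GetBlob" and ev.get("statusCode") == 200:
            last_read[(caller, key)] = ev["_ts"]
        elif is_cpk_write(ev):
            cpk_writes[caller] += 1
            read_at = last_read.get((caller, key))
            if read_at is not None and ev["_ts"] - read_at <= window:
                rewrites[caller].append(key)

    findings = []
    for caller, keys in rewrites.items():
        if len(keys) >= min_rewrites:
            findings.append(
                {"caller": caller, "rewritten_blobs": sorted(keys), "cpk_writes": cpk_writes[caller]}
            )
    return findings


if __name__ == "__main__":
    for finding in detect_cpk_ransomware(parse_events(SAMPLE_LOG)):
        print(json.dumps(finding, indent=2))
```

On the constructed sample, the caller at 198.51.100.7 is reported with three read-then-rewritten blobs and four CPK writes, while the second caller, who reads one blob and writes an unrelated one without a customer-provided key, produces no finding. Tune `min_rewrites` and `window` to the normal read/write cadence of the account; legitimate CPK use is rare enough in most environments that any CPK PutBlob is worth a lower-severity alert on its own.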