Azure ransomware via Storage Account Blob deletion
Platform: Azure
Mappings
- MITRE ATT&CK
- Impact
Description
Simulates Azure Storage ransomware activity that empties a storage account through individual Blob deletion, then uploads a ransom note.
Warm-up:
- Create an Azure Storage Account, with versioning enabled
- Create Storage Containers in the Storage Account, each with a large number of blobs with random content and extensions
Detonation:
- List all available storage containers in the storage account, together with their blobs and blob versions
- Delete all blobs in each container one by one, using DeleteBlob
- List and delete all blobs again to delete any backups created by versioning
- Upload a ransom note to the storage account
Note: The attack does not need to disable versioning, which does not protect against ransomware. This attack removes all versions of the blobs in the storage account.
References:
- Storm-0501's evolving techniques lead to cloud-based ransomware
- Inside the attack chain: threat activity targeting Azure Blob Storage
Instructions
stratus detonate azure.impact.blob-ransomware-individual-file-deletion
Detection
You can detect ransomware activity by identifying abnormal patterns of blobs being downloaded or deleted in a storage account. In general, this can be done through Blob storage events. Blob storage events are resource logs, which require configuring diagnostic settings to enable.
Sample Blob storage event for a DeleteBlob operation, shortened for readability:
{
  "operationName": "DeleteBlob",
  "category": "StorageDelete",
  "properties": {
    "accountName": "my-storage-account",
    "objectKey": "/my-storage-account/storage-container/somefolder/foo.bar"
  },
  "resourceId": "/subscriptions/ac382a89-52bf-4923-8abd-f1e4791cd48f/resourceGroups/my-resource-group/providers/Microsoft.Storage/storageAccounts/my-storage-account/blobServices/default"
}
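The following is an added detection example, not part of the Stratus Red Team technique page or its code. It applies the "abnormal pattern of deletions" idea from the Detection section to Blob storage resource-log events in the shape of the DeleteBlob sample above: it keeps a sliding window of DeleteBlob calls per (storage account, caller IP) and raises an alert when the count in the window reaches a threshold, then raises a second alert if the same caller writes a blob after the burst, which matches the "empty the account, then upload a ransom note" sequence of this technique. The `time` and `callerIpAddress` fields, the `PutBlob` operation name with its `StorageWrite` category, the thresholds, and all log lines are assumptions constructed for the example; the subscription id in the `resourceId` is a placeholder.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed thresholds: tune them against the normal deletion rate of your own accounts.
DELETE_THRESHOLD = 5           # DeleteBlob calls from one caller within WINDOW
WINDOW = timedelta(seconds=60)


def _event(ts, op, key, ip, account="my-storage-account"):
    # Builds one constructed log line in the shape of the page's DeleteBlob sample.
    # "time", "callerIpAddress" and the PutBlob/StorageWrite pair are assumed fields.
    category = {"DeleteBlob": "StorageDelete", "PutBlob": "StorageWrite"}[op]
    return json.dumps({
        "time": ts,
        "operationName": op,
        "category": category,
        "callerIpAddress": ip,
        "properties": {
            "accountName": account,
            "objectKey": f"/{account}/storage-container/{key}",
        },
        "resourceId": "/subscriptions/<subscription-id>/resourceGroups/my-resource-group"
                      "/providers/Microsoft.Storage/storageAccounts/" + account + "/blobServices/default",
    })


# Constructed sample log: one routine delete by another caller, then a burst of
# deletes from a single IP followed by an upload (the ransom-note pattern).
SAMPLE_LOG = [
    _event("2024-01-01T10:00:00Z", "DeleteBlob", "old-report.pdf", "203.0.113.9"),
    _event("2024-01-01T10:00:01Z", "DeleteBlob", "file1.docx", "198.51.100.7"),
    _event("2024-01-01T10:00:02Z", "DeleteBlob", "file2.xlsx", "198.51.100.7"),
    _event("2024-01-01T10:00:03Z", "DeleteBlob", "file3.jpg", "198.51.100.7"),
    _event("2024-01-01T10:00:04Z", "DeleteBlob", "file4.txt", "198.51.100.7"),
    _event("2024-01-01T10:00:05Z", "DeleteBlob", "file5.png", "198.51.100.7"),
    _event("2024-01-01T10:00:06Z", "DeleteBlob", "file6.csv", "198.51.100.7"),
    _event("2024-01-01T10:00:07Z", "PutBlob", "FILES-ENCRYPTED-README.txt", "198.51.100.7"),
]


def parse_event(line):
    """Extract the fields the detection needs from one JSON resource-log line."""
    ev = json.loads(line)
    return {
        "time": datetime.fromisoformat(ev["time"].replace("Z", "+00:00")),
        "operationName": ev["operationName"],
        "account": ev["properties"]["accountName"],
        "objectKey": ev["properties"].get("objectKey", ""),
        "callerIp": ev.get("callerIpAddress", "unknown"),
    }


def detect_mass_deletion(lines, threshold=DELETE_THRESHOLD, window=WINDOW):
    """Return a list of alerts for lines (time-ordered JSON log lines).

    One "mass_blob_deletion" alert per (account, caller IP) whose DeleteBlob
    count inside the sliding window reaches the threshold, and one
    "write_after_mass_deletion" alert for each blob write by that caller
    after its burst.
    """
    windows = defaultdict(deque)   # (account, callerIp) -> timestamps of recent deletes
    burst_seen = set()
    alerts = []
    for line in lines:
        ev = parse_event(line)
        key = (ev["account"], ev["callerIp"])
        if ev["operationName"] == "DeleteBlob":
            recent = windows[key]
            recent.append(ev["time"])
            while recent and ev["time"] - recent[0] > window:
                recent.popleft()
            if len(recent) >= threshold and key not in burst_seen:
                burst_seen.add(key)
                alerts.append({
                    "type": "mass_blob_deletion",
                    "account": ev["account"],
                    "callerIp": ev["callerIp"],
                    "deletes_in_window": len(recent),
                    "last_object": ev["objectKey"],
                })
        elif ev["operationName"] == "PutBlob" and key in burst_seen:
            alerts.append({
                "type": "write_after_mass_deletion",
                "account": ev["account"],
                "callerIp": ev["callerIp"],
                "object": ev["objectKey"],
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_mass_deletion(SAMPLE_LOG):
        print(json.dumps(alert))
```

Keying the window on caller IP is a simplification; in production you would key on the requesting identity as well, and feed the same logic from the StorageBlobLogs table once the diagnostic setting the page mentions is routed to a Log Analytics workspace. Deletions of blob versions arrive as the same DeleteBlob operation, so a burst that covers the second pass of this technique (removing the versions) is counted by the same rule.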