
Unexpected Azure API calls indicating Backup Vault deletion

ID: azure_backup_vault_deleted_anomaly
Data type: Azure Activity
Severity: Informational - Medium
MITRE ATT&CK: TA0040:T1490

Description

AlphaSOC detected deletion of an Azure Backup vault. Backup vaults store backup data and recovery points for Azure resources. Deleting backup vaults is a common tactic used by ransomware operators to prevent victims from restoring data without paying the ransom.

Impact

Deleting backup vaults eliminates the ability to restore data from backups, potentially causing permanent data loss. This is particularly severe in ransomware scenarios where backups are the primary recovery mechanism. Loss of backup infrastructure can result in extended downtime and significant recovery costs.

Severity

Severity      | Condition
Informational | Unexpected action, ASN, user agent or region
Low           | Two unexpected properties at the same time
Medium        | Three unexpected properties at the same time

Investigation and Remediation

Review Azure Activity logs for the Microsoft.DataProtection/BackupVaults/delete action. Identify the deleted vault and the principal responsible. Assess what backup data and recovery points were lost.

If unauthorized, immediately investigate for signs of ransomware or other destructive attacks. Check for soft-deleted backups that may be recoverable (soft delete only helps if it was enabled on the vault before the deletion). Rotate credentials for the compromised identity and implement RBAC policies to restrict backup vault deletion. Consider enabling soft delete and immutable vaults for critical backups.
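As an added triage example (not AlphaSOC's own code or scoring logic), the script below reads constructed Azure Activity records as newline-delimited JSON, keeps successful Microsoft.DataProtection/BackupVaults/delete events, and applies the severity table above by counting how many of action, ASN, user agent and region are unexpected for the calling principal. It assumes a simplified record layout in which the ASN and region have already been enriched from the caller IP, and uses a constructed baseline with placeholder principal, ASN and region values.

```python
import json

DELETE_OP = "Microsoft.DataProtection/BackupVaults/delete"
# Severity table from this page: 1 unexpected property -> Informational,
# 2 -> Low, 3 or more -> Medium (0: the deletion itself looks routine).
SEVERITY_BY_COUNT = {0: None, 1: "Informational", 2: "Low"}

# Constructed per-principal baseline of previously seen properties (a real
# deployment learns this from history; AS64500 is a documentation ASN).
BASELINE = {"backup-admin@example.com": {
    "action": {"Microsoft.DataProtection/BackupVaults/write"},
    "asn": {"AS64500"}, "user_agent": {"AzurePortal"}, "region": {"westeurope"}}}
PROPERTIES = {"action": "operationName", "asn": "asn",
              "user_agent": "userAgent", "region": "region"}

def unexpected_properties(event, baseline):
    """Names of the event's action/ASN/user agent/region absent from the baseline."""
    seen = baseline.get(event["caller"], {})
    return [name for name, field in PROPERTIES.items()
            if event[field] not in seen.get(name, ())]

def score_event(event, baseline=BASELINE):
    """(severity, unexpected properties) for a successful vault deletion, else None."""
    if event["operationName"] != DELETE_OP or event["status"] != "Succeeded":
        return None
    unexpected = unexpected_properties(event, baseline)
    return SEVERITY_BY_COUNT.get(len(unexpected), "Medium"), unexpected

def triage(ndjson_text, baseline=BASELINE):
    """Score each newline-delimited JSON record; keep only scored deletions."""
    findings = []
    for line in filter(str.strip, ndjson_text.splitlines()):
        event = json.loads(line)
        result = score_event(event, baseline)
        if result is not None:
            findings.append((event["resourceId"], event["caller"], *result))
    return findings

# Constructed sample records using a simplified subset of Activity log fields:
# 'asn' and 'region' stand in for values enriched from the caller IP, and
# 'userAgent' for the user agent carried in the request claims.
def make_record(op, vault, asn, ua, region):
    return {"operationName": op, "status": "Succeeded", "caller": "backup-admin@example.com",
            "resourceId": f"/subscriptions/SUB-PLACEHOLDER/resourceGroups/rg-prod/providers/Microsoft.DataProtection/backupVaults/{vault}",
            "asn": asn, "userAgent": ua, "region": region}

SAMPLE_LOG = "\n".join(json.dumps(r) for r in [
    make_record(DELETE_OP, "bv-prod", "AS64500", "AzurePortal", "westeurope"),
    make_record(DELETE_OP, "bv-finance", "AS64501", "python-requests/2.31", "southeastasia"),
    make_record("Microsoft.DataProtection/BackupVaults/read", "bv-prod", "AS64500", "AzurePortal", "westeurope"),
])
```

Running `triage(SAMPLE_LOG)` scores the portal deletion from a known ASN and region as Informational (only the action is new) and the deletion via an unfamiliar client, ASN and region as Medium, while the read event is dropped.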

Known False Positives

  • Planned decommissioning of backup infrastructure
  • Migration to new backup solutions
  • Cleanup of test environments