Unexpected Azure API calls indicating restore point collection deletion

ID: azure_compute_restore_point_deleted_anomaly
Data type: Azure Activity
Severity: Low - Medium
MITRE ATT&CK: TA0040:T1485

Description

AlphaSOC detected deletion of an Azure Compute restore point collection via Microsoft.Compute/restorePointCollections/delete. Restore point collections contain recovery points for virtual machines, enabling point-in-time restoration.

Deleting restore point collections is a technique used by ransomware operators to prevent recovery without paying ransom. By eliminating backup and recovery options, attackers maximize the impact of destructive attacks.

Impact

Deletion of restore point collections eliminates the ability to recover virtual machines to previous states. This is particularly devastating in ransomware scenarios where VMs are encrypted and recovery options are systematically destroyed. Organizations may face extended downtime and data loss.

Severity

Severity | Condition
Low      | Unexpected action or ASN
Medium   | Two unexpected properties at the same time

Investigation and Remediation

Review Azure Activity logs to identify who deleted the restore point collection and which VMs were affected. Check for other backup deletions or destructive activities that may indicate a ransomware attack in progress.

If unauthorized, immediately investigate for signs of ransomware or destructive malware. Protect remaining backups by restricting access. Check if Azure Backup vaults or other recovery options remain available. Implement RBAC policies to restrict restore point deletion and consider enabling resource locks on critical recovery resources.
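To show how the review step and the severity table above fit together, here is an added example (not AlphaSOC's code) that triages constructed Azure Activity log records: it keeps only successful Microsoft.Compute/restorePointCollections/delete operations, compares the caller's action and ASN against a constructed per-principal baseline, and rates one unexpected property as Low and two as Medium. The IP-to-ASN table is an assumed lookup; the record fields follow the Activity log schema but the values are constructed.

```python
"""Triage Azure Activity log records for restore point collection deletions.
Added example, not AlphaSOC's code; records, baseline and ASN table are constructed."""
DELETE_OP = "microsoft.compute/restorepointcollections/delete"

# Constructed baseline: actions and ASNs each principal has used before.
BASELINE = {"backup-automation@example.com": {
    "actions": {"microsoft.compute/restorepointcollections/write"}, "asns": {8075}}}
# Assumed IP-to-ASN lookup (constructed values, stands in for a GeoIP/ASN feed).
IP_TO_ASN = {"20.50.1.10": 8075, "198.51.100.7": 64500}

# Constructed Activity log records using a subset of the real schema fields.
RPC = "/subscriptions/0000/resourceGroups/rg-prod/providers/Microsoft.Compute/restorePointCollections/"
SAMPLE_RECORDS = [
    {"time": "2024-05-01T02:00:00Z", "operationName": "MICROSOFT.COMPUTE/RESTOREPOINTCOLLECTIONS/DELETE",
     "caller": "backup-automation@example.com", "callerIpAddress": "20.50.1.10",
     "resourceId": RPC + "rpc-vm01", "resultType": "Success"},
    {"time": "2024-05-01T02:05:00Z", "operationName": "MICROSOFT.COMPUTE/RESTOREPOINTCOLLECTIONS/DELETE",
     "caller": "backup-automation@example.com", "callerIpAddress": "198.51.100.7",
     "resourceId": RPC + "rpc-vm02", "resultType": "Success"},
    {"time": "2024-05-01T02:06:00Z", "operationName": "MICROSOFT.COMPUTE/RESTOREPOINTCOLLECTIONS/DELETE",
     "caller": "backup-automation@example.com", "callerIpAddress": "198.51.100.7",
     "resourceId": RPC + "rpc-vm03", "resultType": "Failure"},
]

def score(record, baseline):
    """Return (severity, reasons) for a successful delete; None if out of scope."""
    if record["operationName"].lower() != DELETE_OP or record.get("resultType") != "Success":
        return None
    known = baseline.get(record["caller"], {"actions": set(), "asns": set()})
    reasons = []
    if DELETE_OP not in known["actions"]:
        reasons.append("action not previously used by caller")
    asn = IP_TO_ASN.get(record["callerIpAddress"])
    if asn not in known["asns"]:
        reasons.append(f"caller ASN {asn} not previously seen")
    # One unexpected property -> Low, two at the same time -> Medium.
    severity = {0: None, 1: "Low", 2: "Medium"}[len(reasons)]
    return severity, reasons

def triage(records, baseline=BASELINE):
    """Collect alerts with the deleted collection name so an analyst can map it to VMs."""
    alerts = []
    for rec in records:
        scored = score(rec, baseline)
        if scored and scored[0]:
            alerts.append({"time": rec["time"], "caller": rec["caller"],
                           "collection": rec["resourceId"].rsplit("/", 1)[-1],
                           "severity": scored[0], "reasons": scored[1]})
    return alerts
```

Failed delete attempts are skipped here because they did not remove a recovery point, but a burst of them from an unfamiliar ASN is still worth a look during the same review.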

Known False Positives

  • Planned cleanup of old restore points
  • VM decommissioning activities
  • Storage cost optimization