Skip to content
Threat Feed
medium advisory

Mass Azure Compute Snapshot Deletion

The rule detects mass deletion of Azure disk snapshots, which could indicate an adversary attempting to inhibit system recovery capabilities, destroy backup evidence, or prepare for a ransomware attack.

This brief focuses on the detection of mass Azure compute snapshot deletions, a tactic used by threat actors to impede system recovery and potentially pave the way for ransomware attacks. The behavior is identified through Azure Activity Logs when a single user or service principal deletes multiple Azure disk snapshots within a short timeframe. The source research indicates that adversaries target snapshots to prevent victims from recovering data without paying ransom or to eliminate forensic evidence of their activities. Mass deletion of snapshots eliminates restore points, significantly impacting disaster recovery capabilities, and is a critical indicator of potentially malicious activity. The activity is detectable via Azure Activity Logs. This activity has been associated with groups like Storm-0501.

Attack Chain

  1. The attacker gains unauthorized access to an Azure account or compromises a user account with sufficient privileges.
  2. The attacker enumerates available Azure compute snapshots within the subscription.
  3. The attacker initiates a mass deletion of Azure disk snapshots using the compromised account, often targeting critical system backups.
  4. Azure Activity Logs record the snapshot deletion events, capturing details like the user, timestamp, and resource names.
  5. The attacker may attempt to disable or modify other backup mechanisms to further hinder recovery efforts.
  6. With snapshots deleted, the attacker proceeds with data encryption for ransomware attacks or other malicious activities.
  7. The victim is left without readily available restore points, increasing the likelihood of paying a ransom or experiencing significant data loss.

Impact

Successful mass deletion of Azure compute snapshots can have severe consequences. Organizations may lose critical restore points, making data recovery difficult or impossible without paying a ransom. This can lead to significant downtime, financial losses, and reputational damage. Affected sectors include any organization relying on Azure for compute and storage services. The number of victims depends on the scope of the attack, but even a single successful incident can have a major impact.

Recommendation

  • Deploy the Sigma rule Azure Compute Snapshot Deletions by User to your SIEM to detect suspicious snapshot deletion activity (rule).
  • Investigate any alerts generated by the rule, focusing on the user or service principal involved and the number of snapshots deleted (rule).
  • Implement Azure Resource Locks on critical snapshots to prevent accidental or malicious deletion (reference).
  • Configure Azure Policy to restrict snapshot deletion permissions to only authorized backup administrators (reference).
  • Enable Azure Activity Log alerts and configure notifications to security teams immediately when snapshots are deleted (reference).
  • Review and enhance backup strategies to ensure redundant backup mechanisms exist beyond Azure snapshots, including geo-redundant backups and offline copies (reference).

Detection coverage 2

Azure Compute Snapshot Deletions by User

medium

Detects when a single user or service principal deletes multiple Azure compute snapshots within a short time period, potentially indicating malicious activity such as ransomware preparation or data destruction.

sigma tactics: impact techniques: T1485, T1490 sources: cloudtrail, azure, activitylog

Azure Compute Snapshot Deletion via Unusual User Agent

medium

Detects Azure compute snapshot deletions performed by unusual user agents, potentially indicating automated tools or malicious scripts.

sigma tactics: impact techniques: T1485, T1490 sources: cloudtrail, azure, activitylog

Detection queries are available on the platform. Get full rules →