
Incident Response Runbook: Ransomware & Malware

1. Identification

  • Triggers: Microsoft Defender for Servers alert, unexpected large-scale file modification, users reporting inaccessible files/encrypted drives.
  • Initial Triage: Determine which workloads/VMs are affected. Do not reboot the affected machines (preserves volatile memory for forensics).

2. Containment

  1. Isolate Infected Machines:
     • Move affected VMs to an isolated Virtual Network (VNet) or apply strict Network Security Group (NSG) rules blocking all outbound and inbound traffic except to forensic endpoints.
     • In Defender for Endpoint, use the "Isolate Device" action.
  2. Prevent Spread:
     • Suspend shared storage access (e.g., Azure Files SMB shares) connected to the infected machines.
     • Rotate any service principal credentials or managed identities associated with the compromised workloads to prevent lateral movement.
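A quarantine rule set is only as good as its priority ordering: Azure evaluates NSG rules from the lowest priority number upward, first match wins, and the built-in default rules (AllowVnetInBound at 65000, AllowInternetOutBound at 65001) sit below every custom rule, so a deny-all that is not paired with an earlier allow for the forensic collector either blocks evidence collection or, if written at the wrong priority, leaves VNet peers reachable. The following added example (not part of the runbook, and not Azure tooling) models that evaluation order with the real default-rule priorities and checks a quarantine rule set before it is applied; the VM address, the VNet range and the forensic subnet are constructed sample values, and the "VirtualNetwork"/"Internet" service tags are simplified to CIDR checks.

```python
"""Check that a quarantine NSG rule set really isolates a VM.

Added example (not part of the runbook): models Azure NSG rule evaluation
(lowest priority number wins, first match decides, default rules at 65000+)
to confirm that a quarantine rule set allows only the forensic collector and
denies everything else, including VNet peers that the default
AllowVnetInBound rule would otherwise permit.
"""
import ipaddress
from dataclasses import dataclass

# Constructed sample values (assumptions, not from the runbook)
VNET_CIDR = "10.0.0.0/16"
FORENSIC_CIDR = "10.200.0.0/24"   # hypothetical forensic collection subnet
PRIVATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int      # 100-4096 for custom rules; lower number is evaluated first
    direction: str     # "Inbound" | "Outbound"
    access: str        # "Allow" | "Deny"
    source: str        # CIDR or service tag: "*", "VirtualNetwork", "Internet", "AzureLoadBalancer"
    destination: str
    dest_port: str     # "*" or a single port number


# Azure's built-in default rules; they sit below any custom rule (priority 65000+)
DEFAULT_RULES = [
    Rule("AllowVnetInBound", 65000, "Inbound", "Allow", "VirtualNetwork", "VirtualNetwork", "*"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Inbound", "Allow", "AzureLoadBalancer", "*", "*"),
    Rule("DenyAllInBound", 65500, "Inbound", "Deny", "*", "*", "*"),
    Rule("AllowVnetOutBound", 65000, "Outbound", "Allow", "VirtualNetwork", "VirtualNetwork", "*"),
    Rule("AllowInternetOutBound", 65001, "Outbound", "Allow", "*", "Internet", "*"),
    Rule("DenyAllOutBound", 65500, "Outbound", "Deny", "*", "*", "*"),
]


def quarantine_rules(forensic_cidr: str) -> list[Rule]:
    """Allow only the forensic collector, then deny everything else at a
    priority that still sits above (numerically below) Azure's default allows."""
    return [
        Rule("Quarantine-AllowForensicIn", 100, "Inbound", "Allow", forensic_cidr, "*", "*"),
        Rule("Quarantine-AllowForensicOut", 100, "Outbound", "Allow", "*", forensic_cidr, "*"),
        Rule("Quarantine-DenyAllIn", 4000, "Inbound", "Deny", "*", "*", "*"),
        Rule("Quarantine-DenyAllOut", 4000, "Outbound", "Deny", "*", "*", "*"),
    ]


def _addr_matches(prefix: str, ip: str) -> bool:
    """Match an IP against a CIDR or a (simplified) Azure service tag."""
    addr = ipaddress.ip_address(ip)
    if prefix == "*":
        return True
    if prefix == "VirtualNetwork":          # simplified: the VNet's own range only
        return addr in ipaddress.ip_network(VNET_CIDR)
    if prefix == "Internet":                # simplified: anything outside RFC 1918 space
        return not any(addr in n for n in PRIVATE_NETS)
    if prefix == "AzureLoadBalancer":
        return ip == "168.63.129.16"        # Azure's well-known load balancer probe address
    return addr in ipaddress.ip_network(prefix, strict=False)


def evaluate(custom: list[Rule], direction: str, src_ip: str, dst_ip: str, dst_port: int) -> str:
    """Return the NSG decision ("Allow"/"Deny") for one flow the way Azure does:
    custom and default rules merged, ordered by priority, first match wins."""
    for r in sorted(custom + DEFAULT_RULES, key=lambda r: r.priority):
        if r.direction != direction:
            continue
        if r.dest_port != "*" and int(r.dest_port) != dst_port:
            continue
        if _addr_matches(r.source, src_ip) and _addr_matches(r.destination, dst_ip):
            return r.access
    return "Deny"   # not reachable while the default rules are present; safe fallback


def verify_quarantine(rules: list[Rule]) -> dict[str, str]:
    """Spot checks a responder would run before trusting the quarantine."""
    vm = "10.0.1.4"   # the isolated VM (constructed address)
    return {
        "forensic_in": evaluate(rules, "Inbound", "10.200.0.10", vm, 22),
        "forensic_out": evaluate(rules, "Outbound", vm, "10.200.0.10", 443),
        "vnet_peer_in": evaluate(rules, "Inbound", "10.0.2.7", vm, 445),      # SMB from a peer VM
        "vnet_peer_out": evaluate(rules, "Outbound", vm, "10.0.2.7", 445),    # SMB towards a peer VM
        "internet_out": evaluate(rules, "Outbound", vm, "203.0.113.9", 443),  # any outbound beacon
    }


if __name__ == "__main__":
    for check, decision in verify_quarantine(quarantine_rules(FORENSIC_CIDR)).items():
        print(f"{check:14s} -> {decision}")
```

Running it with an empty custom rule list shows why the quarantine is needed: the defaults alone allow the SMB flow from the peer VM and the outbound HTTPS flow to the Internet. Once the rule set passes these checks, the same four rules can be created on the quarantine NSG (for example with `az network nsg rule create`) and attached to the affected NIC or subnet.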

3. Eradication & Investigation

  • Scan isolated machines using Defender for Servers to identify the ransomware payload.
  • Collect forensic snapshots of the VM disks (do not attach these to production systems).
  • Review AzureActivity and network flow logs (NSG flow logs) to determine the entry point (e.g., exposed RDP/SSH, vulnerability exploit).
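NSG flow logs record, for every flow, the rule that allowed or denied it, so the entry-point question ("which exposed service, and which rule exposed it?") can be answered directly from the flow tuples. The following added example (not the runbook's own tooling) parses NSG flow log version 2 records, keeps inbound flows that the NSG allowed to SSH/RDP from addresses outside RFC 1918 space, groups them by source, target, port and allowing rule, and separately lists unusually large outbound transfers. The log excerpt, the subscription and resource names and all addresses in it are constructed sample data.

```python
"""Triage NSG flow logs for a likely entry point.

Added example, not part of the runbook. Parses NSG flow log (version 2)
records and reports inbound flows that were allowed to management ports from
non-RFC 1918 sources, together with the NSG rule that allowed them, plus
large outbound transfers. The log excerpt below is constructed sample data.
"""
import ipaddress
import json
from datetime import datetime, timezone

MANAGEMENT_PORTS = {22: "SSH", 3389: "RDP"}
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed excerpt in the NSG flow log v2 layout:
# records[] -> properties.flows[].rule -> flows[].flowTuples[]
SAMPLE_LOG = json.dumps({"records": [{
    "time": "2024-05-01T02:10:00Z",
    "category": "NetworkSecurityGroupFlowEvent",
    "resourceId": "/SUBSCRIPTIONS/00000000-0000-0000-0000-000000000000/RESOURCEGROUPS/RG-EXAMPLE"
                  "/PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/NSG-EXAMPLE",
    "properties": {"Version": 2, "flows": [
        {"rule": "UserRule_Allow-RDP-Any", "flows": [{"mac": "000D3A000001", "flowTuples": [
            "1714529400,198.51.100.23,10.0.1.4,51122,3389,T,I,A,B,,,,",
            "1714529405,198.51.100.23,10.0.1.4,51122,3389,T,I,A,C,40,5120,38,9876",
            "1714529700,198.51.100.23,10.0.1.4,51300,3389,T,I,A,E,120,15000,110,22000"]}]},
        {"rule": "DefaultRule_AllowVnetInBound", "flows": [{"mac": "000D3A000001", "flowTuples": [
            "1714529900,10.0.2.7,10.0.1.4,49800,445,T,I,A,E,10,1200,9,900"]}]},
        {"rule": "DefaultRule_DenyAllInBound", "flows": [{"mac": "000D3A000001", "flowTuples": [
            "1714530000,203.0.113.50,10.0.1.4,60000,22,T,I,D,B,,,,"]}]},
        {"rule": "DefaultRule_AllowInternetOutBound", "flows": [{"mac": "000D3A000001", "flowTuples": [
            "1714530100,10.0.1.4,203.0.113.9,44000,443,T,O,A,E,500,2000000,400,8000"]}]},
    ]}}]})


def parse_tuple(t: str) -> dict:
    """Split a v2 flow tuple: time,src,dst,srcport,dstport,proto,dir,decision,state,
    pkts_s2d,bytes_s2d,pkts_d2s,bytes_d2s. Begin ('B') tuples carry no counters."""
    f = t.split(",")
    return {
        "time": datetime.fromtimestamp(int(f[0]), tz=timezone.utc),
        "src": f[1], "dst": f[2], "src_port": int(f[3]), "dst_port": int(f[4]),
        "proto": f[5], "direction": f[6], "decision": f[7], "state": f[8],
        "bytes_s2d": int(f[10]) if len(f) > 10 and f[10] else 0,
        "bytes_d2s": int(f[12]) if len(f) > 12 and f[12] else 0,
    }


def iter_flows(raw_json: str):
    """Yield (allowing_or_denying_rule, parsed_tuple) for every tuple in the log."""
    for rec in json.loads(raw_json)["records"]:
        for group in rec["properties"]["flows"]:
            for flow in group["flows"]:
                for t in flow["flowTuples"]:
                    yield group["rule"], parse_tuple(t)


def is_external(ip: str) -> bool:
    """Treat anything outside RFC 1918 space as external (the VNet is assumed to be private)."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in n for n in INTERNAL_NETS)


def entry_point_candidates(raw_json: str) -> list[dict]:
    """Inbound flows the NSG allowed to management ports from external sources,
    aggregated by (source, destination, port, allowing rule), oldest first."""
    agg: dict[tuple, dict] = {}
    for rule, fl in iter_flows(raw_json):
        if fl["direction"] != "I" or fl["decision"] != "A":
            continue
        if fl["dst_port"] not in MANAGEMENT_PORTS or not is_external(fl["src"]):
            continue
        key = (fl["src"], fl["dst"], fl["dst_port"], rule)
        c = agg.setdefault(key, {"src": fl["src"], "dst": fl["dst"], "rule": rule,
                                 "service": MANAGEMENT_PORTS[fl["dst_port"]],
                                 "first_seen": fl["time"], "src_ports": set(), "bytes_in": 0})
        c["first_seen"] = min(c["first_seen"], fl["time"])
        c["src_ports"].add(fl["src_port"])   # distinct source ports ~ distinct connections
        c["bytes_in"] += fl["bytes_s2d"]
    out = []
    for c in sorted(agg.values(), key=lambda c: c["first_seen"]):
        c["connections"] = len(c.pop("src_ports"))
        out.append(c)
    return out


def large_outbound_transfers(raw_json: str, threshold_bytes: int) -> list[dict]:
    """Allowed outbound flows whose source-to-destination byte count exceeds the threshold."""
    return [{"src": fl["src"], "dst": fl["dst"], "dst_port": fl["dst_port"], "bytes_out": fl["bytes_s2d"]}
            for _, fl in iter_flows(raw_json)
            if fl["direction"] == "O" and fl["decision"] == "A" and fl["bytes_s2d"] > threshold_bytes]


if __name__ == "__main__":
    for c in entry_point_candidates(SAMPLE_LOG):
        print(f"{c['first_seen']:%Y-%m-%d %H:%M}Z {c['src']} -> {c['dst']}:{c['service']} "
              f"allowed by {c['rule']} ({c['connections']} connections, {c['bytes_in']} bytes in)")
    for t in large_outbound_transfers(SAMPLE_LOG, threshold_bytes=1_000_000):
        print(f"large outbound: {t['src']} -> {t['dst']}:{t['dst_port']} {t['bytes_out']} bytes")
```

On the sample data the only candidate is RDP from an external address allowed by a user rule; the denied SSH attempt and the VNet-internal SMB flow are excluded, which is the point: denied flows are noise for entry-point analysis, and the rule name tells you which NSG change to make in Lessons Learned. Real exports are one JSON file per hour per NSG in the storage account, so run the functions over each file and merge the results.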

4. Recovery

  1. Verify Backup Integrity:
     • Ensure the latest backup points in Recovery Services Vault / Backup Vault are unaffected by the ransomware.
     • Check for WORM (Write Once Read Many) immutability locks (F6 / L-series).
  2. Restore Workloads:
     • Restore the VMs or databases from the last known good backup to a clean, isolated staging environment.
     • Verify the integrity of the restored data.
     • Cut over to the restored workloads.
  3. Re-enable Access:
     • Re-attach storage shares and remove the quarantine NSG rules from the clean, restored resources.

5. Lessons Learned

  • Patch the vulnerability that allowed entry.
  • Ensure endpoint protection agents are active and reporting on all resources.
  • Assess recovery time objective (RTO) performance.