
Are Azure Cloud Backups Protected from Ransomware?

cja-tech-guy asked
We use Azure Cloud backup to back up our in-house servers. If we were hit by ransomware and server files were encrypted, would it affect our backups that are stored in Azure? I'm thinking the backups are protected and we should be able to restore from them. Any ideas on this?

Thanks,
cja

Most Valuable Expert 2013

Commented:
Yes, provided there is some form of authentication to control access (that isn't cached on an infected machine!)
https://www.cybersecurity-insiders.com/microsoft-azure-backups-are-now-ransomware-protected/

Azure provides a password/PIN system which on-premise ransomware won't know, but it's likely to be accessed by a sysadmin and they need to ensure that neither their privileges nor access PIN can be used. Otherwise, just as locally, anything the infected machine has R/W access to can be encrypted.
Adam Brown, Senior Systems Admin
Top Expert 2010

Commented:

Cloud backup isn't accessible through the file system of the server, so ransomware wouldn't be able to see it. Unless, of course, you mount the Azure Cloud Backup storage directly to the server. Don't ever do that. At any rate, Azure Cloud Backup storage is only connected during the backup, and is only connected through the Windows Server Backup client. There isn't currently a ransomware variant that can access data through that. 

That said, if a ransomware attack happens and then the backup runs (Usually doesn't happen, since the ransomware attack will usually break the software), that backup will be about as large as a full backup and it will be unusable. The end result can be a big hit to your bill for cloud backup storage (temporary, as long as you clear that particular backup). 

Author

Commented:
Adam

So, "since the ransomware attack will usually break the software), that backup will be about as large as a full backup and it will be unusable" would my other Azure backups still be usable?  Would I be able to restore files from a backup that was taken before the ransomware happened?

Thanks,
cja

Author

Commented:
Adam
One more thing. I access Azure using the Azure Recovery Services Agent.  Does that matter?

Thanks,
cja
Exec Consultant
Distinguished Expert 2019
Commented:

Even for the MARS agent to take certain actions, it will be prompted to enter a PIN.


  • Your data will be retained by the recovery services vault for 14 days after you delete it. This means that even if some ransomware manages to delete your backups, you can still restore your data.
  • You require a PIN to be entered to perform certain actions. For example, if I attempt to stop a scheduled backup and delete all the data from a MARS agent, I will be prompted to enter the PIN.
  • You will be alerted in the event of a backup schedule being stopped or backup data being deleted. You’ll know that an attack is underway if no human initiated this action.
  • Maybe you need to go further back in time to before the infection. This feature ensures that you can restore from more than just 1 recovery point.


https://azure.microsoft.com/en-us/blog/azure-backup-security-feature/

https://www.infochola.com/blog/what-is-the-role-of-azure-backup-in-ransomware-protection-and-recovery
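Added example, not part of any answer in this thread: a sketch of a check that combines two points made above, that a backup taken after an infection is about as large as a full backup, and that you may need to restore from a recovery point before the infection. The job history is constructed sample data, and the function names and thresholds are assumptions, not anything Azure Backup provides.

```python
from datetime import date
from statistics import median

# Constructed sample: (recovery point date, GB transferred by that job).
# Values are illustrative and not taken from any real vault.
JOBS = [
    (date(2019, 3, 1), 410.0),  # initial full backup
    (date(2019, 3, 2), 6.2),
    (date(2019, 3, 3), 5.8),
    (date(2019, 3, 4), 7.1),
    (date(2019, 3, 5), 6.5),
    (date(2019, 3, 6), 398.0),  # incremental nearly as large as the full
    (date(2019, 3, 7), 9.0),
]

def flag_suspect_jobs(jobs, full_ratio=0.5, spike_factor=10.0):
    """Return dates of incremental jobs that look like mass file rewrites.

    A job is suspect when it transfers at least `full_ratio` of the initial
    full backup AND at least `spike_factor` times the median of the clean
    incrementals before it. Both thresholds are assumptions to tune.
    """
    jobs = sorted(jobs)
    full_size = jobs[0][1]
    suspects, history = [], []
    for day, gb in jobs[1:]:
        baseline = median(history) if history else 0.0
        if gb >= full_ratio * full_size and gb >= spike_factor * baseline:
            suspects.append(day)
        else:
            history.append(gb)  # only clean jobs feed the baseline
    return suspects

def last_clean_point(jobs, suspects):
    """Latest recovery point strictly before the first suspect job.

    Points taken after the first suspect job are skipped as well, since
    they would also capture the encrypted files.
    """
    if not suspects:
        return max(day for day, _ in jobs)
    earlier = [day for day, _ in jobs if day < min(suspects)]
    return max(earlier) if earlier else None

if __name__ == "__main__":
    suspects = flag_suspect_jobs(JOBS)
    print("suspect jobs:", suspects)
    print("restore from:", last_clean_point(JOBS, suspects))
```
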

Author

Commented:
btan

When you refer to a "pin" to perform certain actions in Azure, are you referring to the "passphrase" that was created when I first set up Azure backup?

Thanks,
cja
btan, Exec Consultant
Distinguished Expert 2019

Commented:

No, it is a separate thing which is generated from the Azure portal. E.g.

To receive this PIN:

  1. Sign in to the Azure portal.
  2. Browse to Recovery Services vault > Settings > Properties.
  3. Under Security PIN, click Generate. This opens a blade that contains the PIN to be entered in the Azure Recovery Services agent user interface. This PIN is valid for only five minutes, and it gets generated automatically after that period.

https://docs.microsoft.com/en-gb/azure/backup/backup-azure-security-feature


Author

Commented:
btan

So whenever I need to perform those certain actions like stop/delete backups, I have to go into the Azure Portal and generate the PIN and then enter it as needed? It is not a one-time PIN that is used all the time. Is that correct?

Thanks,
cja
btan, Exec Consultant
Distinguished Expert 2019

Commented:

Yes, like one-time, and it expires too.

Author

Commented:
Thanks for your help.