Imagine discovering your critical business data is being held hostage by cybercriminals demanding millions in ransom. According to IDC, 51% of ransomware attacks in 2023 attempted to destroy backups, and 60% of those attempts succeeded. That is a concerning statistic. How do you prevent it? One cloud feature that helps is Azure’s Soft Delete.
While Azure Soft Delete offers basic protection, today’s sophisticated ransomware attacks demand a more comprehensive defense strategy. Let’s explore how to build an unbreakable shield around your Azure backups, starting with understanding what Soft Delete can – and cannot – do for you.
Understanding Azure Soft Delete
Azure Soft Delete is backup’s safety net. When enabled (and it’s on by default for new Recovery Services vaults), Soft Delete keeps your deleted backup data in a “recently deleted” state for 14 to 180 days. During this time, you can “undelete” the data even if someone or something tries to delete it. It’s Azure’s way of saying “Hold up! Let’s not be hasty with those deletions!”
You cannot force-delete soft-deleted items before the retention period expires. They are automatically deleted after the retention period. This is a security feature specifically designed to protect backed-up data from accidental or malicious deletes. You must wait for the retention period to end before any other action can be taken on the item.
Here’s what’s happening behind the scenes:
- Soft Delete is free for a 14-day retention period; longer timeframes are charged extra
- When you “delete” a backup, it’s not actually deleted – it’s moved to a soft-deleted state
- The data stays there for 14 days (and you can extend this up to 180 days if needed)
- During this period, you can restore the data to its original location
- After the retention period, the data is permanently deleted
The Problem with Just Soft Delete
While Soft Delete is great at what it does, relying on it alone is like bringing a knife to a gunfight. Modern ransomware attacks are sophisticated and often target backup systems alongside primary data – typically by attempting to delete backup files or by compromising backup admin credentials. Some variants specifically search for and disable backup software processes before beginning their encryption routines. Plus, if an attacker gains admin access to your Azure subscription, they could potentially disable Soft Delete entirely (if you don’t have “Enable Always-on Soft Delete” enabled).
Building a Multi-Layered Defense
Let’s build a defense strategy that would make Fort Knox jealous. Here’s how we’re going to approach this:
1. Implement Cross-Cloud Backup Protection
First things first – don’t keep all your backup eggs in one Azure basket. The recent CrowdStrike incident in July 2024 showed us exactly why: when organizations rely on a single vendor for both their primary operations and backup protection, they’re especially vulnerable when that vendor experiences issues. By diversifying your backup strategy across multiple cloud providers, you create an extra layer of protection.
Here’s a practical example of a cross-cloud backup setup:
- Primary Environment: Azure VMs running in East US region
- Primary Backup: Local Azure Recovery Services vault with hourly snapshots
- Cross-Cloud Protection: N2W policy copying snapshots to an AWS S3 bucket in us-west-2
- Air Gap: AWS account uses separate credentials and MFA, with no shared access to Azure
- Recovery Options: Ability to restore Azure VM volumes directly to EC2 instances if needed
💡Pro Tip: While Azure requires manual configuration for cross-region replication, N2W provides built-in cross-cloud capabilities. You can automatically replicate your Azure backups to AWS or other cloud providers, providing true air-gapped protection against ransomware that might compromise your Azure environment.
2. Implement Immutable Backups
Your second line of defense should be implementing immutable backups – backups that can’t be modified or deleted, even by administrators. If you’re on Azure, Azure Backup’s “Immutable vault” functionality protects backup data by blocking operations that could lead to loss of recovery points. This can be enhanced by locking the Immutable vault setting to make it irreversible and using WORM (Write Once, Read Many) storage, preventing malicious actors from disabling immutability or deleting backups. A handy feature indeed.
For immutable backups to be effective, you need to consider:
- Lock duration settings that balance protection with operational flexibility
- Separate administrative access for immutability controls
- Impact on your backup retention and storage costs
- Recovery procedures when using immutable backups
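The two settings discussed so far can be checked mechanically: whether Soft Delete is always-on and whether the Immutable vault setting is locked. The following Python sketch is an added example, not N2W or Microsoft code; the vault export is constructed, its nested key names are an assumption about how a Recovery Services vault's security settings are exported, and `min_retention_days` is a hypothetical policy parameter.

```python
import json

# Constructed export of three vaults. The nested key names are an assumption about
# the vault's securitySettings block; compare them with your own export first.
EXPORT = json.loads("""[
 {"name": "vault-prod", "properties": {"securitySettings": {
    "softDeleteSettings": {"softDeleteState": "Enabled",
                           "softDeleteRetentionPeriodInDays": 14},
    "immutabilitySettings": {"state": "Unlocked"}}}},
 {"name": "vault-dr", "properties": {"securitySettings": {
    "softDeleteSettings": {"softDeleteState": "AlwaysON",
                           "softDeleteRetentionPeriodInDays": 90},
    "immutabilitySettings": {"state": "Locked"}}}},
 {"name": "vault-legacy", "properties": {}}
]""")

def audit_vault(vault, min_retention_days=14):
    """Return findings for protections that an admin-level attacker could still undo."""
    sec = vault.get("properties", {}).get("securitySettings", {})
    soft = sec.get("softDeleteSettings", {})
    state = soft.get("softDeleteState", "Unknown")   # missing settings count as unprotected
    days = soft.get("softDeleteRetentionPeriodInDays", 0)
    immut = sec.get("immutabilitySettings", {}).get("state", "Unknown")
    findings = []
    if state.lower() != "alwayson":
        findings.append(f"soft delete is '{state}', not always-on: it can be switched off")
    if not 14 <= days <= 180:
        findings.append(f"soft delete retention of {days} days is outside 14-180 days")
    elif days < min_retention_days:
        findings.append(f"soft delete retention of {days} days is below policy")
    if immut != "Locked":
        findings.append(f"immutability is '{immut}', not locked: it can be reversed")
    return findings

def audit(vaults, **policy):
    """Map each vault name to its list of findings (empty list means no findings)."""
    return {v["name"]: audit_vault(v, **policy) for v in vaults}

if __name__ == "__main__":
    for name, findings in audit(EXPORT, min_retention_days=30).items():
        print(name, "OK" if not findings else findings)
```
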
💡Pro Tip: N2W simplifies immutable backup management with built-in compliance lock features that work across both Azure and AWS environments. You can enable immutability with a single click, and N2W automatically manages the locking and unlocking process during scheduled cleanups, all while maintaining a complete audit trail.
3. Automate Security Testing and Monitoring
Don’t wait for an attack to test your defenses. Azure provides several built-in tools to help monitor backup health and spot potential ransomware activity:
- Azure Backup Reports – Use Log Analytics workspaces to track:
  - Sudden changes in backup sizes
  - Unexpected increases in change rates
  - Pattern changes in backup completion times
  - Multiple failed backup attempts in short succession
- Azure Monitor Alerts – Watch for suspicious patterns:
  - Mass deletion attempts of recovery points
  - Changes to backup policies during non-business hours
  - Multiple password reset attempts for backup service accounts
  - Modifications to vault access policies
- Azure Activity Logs – Key events to monitor:
  - Changes to Soft Delete settings
  - Modifications to vault access policies
  - Updates to backup retention policies
  - Attempts to disable security features
💡Pro Tip: N2W Recovery Scenarios go beyond basic monitoring by automating complete disaster recovery drills. You can test full recovery procedures, validate data integrity, and simulate ransomware recovery scenarios – all without impacting your production environment. Plus, N2W provides detailed reporting on recovery time objectives (RTOs) and maintains a full audit trail of all recovery tests.
4. Implement Granular Recovery Options
When ransomware strikes, you might not need to restore everything. However, Azure’s approach to granular file recovery has some significant limitations:
Azure’s Current Process and Limitations:
- Needs a temporary VM to host the recovery volume
- Takes 15-20 minutes just to mount the recovery volume
- Requires enough storage space for the full VM backup
- Limited to recovering files from one backup at a time
- Must repeat the mount process to access different recovery points
- Restricted to recovering 10 GB or less of data
- Slow data transfer speeds of approximately 1 GB per hour
- Maximum of 20 restore attempts per VM in a 24-hour period
This process can be particularly challenging when:
- You need to quickly restore a handful of critical files
- You’re unsure which backup contains the clean version of your files
- You need to compare files across multiple backup points
- Storage costs are a concern during recovery operations
💡Pro Tip: N2W dramatically simplifies this process with true file-level recovery:
- Browse files directly from backups without mounting volumes
- Compare files across multiple backup generations simultaneously
- Preview file contents before restoration
- Restore specific files and folders to any location
- No need for temporary VMs or additional storage
- Recovery typically complete in minutes rather than hours
5. Monitor Specific Backup Warning Signs
Early detection is your best defense against ransomware attacks. While many organizations focus on prevention, monitoring backup behavior patterns can provide crucial early warning signs that an attack is in progress. By understanding and tracking specific backup metrics and behaviors, you can spot potential ransomware activity before it causes catastrophic damage. Here’s what you need to watch for:
Backup Job Patterns:
- Multiple failed backups across different VMs within a short timeframe (potential widespread encryption)
- Sudden increases in backup size (>40% change from baseline could indicate encrypted files)
- Unexpected changes in backup duration (encryption often increases backup time)
- Unusual backup times outside scheduled windows
Data Change Patterns:
- High change rates across multiple VMs simultaneously (>70% changed files)
- Modifications to file extensions across large numbers of files
- Repeated failed consistency checks during backup
- Unusual spikes in write operations before backup jobs
Administrative Activities:
- Attempts to disable or modify Soft Delete settings
- Changes to backup retention periods during non-business hours
- Multiple recovery point deletions in rapid succession
- Modifications to backup access policies from unfamiliar IP addresses
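The thresholds listed above (a >40% size change from baseline, >70% changed files across several VMs, rapid recovery point deletions, off-hours retention changes) can be expressed as simple detection rules. This Python example is added here and is not part of N2W or Azure; the job and event records are constructed, their field layout is hypothetical, and the time windows and 08:00-18:00 business hours are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

# Constructed sample records; the field layout is hypothetical, not an Azure schema.
JOBS = [  # (vm, finished_at, size_gb, changed_file_ratio)
    ("web01", "2024-05-01T02:00", 100, 0.04), ("web01", "2024-05-02T02:00", 102, 0.05),
    ("web01", "2024-05-03T02:00", 101, 0.03), ("web01", "2024-05-04T02:00", 151, 0.82),
    ("db01", "2024-05-01T02:10", 400, 0.06), ("db01", "2024-05-02T02:10", 404, 0.05),
    ("db01", "2024-05-03T02:10", 398, 0.07), ("db01", "2024-05-04T02:10", 620, 0.91),
    ("app01", "2024-05-01T02:20", 50, 0.02), ("app01", "2024-05-02T02:20", 51, 0.03),
    ("app01", "2024-05-03T02:20", 50, 0.02), ("app01", "2024-05-04T02:20", 52, 0.04),
]
EVENTS = [  # (timestamp, operation, caller)
    ("2024-05-04T03:01", "delete_recovery_point", "svc-backup"),
    ("2024-05-04T03:02", "delete_recovery_point", "svc-backup"),
    ("2024-05-04T03:04", "delete_recovery_point", "svc-backup"),
    ("2024-05-04T03:05", "update_retention_policy", "svc-backup"),
    ("2024-05-04T14:30", "update_retention_policy", "alice"),
]

def size_anomalies(jobs, threshold=0.40):
    """VMs whose latest backup size moved >threshold from the median of earlier runs."""
    sizes = defaultdict(list)
    for vm, _, size, _ in sorted(jobs, key=lambda j: j[1]):
        sizes[vm].append(size)
    return sorted(vm for vm, s in sizes.items()
                  if len(s) > 1 and (b := median(s[:-1])) and abs(s[-1] - b) / b > threshold)

def mass_change(jobs, ratio=0.70, min_vms=2, window=timedelta(hours=1)):
    """VMs reporting >ratio changed files within one window of each other."""
    hot = sorted((datetime.fromisoformat(ts), vm) for vm, ts, _, r in jobs if r > ratio)
    for start, _ in hot:
        vms = {vm for t, vm in hot if timedelta(0) <= t - start <= window}
        if len(vms) >= min_vms:
            return sorted(vms)
    return []

def admin_alerts(events, burst=3, window=timedelta(minutes=10), business=range(8, 18)):
    """Rapid recovery-point deletions and retention changes outside business hours."""
    alerts = []
    dels = sorted(datetime.fromisoformat(ts) for ts, op, _ in events
                  if op == "delete_recovery_point")
    if any(dels[i + burst - 1] - dels[i] <= window for i in range(len(dels) - burst + 1)):
        alerts.append("deletion_burst")
    alerts += [f"off_hours_policy_change:{who}" for ts, op, who in events
               if op == "update_retention_policy"
               and datetime.fromisoformat(ts).hour not in business]
    return alerts
```

Using the median of earlier runs as the baseline keeps one unusually large earlier backup from hiding a later jump; tune the windows to your own backup schedule.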
💡Pro Tip: N2W provides dedicated ransomware detection that monitors these patterns automatically and adds cross-cloud correlation. For example, if suspicious activity is detected in Azure, N2W can automatically trigger additional backups and enable stricter immutability settings on your AWS backup copies.
Using N2W for True Ransomware-Proof Protection on Azure
As ransomware attacks evolve, your defense strategy should be fortified and layered. Here are a few ways N2W enables
Immutability
True immutability means backups are locked at the storage and cloud-native API level, not just by a switch in your SaaS backup and disaster recovery solution. Azure immutability using N2W prevents data changes during the chosen retention period, which is not only unbreachable but also helps meet many current and upcoming compliance requirements.
Cross-cloud data protection
N2W enables cross-cloud backup and recovery between AWS, Azure and Wasabi, providing not only maximum security through air-gapped backup copies but also significant cost savings. Backups are highly secure, and keeping them in a completely isolated cloud is a step up from keeping them in a separate account or region. It also protects against vendor lock-in. This is great not only for budget demands (utilizing affordable Azure Blob or Wasabi S3 storage) but also aligns with increasing compliance demands.
Automated recovery testing
At N2W, our mission is to help IT teams prepare for the worst—quickly, easily, and with confidence. Our platform offers fully automated disaster recovery testing that takes the complexity out of the process. You can prioritize resources, generate detailed audit logs, and restore not just critical workloads but also network configurations and security settings. This focus on speed and simplicity has become a cornerstone of how our customers protect themselves against ransomware.
Remember, the goal isn’t just to have backups – it’s to have recoverable backups when you need them most!
Try N2W free for 30 days and experience enterprise-grade backup protection with cross-cloud capabilities, granular recovery options, and automated security testing.