Ransomware hits healthcare - Backup deletion

Hunt Hypothesis

Adversaries are deleting backup files in healthcare environments to prevent data recovery and disrupt operations. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate ransomware attacks before they cause irreversible damage.

KQL Query

AlertInfo
| where Timestamp > ago(7d) 
| where Title == "File backups were deleted" 
| join AlertEvidence on AlertId

Analytic Rule Definition

id: b0188e2d-734d-4d54-8e70-c4157a195bb1
name: Ransomware hits healthcare - Backup deletion
description: |
  List alerts flagging attempts to delete backup files.
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
  dataTypes:
  - AlertInfo
  - AlertEvidence
query: |
  AlertInfo
  | where Timestamp > ago(7d) 
  | where Title == "File backups were deleted" 
  | join AlertEvidence on AlertId

Required Data Sources

Sentinel Table	Notes
`AlertEvidence`	Ensure this data connector is enabled

References

[Source Query](https://github.com/Azure/Azure-Sentinel/blob/main/Hunting Queries/Microsoft 365 Defender/Campaigns/Ransomware hits healthcare - Backup deletion.yaml)

False Positive Guidance

Scenario: Scheduled Backup Job Deletion
Description: A legitimate scheduled job runs to delete old backup files to free up storage space.
Filter/Exclusion: Check for process.name containing “backup” or “vss” and filter by process.command_line containing --delete or --purge. Exclude processes with user.name matching the backup service account.
Scenario: System Maintenance Task
Description: An admin task is executed to clean up temporary files or old logs, which may include backup-related files.
Filter/Exclusion: Filter by process.name like “cleanmgr.exe” or “del” and check for process.args containing “temp” or “log”. Exclude processes with user.name matching the system admin or service account.
Scenario: Antivirus Quarantine Removal
Description: Antivirus software quarantines malicious files and later removes them from the quarantine, which may include backup files.
Filter/Exclusion: Filter by process.name like “Windows Defender” or “Malwarebytes” and check for process.args containing “quarantine” or “remove”. Exclude processes with user.name matching the security service account.
Scenario: Database Maintenance and Log Rotation
Description: A database administrator performs log rotation or maintenance, which may involve deleting old backup logs.
Filter/Exclusion: Filter by process.name like “sqlservr.exe” or “mysqld” and check for process.args containing “logrotate” or “backup_cleanup”. Exclude processes with user.name matching the DBA account.
Scenario: User-Initiated File Cleanup
Description: A user manually deletes old backup files from their local machine or network share.
Filter/Exclusion: Filter by process.name