Assistance Required for Ransomware Infection on Azure Windows Virtual Machine

Audit 0 Reputation points
2025-01-28T05:38:08.28+00:00

I think my Azure Windows Virtual Machine has been infected with ransomware. The following issues are observed:

  • IIS and SQL services have stopped and cannot be restarted (error code: -2146893818).
  • All files on the C drive have been converted to .wex format.
  • Attempts to access administrative tools like Server Manager result in errors.

Please assist in identifying the infection source, recovering the virtual machine, and securing it against future attacks.

This is the exact message I am getting when I start IIS, SQL or any other service:

  ---------------------------
  Services
  ---------------------------
  Windows could not start the IIS Admin Service on the Computer. For more information, review the System Event Log. If this is a non-Microsoft service, contact the service vendor, and refer to service-specific error code -2146893818.
  ---------------------------
  OK
  ---------------------------

  [Window Title]
  C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\Server Manager.lnk
  [Content]
  Windows cannot find 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\Server Manager.lnk'. Make sure you typed the name correctly, and then try again.
  [OK]
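The dialog above points the reader at the System Event Log and gives only a signed decimal error code. Below is an added first-pass triage script in PowerShell; it is not code from the question or the answer. It assumes the winevt logs have been copied out of a snapshot of the infected disk and mounted read-only on a clean analyst machine as E:\ (the mount point and log paths are assumptions); the .wex extension is the one reported in the question.

```powershell
# Added example (not from the original question or answer): first-pass triage of
# the logs the service error dialog points at. Run on a clean analyst machine
# against a snapshot of the infected disk mounted as E:\ (an assumption).
$Mount       = 'E:\'
$LogDir      = Join-Path $Mount 'Windows\System32\winevt\Logs'
$SystemLog   = Join-Path $LogDir 'System.evtx'
$DefenderLog = Join-Path $LogDir 'Microsoft-Windows-Windows Defender%4Operational.evtx'

# services.msc shows the failure as a signed 32-bit decimal. Re-interpret the same
# bits as an unsigned HRESULT so it can be matched against Microsoft's error tables:
# -2146893818 -> 0x80090006 (facility 9 = FACILITY_SSPI, code 6 = NTE_BAD_SIGNATURE,
# "Invalid Signature").
function ConvertTo-HResult {
    param([Parameter(Mandatory)][int]$Code)
    $u = [BitConverter]::ToUInt32([BitConverter]::GetBytes($Code), 0)
    [pscustomobject]@{
        Decimal  = $Code
        Hex      = '0x{0:X8}' -f $u
        Failed   = [bool]($u -band 0x80000000)
        Facility = ($u -shr 16) -band 0x7FF
        Code     = $u -band 0xFFFF
    }
}

# Service Control Manager events for services that failed to start or died:
# 7000 = failed to start, 7023 = terminated with error, 7024 = service-specific error.
function Get-ServiceFailures {
    param([string]$Path = $SystemLog)
    Get-WinEvent -FilterHashtable @{ Path = $Path; ProviderName = 'Service Control Manager'; Id = 7000, 7023, 7024 } -ErrorAction SilentlyContinue |
        Sort-Object TimeCreated |
        Select-Object TimeCreated, Id, @{ n = 'Service'; e = { $_.Properties[0].Value } }, Message
}

# Defender: detections (1116 detected, 1117 action taken) and the events that
# show protection being switched off (5001 real-time protection disabled,
# 5010 scanning disabled), which operators usually do before running the encryptor.
function Get-DefenderActivity {
    param([string]$Path = $DefenderLog)
    Get-WinEvent -FilterHashtable @{ Path = $Path; Id = 1116, 1117, 5001, 5010 } -ErrorAction SilentlyContinue |
        Sort-Object TimeCreated |
        Select-Object TimeCreated, Id, Message
}

# Encryption window: the earliest and latest write times of the renamed files
# bound when the encryptor ran, which is the interval to pivot on in every other log.
function Get-EncryptionWindow {
    param([string]$Root = $Mount, [string]$Extension = '.wex')
    $files = Get-ChildItem -Path $Root -Recurse -File -Filter "*$Extension" -ErrorAction SilentlyContinue
    $range = $files | Measure-Object -Property LastWriteTime -Minimum -Maximum
    [pscustomobject]@{ Count = $range.Count; First = $range.Minimum; Last = $range.Maximum }
}

ConvertTo-HResult -Code -2146893818 | Format-List
Get-ServiceFailures  | Format-Table -AutoSize
Get-DefenderActivity | Format-Table -AutoSize
Get-EncryptionWindow
```

The same functions work against a live system if the `-Path` arguments are replaced with `LogName = 'System'` and `LogName = 'Microsoft-Windows-Windows Defender/Operational'` in the filter hashtables, but reading from a mounted snapshot avoids executing anything on the compromised host and keeps the evidence unchanged.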

  1. Srinud 3,615 Reputation points Microsoft Vendor
    2025-01-28T14:16:26.4766667+00:00

    Hi Audit,

    Thank you for reaching out to us on the Microsoft Q&A forum.

    Based on your description, you are experiencing this issue with your Azure Windows Virtual Machine. To investigate the ransomware infection, begin by identifying its cause. Check for any recent changes in your environment, such as the installation of new software or the presence of unverified emails that may have introduced the infection. Review logs from antivirus software and Endpoint Detection and Response (EDR) systems.

    Here are some essential steps to prevent or respond to an attack on an Azure Virtual Machine:

    • Please disconnect the VM from the network immediately to prevent the spread of ransomware and protect other systems.
    • Additionally, if possible, take a snapshot of the VM to preserve its current state.
    • Keep your system updated with the latest security patches and updates.
    • Enable multifactor authentication (MFA) for all users to strengthen security.
    • Regularly back up your data and store the backups securely, ensuring they are inaccessible from infected systems.
    • Implement a Security Information and Event Management (SIEM) solution to monitor and detect unusual activity.

    I recommend you refer to the links below:
    Backup and restore plan to protect against ransomware
    Ransomware protection in Azure
    The Microsoft Incident Response approach to conducting ransomware incident investigations

    If the information is helpful, please consider clicking "Accept answer and Upvote" on the post.
    If you have any further queries, please let us know in the comments.

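The two immediate steps in the answer above, disconnecting the VM and snapshotting its state, are done from the Azure control plane rather than inside the guest. What follows is an added Az PowerShell example, not code from the original answer or from the linked Microsoft pages. The resource group, VM name and naming scheme are assumptions; it also assumes a managed-disk VM and that the operator signs in with an identity other than the one used on the infected machine.

```powershell
# Added example (not from the original answer): quarantine an Azure VM at the
# network layer, then snapshot its disks for recovery and forensics.
# Resource group, VM name and naming scheme are assumptions.
#Requires -Modules Az.Accounts, Az.Compute, Az.Network, Az.Resources
$ResourceGroup = 'rg-prod-web'
$VmName        = 'vm-iis-01'
$Stamp         = Get-Date -Format 'yyyyMMddHHmm'

# Sign in with an account that is NOT the one used on the infected VM; if the
# guest's credentials were harvested, the attacker may hold Azure access too.
Connect-AzAccount | Out-Null
$vm = Get-AzVM -ResourceGroupName $ResourceGroup -Name $VmName

# 1. Isolate: a deny-all NSG attached to every NIC of the VM. Priority 100 beats
#    the built-in AllowVnetInBound/AllowVnetOutBound rules (priority 65000), so
#    this stops east-west traffic to other VMs in the VNet, not only Internet access.
$nsg = New-AzNetworkSecurityGroup -ResourceGroupName $ResourceGroup -Location $vm.Location -Name "nsg-quarantine-$VmName"
$denyAll = @{
    Access = 'Deny'; Priority = 100; Protocol = '*'
    SourceAddressPrefix = '*'; SourcePortRange = '*'
    DestinationAddressPrefix = '*'; DestinationPortRange = '*'
}
$nsg = $nsg | Add-AzNetworkSecurityRuleConfig -Name 'DenyAllInbound'  -Direction Inbound  @denyAll
$nsg = $nsg | Add-AzNetworkSecurityRuleConfig -Name 'DenyAllOutbound' -Direction Outbound @denyAll
$nsg = $nsg | Set-AzNetworkSecurityGroup

foreach ($nicRef in $vm.NetworkProfile.NetworkInterfaces) {
    $nic = Get-AzNetworkInterface -ResourceId $nicRef.Id
    $nic.NetworkSecurityGroup = $nsg
    $nic | Set-AzNetworkInterface | Out-Null
    Write-Host "Quarantined NIC $($nic.Name)"
}

# 2. Preserve: snapshot the OS disk and every data disk while the VM is still
#    running. The copies are crash-consistent, which is adequate for evidence and
#    for a rebuild; do not deallocate first, since that discards the memory you
#    may still want for a forensic capture.
$disks = @($vm.StorageProfile.OsDisk) + @($vm.StorageProfile.DataDisks)
foreach ($disk in $disks) {
    $snapName = "snap-$($disk.Name)-$Stamp"
    $cfg  = New-AzSnapshotConfig -SourceUri $disk.ManagedDisk.Id -Location $vm.Location -CreateOption Copy
    $snap = New-AzSnapshot -ResourceGroupName $ResourceGroup -SnapshotName $snapName -Snapshot $cfg
    # A CanNotDelete lock keeps the evidence from being removed with the same
    # credentials the attacker may hold, or by an over-eager cleanup later.
    New-AzResourceLock -LockName "lock-$snapName" -LockLevel CanNotDelete -ResourceName $snap.Name -ResourceType 'Microsoft.Compute/snapshots' -ResourceGroupName $ResourceGroup -Force | Out-Null
    Write-Host "Snapshot $($snap.Name) created and locked"
}
```

Traffic must be allowed by both the NIC-level and any subnet-level NSG, so attaching the deny-all group to the NIC is sufficient even when the subnet already has its own rules; it also blocks Azure Load Balancer health probes, which is expected for a quarantined host. Once the snapshots exist, create a managed disk from the OS snapshot and attach it to a clean analysis VM for log review rather than logging in to the infected guest.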
