Azure Virtual Machines
An Azure service that is used to provision Windows and Linux virtual machines.
8,298 questions
Assistance Required for Ransomware Infection on Azure Windows Virtual Machine
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(272, 45%, 36%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
Audit
0
Reputation points
I think my Azure Windows Virtual Machine has been infected with ransomware. The following issues are observed:
- IIS and SQL services have stopped and cannot be restarted (error code: -2146893818).
- All files on the C drive have been converted to
.wexformat. - Attempts to access administrative tools like Server Manager result in errors.
Please assist in identifying the infection source, recovering the virtual machine, and securing it against future attacks.
This is the exact message i am getting when i start iis, sql or any other services -
--------------------------- Services --------------------------- Windows could not start the IIS Admin Service on the Computer. For more information, review the System Event Log. If this is a non-Microsoft service, contact the service vendor, and refer to service-specific error code -2146893818. --------------------------- OK ---------------------------
[Window Title] C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\Server Manager.lnk [Content] Windows cannot find 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\Server Manager.lnk'. Make sure you typed the name correctly, and then try again. [OK]
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(313.6, 35%, 40%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ES%3C/text%3E%3C/svg%3E)
Srinud 3,590 Reputation points Microsoft Vendor2025-01-28T14:16:26.4766667+00:00 Hi Audit,
Thank you for reaching out to us on the Microsoft Q&A forum.
Based on your description, you're experiencing the issue with your Azure Windows Virtual Machine. to investigate the ransomware infection, begin by identifying its cause. Check for any recent changes in your environment, such as the installation of new software or the presence of unverified emails that may have introduced the infection. Review logs from antivirus software, Endpoint Detection and Response (EDR) systems.
Here are some essential steps to prevent or respond to an attack on an Azure Virtual Machine:
- Please disconnect the VM from the network immediately to prevent the spread of ransomware and protect other systems.
- Additionally, if possible, take a snapshot of the VM to preserve its current state.
- Keep your system updated with the latest security patches and updates.
- Enable multifactor authentication (MFA) for all users to strengthen security.
- Regularly back up your data and store the backups securely, ensuring they are inaccessible from infected systems.
- Implement a Security Information and Event Management (SIEM) solution to monitor and detect unusual activity.
I recommend you refer on below links:
Backup and restore plan to protect against ransomware
Ransomware protection in Azure
The Microsoft Incident Response approach to conducting ransomware incident investigationsIf the information is helpful, please consider by clicking the "Upvote" on the post.
If you have any further queries, please let us know in the comment. -
Srinud 3,590 Reputation points Microsoft Vendor
2025-01-29T14:59:11.7966667+00:00 Hi Audit,
I just wanted to check if you had a chance to review comment. If you found it helpful, could you kindly click the “upvote” on my post.If you have any further queries, please let us know in the comment.
Thank you.
-
Sign in to comment
Sign in to answer