logo

Holding blobs for ransom: Four methods for Azure Storage ransomware

ID: e2de927c-c77e-5ef2-87eb-bfc5f2d36976

STIX ID: report--e2de927c-c77e-5ef2-87eb-bfc5f2d36976

Feed Name: Datadog Security Labs

Threat Score
80/100

Date Published: 2026-06-15

Date Updated: 2026-06-15

...
...

This report analyzes four methods attackers can use to render Azure Blob Storage data inaccessible—downloading/reuploading blobs to overwrite them, abusing customer-provided encryption keys (CPK), creating/using encryption scopes, and switching storage to customer-managed keys (CMK)—provides example API calls and logging details, cites real-world incidents (BlackCat/Sphynx and Microsoft STORM-0501), highlights detection/logging gaps, and gives mitigation and monitoring recommendations.

Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.