Azure Virtual Machines
An Azure service that is used to provision Windows and Linux virtual machines.
Azure VM Security Incident – Immediate Support Required
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(243.2, 94%, 33%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJS%3C/text%3E%3C/svg%3E)
Jessi Software
0
Reputation points
We had a virtual machine named <removed PII>. On 22-Dec, we observed that the VM was impacted by a ransomware attack. We immediately shut down the VM and created a new one. Our key requirements and concerns are as follows:
- We need to recover the data from the affected VM.
- Since it is a managed machine, we assumed Microsoft would protect it from such attacks. We request the RCA (Root Cause Analysis) for the ransomware incident.
- What guarantees and mitigation measures are in place to prevent similar attacks on the newly created VM?
- Although the affected VM has been stopped for the past two weeks, we are still being billed for associated resources. How can we request a waiver for these charges?
R.Vaira Selvam
REMOVED PII
Azure Virtual Machines
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(262.40000000000003, 96%, 35%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAY%3C/text%3E%3C/svg%3E)
Ankit Yadav 6,345 Reputation points Microsoft External Staff Moderator2025-12-04T10:25:29.3633333+00:00 Hello @Jessi Software , I'll try to help you out with all your concerns one by one, however please be noted it's highly suggested to avoid posting multiple questions in a single query. See here for details: https://learn.microsoft.com/en-us/answers/support/quality-question#avoid-posting-multiple-questions-in-a-single-thread
What could be done with this case to get best responses from Microsoft Q&A:
- Security related concerns can be posted in a separate Q&A thread
- VM Backup related thread can be posted in separate thread
- Billing related concern can be added in separate thread
-
Ankit Yadav 6,345 Reputation points Microsoft External Staff Moderator
2025-12-04T10:34:04.5166667+00:00 Regarding #1, We need to recover the data from the affected VM.
Since you already have the Data Disks and OS disks from the affected VM with you, you can simply detach them from the affected VM and attach it to the new VM and copy all the files into a single Data disk and delete the extra-disks based on your requirements to avoid excess cost for your subscription.
Regarding #4 Although the affected VM has been stopped for the past two weeks, we are still being billed for associated resources. How can we request a waiver for these charges?
You'd be required to raise the ticket with the concerned team from your end using below instructions:
Step 1: Log on to the Azure portal. If you have multiple accounts, make sure you use the one that was affected by downtime.Step 2: Create a new support request.
Step 3: Select "Billing" under Issue type.
Step 4: Select "Refund Request" under Problem type.
Step 5: Ask for an SLA credit, mentioning the date/time/time-zone as well as the impacted services (VMs, web sites, etc.).
Step 6: Check contact details and click "Create" to submit.
-
Ankit Yadav 6,345 Reputation points Microsoft External Staff Moderator
2025-12-04T10:36:49.5433333+00:00 For #2 & #3 concerns,
Since it is a managed machine, we assumed Microsoft would protect it from such attacks. We request the RCA (Root Cause Analysis) for the ransomware incident. What guarantees and mitigation measures are in place to prevent similar attacks on the newly created VM?I can see these concerns were already addressed over here: https://learn.microsoft.com/en-us/answers/questions/5630742/my-vm-server-attacked-by-some-malware-like-ransome
If there are any follow-up queries over the answer or any feedback to be improved for the service, kindly add it over the original query.
-
Ankit Yadav 6,345 Reputation points Microsoft External Staff Moderator
2025-12-04T10:48:00.8633333+00:00 Hello @Jessi Software ,
Let me know if my above shared responses helped out to answer your query/concerns.
If there are any follow-up queries over my responses for #1 & #4, kindly let me know and I'll be there to help you out to resolve your concerns.
Additionally, I've reached out to you via Private Message requesting some details related to your subscription to ensure your privacy is protected. Once shared those details, I can setup a Team's call with you and address your concerns better way.
Sign in to comment
Sign in to answer