Exam AZ-104
Question 35

Your company's Azure subscription includes Azure virtual machines (VMs) that run Windows Server 2016.

One of the VMs is backed up every day using Azure Backup Instant Restore.

When the VM becomes infected with data encrypting ransomware, you are required to restore the VM.

Which of the following actions should you take?

    Correct Answer: C

    If a VM becomes infected with data encrypting ransomware, it's essential to restore the VM to a secure and clean environment to ensure the malware is completely eradicated. Restoring the VM to a new Azure VM provides a fresh and uncontaminated environment, effectively reducing the risk of any remnants of the ransomware affecting the restored VM. This approach also avoids the risk associated with restoring to another potentially compromised VM within the subscription.

Discussion
shamst (Option: C)

It should be C

jackdryan

C is correct

Zokko (Option: C)

I believe it is the C option.
A - If you delete the VM you cannot recover to that vm, it must exist
B - You do not know the other VMs
C - Creating a New VM you can recover the VM
D - You can recover from the backup
https://docs.microsoft.com/en-us/azure/backup/backup-azure-arm-restore-vms

J4U

Yes, VM can be restored by replacing the existing disk or in a new VM.

[Removed]

Answer A doesn't say to restore *to* the infected VM. It says "You should restore the VM *after deleting* the infected VM"

ggogel

"A - If you delete the VM you cannot recover to that vm it must exist" This is not correct. As described in your link, you cannot use the option "replace existing" after the VM was deleted. The backup is not linked to the existence of the VM! What kind of backup would this be that gets deleted when the original VM gets deleted?! In my opinion, A and C would work just fine. I would even argue that A is the safer option. Firstly, we get rid of the ransomware such that it cannot infect any other systems. Secondly, we prevent any overlaps in hostname / IP configuration between the new and old VM.

3c5adce (Option: C)

Answer C (You should restore the VM to a new Azure VM) is a better choice. This approach ensures you're working with a completely uncontaminated, fresh environment, thereby significantly reducing the risk of any remnants of the ransomware affecting your new setup. However, it should be noted that this option should ideally be combined with the deletion of the infected VM (A) to mitigate any risk of spreading the ransomware further. This isn't explicitly mentioned in option C but is a critical step in the recovery process. So, while C is the better answer among the provided options for where to restore the VM, ensure to first delete the infected VM as a preparatory step.

YesPlease (Option: C)

Answer is C: https://learn.microsoft.com/en-us/azure/backup/protect-backups-from-ransomware-faq#how-to-restore-a-system-affected-by-ransomware

Rednevi (Option: C)

C. You should restore the VM to a new Azure VM. In the event of a ransomware infection on an Azure VM that is backed up using Azure Backup Instant Restore, it's generally recommended to restore the VM to a new Azure VM. This ensures that you are not using the compromised VM, and you can have confidence that the new VM is clean and unaffected by the ransomware. Option A (restoring after deleting the infected VM) could be risky because the compromised VM might still be accessible and could potentially re-infect the new VM. Option B (restoring to any VM within the company's subscription) is possible, but restoring to a new Azure VM is a safer approach. Option D (restoring to an on-premise Windows device) would not be relevant for restoring an Azure VM.

ki01

"Option A (restoring after deleting the infected VM) could be risky because the compromised VM might still be accessible and could potentially re-infect the new VM." It took me a good while to understand what this meant because I thought "how can a deleted VM be accessible?". It makes sense if, for example, there was a public IP through which the infection got in, a vulnerability that wasn't patched, some file that was downloaded longer ago and set to run in the future, etc. So yeah, C is the safest option.

OpOmOp (Option: A)

Replace existing: You can restore a disk, and use it to replace a disk on the existing VM. The current VM must exist. If it's been deleted, this option can't be used. https://learn.microsoft.com/en-us/azure/backup/backup-azure-arm-restore-vms

4557af7 (Option: C)

It should be C

Wiz78 (Option: C)

Be careful with the wording: it says "you should" (so where it is recommended, not where you can), so it should be C, as it is the safe way to go.

justjeroen (Option: A)

What is wrong with A? You delete the compromised VM and restore the VM from backup. What is the added value for another VM?

Raseekara

Maybe due to SID involvement

01525bd (Option: A)

GPT v4 answer: The best practice in this scenario, to maintain security and prevent the spread of ransomware, would be to delete the infected VM and then restore the clean backup to a new VM. This prevents the ransomware from potentially remaining on the system or affecting other VMs within the same environment. Therefore, the most appropriate action would be: A. You should restore the VM after deleting the infected VM. This answer ensures that the infected VM is completely removed and that the clean, backed-up version is restored, minimizing the risk of the ransomware persisting or spreading.

MelKr (Option: C)

C is the option I would choose in real life for most disaster-recovery scenarios. B seems random, why would I want to restore the files to another existing VM instead of a dedicated freshly created one? This might compromise other VMs as well in case there is already a hidden file of the ransomware in the backup.

stanislaus450 (Option: B)

In the scenario described, the VM is backed up using Azure Backup Instant Restore, which allows for quick recovery of files. Since the VM is infected with data encrypting ransomware, it's important to ensure that the recovered files are not compromised. The correct option is: C. You can only recover the files to a new VM. When dealing with ransomware or other malware infections, it's typically not recommended to recover files directly to the infected VM as there's a risk that the infection could persist. Instead, it's advisable to recover the files to a new VM to ensure they are clean and free from malware. This helps to prevent further spread of the infection and ensures the integrity of the recovered data. Therefore, option C is true in this scenario.

30th (Option: C)

It is not possible to "restore the vm TO any vm".
- I can restore a vm to a NEW vm
- I can restore a vm REPLACING any other vm
- I can restore FILES to any other vm.
Doesn't matter what I do, it is better to shut down the infected VM, but not to delete it until the restore process is finished.

stanislaus450 (Option: B)

B IS THE RIGHT ANSWER

c5ad307 (Option: C)

answer is c. What you CAN do and what you SHOULD do are not the same thing

MYR55 (Option: C)

C is correct while B is also a viable solution, best approach would be to perform recovery to an isolated and secure network and then scan again for any infection.

deroid (Option: C)

Option C is correct