There is a comforting myth in some boardrooms that moving to the cloud somehow puts ransomware out of reach. Microsoft manages the infrastructure, the thinking goes, so surely the infrastructure provider handles the security too. It does not, and ransomware gangs have adapted their playbooks for cloud environments just as thoroughly as they adapted for on-premises networks a decade ago.
How ransomware actually spreads into Azure
Most ransomware incidents involving Azure do not start in Azure at all. They start on a compromised laptop or an on-premises server, and the attacker then uses stolen credentials or a poorly secured hybrid connection to move into the cloud environment, where synced identities and shared storage let the encryption spread further and faster than a purely on-premises attack ever could. Azure AD Connect, VPN gateways, and federated identity all create bridges, and bridges work in both directions once an attacker is on one side of them, regardless of which side you originally built them to protect.
A dedicated round of Azure pen testing is built to test exactly this kind of lateral movement — not just whether the front door is locked, but whether an attacker who gets past the on-premises defences can pivot into cloud storage, backups, and identity systems once inside. Azure’s shared responsibility model means Microsoft secures the platform, but the configuration, the identity boundaries, and the backup isolation are entirely down to you.
Backups in the same tenant are not really backups
One of the most common failures we see is backup storage that sits in the same Azure tenant, using the same credentials, as the production systems it is meant to protect. If an attacker compromises the tenant, they can often reach the backups too, and a ransomware gang that finds and deletes your recovery point before triggering encryption has just removed your only real leverage in the incident. Isolation between production and backup access is not a detail, it is the entire point of having backups at all, and it is worth verifying rather than simply assuming it was configured correctly at setup.
William Fieldhouse has watched this specific failure play out more than once.
“I’ve sat with a client who genuinely believed their backups were safe because they were in the cloud, until we showed them that the same admin account which had been phished could reach both the live environment and every backup snapshot behind it. The cloud didn’t fail them, their assumption about isolation did.”
— William Fieldhouse, Director of Aardwolf Security Ltd
That assumption is exactly what a structured internal test is designed to challenge before an attacker does it for real. It is not enough to trust that cloud backups exist; you need proof that they sit outside the blast radius of a compromised identity, with separate credentials and separate approval paths for deletion or modification.
Test the whole chain, not just the cloud edge
Ransomware resilience depends on the weakest link across your entire environment, on-premises and cloud combined, not on any single platform’s marketing promises. Aardwolf Security tests that full chain, including an internal network pen testing, to show exactly how far an attacker could get and what they could reach once inside. If your backup strategy has never actually been tested against this scenario, now is the time to find out, not during an incident.