Pattern B: Ransomware Resilience

Recovery That Survives a Ransomware Attack in One Guided Demo

A compact executive walkthrough that proves an attacker reaching an admin account still cannot erase recovery — clean copies survive, controls hold, and the business returns to service with evidence.

14 daysSoft-delete reserve
0Recovery points lost
ImmutableVault lock
SeparatedRBAC duties

What Pattern B Shows

Pattern B answers the security sponsor question: if ransomware reaches a privileged account, can it also destroy our ability to recover? It proves the answer is no — backup destruction is made noisy and blocked through separated duties, soft delete, and immutable vault locks, so clean recovery points survive and the business can restore priority service with board-ready evidence.

Ransomware Readiness Click-through

Incident response mode Recovery-assurance story

Business Alarm

Leaders see the impact: destructive attempts are detected before recovery is lost.

Access Boundaries

Compromised access cannot erase the recovery promise or weaken controls.

Recovery Reserve

Protected recovery points remain available when the business needs a clean copy.

Return to Service

The team restores, validates, and briefs executives with evidence.

Business impact: ransomware tries to remove recovery options

Start with the executive concern: the attack is serious, but the organization can still see what happened and preserve clean recovery choices.

HighIncident severity
0Recovery points lost
14dRecovery reserve

Interactive architecture walkthrough

Step through the workload/protection plane isolation, backup flow, monitoring, ransomware containment, and recovery in a guided click-through.

Launch architecture demo

Proof for the Conversation

Separated Duties

Operators can restore service but cannot remove protections, so no single compromised account can both run and destroy recovery.

Recovery Reserve

Soft delete and immutable vault locks keep clean recovery points available long enough to choose a safe restore.

Board Evidence

Produces one incident pack: timeline, blocked actions, available recovery points, restored service, and the next governance step.

Pattern B Artifacts

ArtifactUse It ForLink
Infrastructure GuideDeploy the workload/protection separation, soft delete, and immutable locks.INFRASTRUCTURE_DEPLOYMENT_GUIDE.md
SpecReview RBAC separation, retention, immutability, and cleanup.SPEC.md
KQLShow backup failures, RBAC access audit, and soft-delete operations.backup-failures / rbac-audit / soft-delete
SourceOpen the implementation package in GitHub.GitHub source

Compact Technical Reference

Incident Runbook
  1. Detect the destructive attempt and confirm clean recovery points remain.
  2. Verify access boundaries: operators cannot remove protections or controls.
  3. Confirm the recovery reserve (soft delete + immutable lock) is intact.
  4. Restore the priority service first and have the owner validate it.
  5. Capture the incident evidence pack and brief executives.
Deploy Command
cd azure-backup-demo-spec az login az account set --subscription "<subscription-name-or-id>" ./scripts/deploy.ps1 ` -Location canadacentral ` -EnvironmentName backup-resilience ` -Owner <owner-name> ` -EnableImmutability
Monitoring Query
CoreAzureBackup | where TimeGenerated > ago(24h) | where OperationName has_any ("Delete", "StopProtection", "SoftDelete") | project TimeGenerated, ResourceId, OperationName, Caller, ResultType | order by TimeGenerated desc