Forum Discussion
How to recover from a ransomware attack that encrypts files on SharePoint
- Mar 05, 2019
There isn't an equivalent feature to the one for OneDrive (https://support.office.com/en-us/article/restore-your-onedrive-fa231298-759d-41cf-bcd0-25ac53eb8a15). Microsoft can, on request via support, I understand, restore a site collection for this sort of situation with mass data loss. It's alluded to here - https://blogs.technet.microsoft.com/sposupport/2016/09/19/handling-ransomware-in-sharepoint-online/. It's not a particularly flexible option, but it's good to have the possibility at least.
@severt There are a few more details here http://icansharepoint.com/restoration-options-sharepoint-online/ under 'Getting a Microsoft restoration', as well as what else is available.
Had the same issue recently... after being bounced between third-party support and MS for two weeks, finally got this suggestion as a final solution:
Go to the encrypted SharePoint site, click on the settings (cog) button on the top right, choose the "Restore library" option, select the roll-back date and choose "Restore"... then magic happens... all the encrypted files disappear!
Why on earth it took two weeks to tell us that, God only knows, but I had all sites back up and running in 10 minutes each.
PS....
1. You will need to break all the synchronisation links to the SharePoint site and delete the synchronised folders and files on local drives, to stop the encrypted files repopulating the SharePoint site once connected again.
2. Only a site owner can restore a library. If you are not a site owner, you will not see the option to restore.
3. Going forward, I would suggest using the sync-on-demand setting in OneDrive on the local drives, to minimise the spread of encrypted files to SharePoint. Our attack started at 6pm on Saturday and had all weekend to encrypt all synchronised files. An on-demand sync would have prevented this.
- Rob Ellis, Oct 02, 2019, Bronze Contributor
Re the Files On-Demand option preventing the issue - I think it would depend - e.g. if the machine was online, then if the encryption process opens the file, surely the sync client would bring that file down to the local machine, the malware would then encrypt it, and then the sync client would sync the change back up to 365?
(Or does the malware not actually 'open' the files??)
- Ian Lee, Oct 02, 2019, Copper Contributor
Sync on demand relies on the user clicking on a file to download the file and sync it to SharePoint. So there is no copy of the file on the local drive to encrypt.
You are correct that if someone downloads a file on demand whilst using an infected computer, then the file could be encrypted and synced back to SharePoint, but it would only be that one file and not all files, as would happen if they were permanently synced.
Hopefully the user will have already realised that their computer had been infected before attempting a sync on demand.
- Rob Ellis, Oct 02, 2019, Bronze Contributor
Agreed - but my question is: does the malware itself issue an 'open' command for each file? Because if it does, then each 'cloud only' file would be synced down to the PC (because something on the PC asked to open the file) and then encrypted.
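As an added example (not from this thread, and not a Microsoft tool), here is a Python triage script that serves two points raised above: step 1 of the recovery procedure, where the local synced copies have to be inspected and deleted before the library is reconnected, and the Files On-Demand question in the last replies. It walks a synced library folder, reads the Windows file attribute bits that the Files On-Demand cloud-files filter sets on placeholders, and flags hydrated files whose contents look encrypted. Cloud-only placeholders are deliberately never opened: on a Files On-Demand sync root, any ordinary open-and-read of a placeholder makes the sync client download the content first, so a process that opens every file for data access would hydrate each one before encrypting it, exactly as Rob suspects. The attribute constants are real winnt.h values; the entropy threshold, the list of "legitimately random" suffixes and the sample folder built by `run_demo()` are my own constructed assumptions for the demo, not incident data.

```python
"""Post-incident triage of a locally synced SharePoint library folder.

Added example for this thread; it is not the thread's or Microsoft's code.
It assumes the folder is a OneDrive/SharePoint sync root on Windows with
Files On-Demand enabled; on other platforms every file is treated as local.
"""
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Files On-Demand placeholder bits, from winnt.h (real Windows constants).
FILE_ATTRIBUTE_PINNED = 0x00080000                 # "Always keep on this device"
FILE_ATTRIBUTE_RECALL_ON_DATA_ACCESS = 0x00400000  # cloud-only placeholder: no local bytes

# Formats that are legitimately high-entropy, so entropy alone cannot flag them
# (assumed list for the demo; extend it for your own tenant's file mix).
COMPRESSED_SUFFIXES = {".docx", ".xlsx", ".pptx", ".pdf", ".zip", ".7z", ".gz",
                       ".jpg", ".jpeg", ".png", ".mp4"}


def placeholder_state(attrs: int) -> str:
    """Classify a file by its Files On-Demand attribute bits."""
    if attrs & FILE_ATTRIBUTE_RECALL_ON_DATA_ACCESS:
        return "cloud-only"        # only metadata on disk; a read would hydrate it
    if attrs & FILE_ATTRIBUTE_PINNED:
        return "always-available"  # full local copy, kept hydrated by the client
    return "local"                 # full local copy (hydrated earlier, or no FoD)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the sample: close to 8.0 for ciphertext, far lower for text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(path: Path, threshold: float = 7.5, sample: int = 4096) -> bool:
    """Heuristic: near-random header in a file whose suffix should not be compressed."""
    if path.suffix.lower() in COMPRESSED_SUFFIXES:
        return False
    with open(path, "rb") as fh:
        head = fh.read(sample)
    return len(head) >= 256 and shannon_entropy(head) > threshold


def triage(root) -> dict:
    """Walk a sync folder and sort files into cloud-only / clean / suspect.

    Cloud-only placeholders are never opened: reading one makes the sync client
    download it, which is exactly the exposure Files On-Demand avoids.
    """
    result = {"cloud-only": [], "clean": [], "suspect": []}
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        # st_file_attributes exists only on Windows; elsewhere treat as local.
        attrs = getattr(path.stat(), "st_file_attributes", 0)
        if placeholder_state(attrs) == "cloud-only":
            result["cloud-only"].append(path.name)
            continue
        bucket = "suspect" if looks_encrypted(path) else "clean"
        result[bucket].append(path.name)
    return result


def run_demo() -> dict:
    """Build a constructed sample folder (not real incident data) and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "minutes.txt").write_bytes(b"Meeting notes, item 1...\n" * 200)
        (root / "budget.xlsx.locked").write_bytes(os.urandom(4096))  # ransomware-style rename
        (root / "archive.zip").write_bytes(os.urandom(4096))         # legitimately random
        (root / "tiny.txt").write_bytes(b"ok")                       # too small to judge
        return triage(root)


if __name__ == "__main__":
    for bucket, names in run_demo().items():
        print(f"{bucket}: {names}")
```

Run it against the sync root before deleting anything in step 1: the "suspect" bucket tells you which hydrated files would be pushed back to SharePoint if the client reconnected, while the "cloud-only" bucket is what Files On-Demand kept out of reach. The entropy heuristic is a tripwire, not proof; office formats and archives are already compressed, which is why the suffix allow-list exists, and a family that keeps the original extension will be caught only by the entropy check. The placeholder classification relies on `st_file_attributes`, so on non-Windows hosts every file is reported as local.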