Forum Discussion
how to recover from a ransomware attack that encrypts files on sharepoint
- Mar 05, 2019
There isn't an equivalent feature to the one described at https://support.office.com/en-us/article/restore-your-onedrive-fa231298-759d-41cf-bcd0-25ac53eb8a15. Microsoft can, I understand, restore a site collection on request via support for this sort of situation with mass data loss. It's alluded to here: https://blogs.technet.microsoft.com/sposupport/2016/09/19/handling-ransomware-in-sharepoint-online/. It's not a particularly flexible option, but it's good to have the possibility at least.
severt, there are a few more details here: http://icansharepoint.com/restoration-options-sharepoint-online/ ('Getting a Microsoft restoration', as well as what else is available).
PS:
1. You will need to break all the synchronisation links to the SharePoint site and delete the synchronised folders and files on local drives, to stop the encrypted files repopulating the SharePoint site once connected again.
2. Only a site owner can restore a library. If you are not a site owner, you will not see the option to restore.
3. Going forward, I would suggest using the sync on demand setting in OneDrive on the local drives, to minimise the spread of encrypted files to SharePoint. Our attack started at 6pm on Saturday and had all weekend to encrypt all synchronised files. An on-demand sync would have prevented this.
(Or does the malware not actually 'open' the files??)
- Ian Lee, Oct 02, 2019, Copper Contributor
Sync on demand relies on the user clicking on a file to download the file and sync to SharePoint. So there is no copy of the file on the local drive to encrypt.
You are correct that if someone downloads a file on demand whilst using an infected computer, then the file could be encrypted and synced back to SharePoint, but it would only be that one file and not all files as would happen if they were permanently synced.
Hopefully the user will have already realised that their computer had been infected before attempting a sync on demand.
- Rob Ellis, Oct 02, 2019, Bronze Contributor
Agreed, but my question is: does the malware itself issue an 'open' command for each file? Because if it does, then each 'cloud only' file would be synced down to the PC (because something on the PC asked to open the file) and then encrypted.
- Oct 02, 2019
Rob, you are correct. The on-demand is invisible to the API and user layer, so having files on demand on or not wouldn't have an effect here. The malware would still work the same; the OS would just trigger a download when the malware went to touch the files.
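The responder-side steps from the numbered PS list earlier in the thread (stop the sync, get the synchronised folders out of the way before relinking, move to Files On-Demand) together with the closing point that a cloud-only placeholder is downloaded the moment any process reads it, as an added PowerShell example. This is not code from the thread or from Microsoft. It assumes a Windows 10 1709 or later workstation, that the business account's synced SharePoint libraries are listed under the Business1\Tenants registry key with the local folder path as the value name (check this on your own build), a quarantine folder of C:\Quarantine, and a three-day incident window. The attribute bits are the documented Cloud Files API values from winnt.h, and FilesOnDemandEnabled is the documented OneDrive policy value.

```powershell
# Added example, not from the thread. Run in an elevated PowerShell 5.1+ session
# on the infected workstation before the SharePoint library is restored.

# Cloud Files API attribute bits (winnt.h). A file with RECALL_ON_DATA_ACCESS set
# has no local content; any read by any process makes the cloud filter fetch it.
$FILE_ATTRIBUTE_RECALL_ON_DATA_ACCESS = 0x400000
$FILE_ATTRIBUTE_PINNED                = 0x080000   # "Always keep on this device"

# 1. Stop the sync client so nothing further is uploaded while we work.
Get-Process -Name OneDrive -ErrorAction SilentlyContinue | Stop-Process -Force

# 2. Find the local folders synced to SharePoint libraries.
#    Assumption: one value per mount point under ...\Business1\Tenants\<tenant>,
#    the value name being the local path. Verify this key on your build.
function Get-SyncedLibraryPaths {
    $base = 'HKCU:\Software\Microsoft\OneDrive\Accounts\Business1\Tenants'
    if (-not (Test-Path $base)) { return @() }
    Get-ChildItem $base | ForEach-Object {
        $_.GetValueNames() | Where-Object { Test-Path -LiteralPath $_ }
    }
}

# 3. Classify files by attributes only. Never read contents here: reading a
#    placeholder hydrates it, which is exactly why Files On-Demand does not stop
#    an encryptor that opens every file (the point made at the end of the thread).
function Get-PlaceholderReport {
    param([Parameter(Mandatory)][string]$Path)
    Get-ChildItem -LiteralPath $Path -File -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $attr = [int]$_.Attributes.value__
            [pscustomobject]@{
                Path      = $_.FullName
                CloudOnly = [bool]($attr -band $FILE_ATTRIBUTE_RECALL_ON_DATA_ACCESS)
                Pinned    = [bool]($attr -band $FILE_ATTRIBUTE_PINNED)
                Modified  = $_.LastWriteTime
            }
        }
}

# 4. Quarantine (rather than delete) each synced folder so the encrypted copies
#    cannot be uploaded when the client is relinked, but stay available for forensics.
function Move-SyncedFolderToQuarantine {
    param([Parameter(Mandatory)][string]$Path,
          [string]$QuarantineRoot = "$env:SystemDrive\Quarantine")   # assumed location
    New-Item -ItemType Directory -Path $QuarantineRoot -Force | Out-Null
    $stamp = Get-Date -Format 'yyyyMMdd_HHmmss'
    $dest  = Join-Path $QuarantineRoot ((Split-Path $Path -Leaf) + '_' + $stamp)
    Move-Item -LiteralPath $Path -Destination $dest
    return $dest
}

# 5. Turn on the Files On-Demand policy for the rebuild; the client reads it at next start.
function Enable-FilesOnDemandPolicy {
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\OneDrive'
    New-Item -Path $key -Force | Out-Null
    New-ItemProperty -Path $key -Name 'FilesOnDemandEnabled' -Value 1 -PropertyType DWord -Force | Out-Null
}

# Usage: report first, quarantine once the incident window is understood.
$since = (Get-Date).AddDays(-3)   # assumed start of the incident window
foreach ($lib in Get-SyncedLibraryPaths) {
    $report  = @(Get-PlaceholderReport -Path $lib)
    $local   = @($report | Where-Object { -not $_.CloudOnly })
    $touched = @($local  | Where-Object { $_.Modified -ge $since })
    '{0}: {1} files, {2} with a local copy, {3} modified since {4}' -f $lib, $report.Count, $local.Count, $touched.Count, $since
    # Move-SyncedFolderToQuarantine -Path $lib   # uncomment after reviewing the report
}
Enable-FilesOnDemandPolicy
```

The report shows how many files in each library actually had a local copy during the window; with permanent sync that is every file, which matches the weekend-long encryption described earlier in the thread. Files On-Demand shrinks that number only for files nothing on the machine has opened, so the scan deliberately touches attributes and timestamps alone. Relink the client only after the library has been restored server-side, otherwise the quarantined (or any remaining) encrypted copies are what gets uploaded.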