SOLVED

how to recover from a ransomware attack that encrypts files on sharepoint

Hi all:

I work for a small organization that relies on Office 365 SharePoint sites. All 20 users have 365 for business licenses. I have my team set up using OneDrive, syncing the SharePoint sites to File Explorer locally. They can navigate our SharePoint sites in File Explorer and it looks to them like they are just using their local drive. So what happens when a user gets a cryptovirus that rolls through their local SharePoint folder, this syncs up to the SharePoint site, and now all of the files there are encrypted? I have been reading through Microsoft mitigation and recovery measures. I understand how a user can go back in time and recover their entire OneDrive from a ransomware attack. However, I cannot find how I, as the SharePoint Office 365 admin, can do a similar restore. Versioning is turned on and I can restore individual files. What I don't see are the controls for a SharePoint site that would allow me to do a similar mass restore from a previous point in time. Can someone point me to where this is documented?

11 Replies
It hasn't been released yet for SharePoint, the feature is Files Restore in OneDrive, but still waiting on the SharePoint one to be enabled.
Best Response confirmed by Juan Carlos González Martín (MVP)
Solution

There isn't an equivalent feature as there is for restoring OneDrive. Microsoft can, I understand, restore a site collection on request via support for this sort of situation with mass data loss. It's alluded to here - Handling Ransomware in SharePoint Online. It's not a particularly flexible option, but it's good to have the possibility at least.

@severt There are a few more details here: Restoration options in SharePoint Online and 'Getting a Microsoft restoration', as well as what else is available.


Thanks for the replies!

Disappointing though. My nightmare scenario is that one user gets the virus, it goes through all of the files locally, opens, encrypts, and saves the file with the same name and extension. They are propagated back to the SharePoint site. Now I have to individually restore all files. Ouch!

Looks like I will need to find a backup solution outside of Office 365.
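The scenario described in this post (files rewritten in place with the same name and extension, then pushed up by the sync client) leaves only two local signals: a burst of modifications and file contents that look like random bytes. The following script is an added example, not code from the thread or from Microsoft; it scans a synced library folder for that pattern and, with -StopSync, kills the OneDrive client as an emergency brake so no further encrypted versions reach SharePoint. The folder path is a hypothetical placeholder, and the entropy threshold is a heuristic (Office files are zip containers and also score high), so treat a hit as a trigger for investigation, not proof.

```powershell
# Added example (not from the thread). Heuristic detector for in-place
# ransomware rewrites inside a OneDrive-synced SharePoint library folder.
# Assumptions (not from the page): the synced library lives under $SyncRoot,
# and stopping OneDrive.exe is an acceptable emergency brake on this machine.
param(
    [string]$SyncRoot = "$env:USERPROFILE\Contoso\Documents - General",  # hypothetical path
    [int]$WindowMinutes = 15,
    [int]$BurstThreshold = 50,
    [double]$EntropyThreshold = 7.5,
    [switch]$StopSync
)

function Get-ByteEntropy {
    param([string]$Path, [int]$SampleBytes = 65536)
    # Shannon entropy in bits per byte over the first $SampleBytes of the file.
    # Encrypted or compressed data approaches 8.0; plain text sits around 4-5.
    $stream = [System.IO.File]::OpenRead($Path)
    try {
        $buf = New-Object byte[] $SampleBytes
        $n = $stream.Read($buf, 0, $SampleBytes)
    } finally { $stream.Dispose() }
    if ($n -eq 0) { return 0.0 }
    $counts = New-Object int[] 256
    for ($i = 0; $i -lt $n; $i++) { $counts[$buf[$i]]++ }
    $h = 0.0
    foreach ($c in $counts) {
        if ($c -gt 0) {
            $p = $c / $n
            $h -= $p * [Math]::Log($p, 2)
        }
    }
    return $h
}

$since = (Get-Date).AddMinutes(-$WindowMinutes)
# 0x400000 = FILE_ATTRIBUTE_RECALL_ON_DATA_ACCESS: a cloud-only placeholder
# with no local content. Reading it would hydrate it, which is exactly what a
# detector must not do, so placeholders are skipped.
$recent = Get-ChildItem -Path $SyncRoot -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -ge $since -and -not ($_.Attributes -band 0x400000) }

$suspicious = @(foreach ($f in $recent) {
    $h = Get-ByteEntropy -Path $f.FullName
    if ($h -ge $EntropyThreshold) {
        [pscustomobject]@{ Path = $f.FullName; Modified = $f.LastWriteTime; Entropy = [Math]::Round($h, 2) }
    }
})

Write-Host ("{0} high-entropy files modified in the last {1} minutes" -f $suspicious.Count, $WindowMinutes)
if ($suspicious.Count -ge $BurstThreshold) {
    $ordered = $suspicious | Sort-Object Modified
    $ordered | Select-Object -First 5 | Format-Table -AutoSize
    # The earliest write is the point the library must be restored to before.
    Write-Warning ("Mass-rewrite pattern detected; earliest suspicious write: {0}" -f $ordered[0].Modified)
    if ($StopSync) {
        # Emergency brake: stop the sync client so no further encrypted
        # versions are uploaded. Unlink the client before reconnecting.
        Stop-Process -Name OneDrive -Force -ErrorAction SilentlyContinue
    }
}
```

Run it from a scheduled task every few minutes on the synced machines; the earliest suspicious timestamp it reports is the value you need when choosing a rollback date for the library.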


Agreed, it would be very useful to have more options for this scenario without having to resort to 3rd party solutions. It wouldn't be surprising if Microsoft improves this situation in due course. Here is Microsoft's official position on Malware and Ransomware Protection in Office 365.

This is coming, they talked about it at Ignite, so I don't think it should be very much longer.

@severt 

Had the same issue recently... after being bounced between third-party supporters and MS for two weeks, finally got this suggestion as a final solution:

Go to the encrypted SharePoint site, click on the settings (cog) button on the top right, choose the "restore library" option, select the roll-back date, choose "restore"... then magic happens... all the encrypted files disappear!

 

Why on earth it took two weeks to tell us that God only knows, but I had all sites back up and running in 10 mins each. 


PS....

1. You will need to break all the synchronisation links to the SharePoint site and delete the synchronised folders and files on local drives, to stop the encrypted files repopulating the SharePoint site once connected again.

2. Only a site owner can restore a library. If you are a non site owner, you will not see the option to restore.

3. Going forwards I would suggest using the sync-on-demand setting in OneDrive on the local drives, to minimise the spread of encrypted files to SharePoint. Our attack started 6pm Saturday, and had all weekend to encrypt all synchronised files. An on-demand sync would have prevented this.
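"Restore this library" needs a date to roll back to, and step 1 above needs to know which user's sync client pushed the encrypted versions. Both can be read off the library's Modified and Editor metadata before anything is restored. The script below is an added example, not part of the thread or of Microsoft's documentation; it uses the PnP PowerShell module (Install-Module PnP.PowerShell) to pull every file's last-modified time and editor, buckets them per editor into short windows, and reports the earliest burst. The site URL and library name are hypothetical placeholders, the account running it is assumed to be a site owner, and Connect-PnPOnline -Interactive is assumed to work for the tenant (newer PnP releases also require a registered -ClientId).

```powershell
# Added example, not from the thread. Triage a library before clicking
# "Restore this library": find when the mass rewrite started and which
# account's sync client pushed it.
# Assumptions: $SiteUrl and $Library are hypothetical; the caller is a site
# owner; Connect-PnPOnline -Interactive works for this tenant.
param(
    [string]$SiteUrl = "https://contoso.sharepoint.com/sites/Finance",  # hypothetical
    [string]$Library = "Documents",
    [int]$BurstMinutes = 10,
    [int]$BurstThreshold = 25
)

Connect-PnPOnline -Url $SiteUrl -Interactive

# Pull only the fields needed; -PageSize keeps large libraries under the
# 5000-item list view threshold. Folders are skipped.
$items = Get-PnPListItem -List $Library -PageSize 500 -Fields "FileRef","Modified","Editor" |
    Where-Object { $_.FileSystemObjectType -eq "File" }

$writes = foreach ($i in $items) {
    [pscustomobject]@{
        Path     = $i["FileRef"]
        Modified = [datetime]$i["Modified"]
        Editor   = $i["Editor"].LookupValue
    }
}

# Bucket modifications into $BurstMinutes-wide windows per editor. A ransomware
# run shows up as one editor touching hundreds of files in a few buckets;
# normal collaboration rarely exceeds a couple of dozen per window.
$bursts = @($writes |
    Group-Object {
        $t = $_.Modified.ToUniversalTime()
        "{0}|{1:yyyy-MM-dd HH}:{2}" -f $_.Editor, $t, [math]::Floor($t.Minute / $BurstMinutes)
    } |
    Where-Object { $_.Count -ge $BurstThreshold } |
    Sort-Object { ($_.Group | Sort-Object Modified)[0].Modified })

if ($bursts.Count -eq 0) {
    "No modification burst of $BurstThreshold or more files per $BurstMinutes minutes found."
    return
}

$first = ($bursts[0].Group | Sort-Object Modified)[0]
"Earliest burst: {0:u} by {1}" -f $first.Modified.ToUniversalTime(), $first.Editor
"Restore the library to a point before that time, and unlink that user's sync client before reconnecting."

$bursts | ForEach-Object {
    $sorted = $_.Group | Sort-Object Modified
    [pscustomobject]@{
        Editor = $sorted[0].Editor
        From   = $sorted[0].Modified
        To     = $sorted[-1].Modified
        Files  = $_.Count
    }
} | Format-Table -AutoSize
```

The Editor column names the account whose sync client uploaded the encrypted versions; that is the machine to disconnect and clean before the restored library is synced again, otherwise the stale local copies will overwrite the restored files, as step 1 warns.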

Ref the Files On Demand option preventing the issue - I think it would depend - e.g. if the machine was online, then if the encryption process opens the file - surely the sync client would bring that file down to the local machine, the malware would then encrypt it, then the sync client would sync the change back up to 365?

(Or does the malware not actually 'open' the files??)

@Rob Ellis 

Sync on demand relies on the user clicking on a file to download the file and sync to SharePoint. So there is no copy of the file on the local drive to encrypt.

You are correct that if someone downloads a file on demand whilst using an infected computer, then the file could be encrypted and synced back to SharePoint, but it would only be that one file and not all files as would happen if they were permanently synced.

Hopefully the user will have already realised that their computer had been infected, before attempting a sync on demand.

Agreed - but my question is - does the malware itself issue an 'open' command for each file? Because if it does, then each 'cloud only' file would be synced down to the PC (because something on the PC asked to open the file) and then encrypted.
Rob, you are correct. Files On-Demand is invisible to the API and user layer, so having Files On-Demand on or not wouldn't have an effect here. The malware would still work the same; the OS would just trigger a download when the malware went to touch the files.