03-05-2019 06:52 AM
I work for a small organization that relies on Office 365 SharePoint sites. All 20 users have 365 for business licenses. I have my team set up using OneDrive syncing the SharePoint sites to File Explorer locally. They can navigate our SharePoint sites in File Explorer and it looks to them like they are just using their local drive. So what happens when a user gets a cryptovirus that rolls through their local SharePoint folder and this syncs up to the SharePoint site and now all of the files there are encrypted? I have been reading through Microsoft mitigation and recovery measures. I understand how a user can go back in time and recover their entire OneDrive from a ransomware attack. However, I cannot find how I, as the SharePoint Office 365 admin, can do a similar restore. Versioning is turned on and I can restore individual files. What I don't see are the controls for a SharePoint site that would allow me to do a similar mass restore from a previous point in time. Can someone point me to where this is documented?
03-05-2019 07:06 AM
03-05-2019 07:09 AM - edited 03-05-2019 07:20 AM - Solution
There isn't an equivalent feature as there is for restoring OneDrive. Microsoft can, on request via support, I understand, restore a site collection for this sort of situation with mass data loss. It's alluded to here - Handling Ransomware in SharePoint Online. It's not a particularly flexible option but it's good to have the possibility at least.
03-05-2019 07:25 AM
Thanks for the replies!
Disappointing though. My nightmare scenario is that one user gets the virus, it goes through all of the files locally, opens, encrypts, saves the file with the same name and extension. They are propagated back to the SharePoint site. Now I have to individually restore all files. Ouch!
Looks like I will need to find a backup solution outside of Office 365.
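The per-file version restore discussed above, scripted across a whole library, as an added example that is not part of the original thread. It assumes the PnP.PowerShell module and site-owner rights; the site URL, library name and cutoff time are placeholder or constructed values, and CSOM timestamps are assumed to be UTC.

```powershell
# Added example, not from the thread. Dry run by default: pass -Apply to restore.
param(
    [string]  $SiteUrl = 'https://contoso.sharepoint.com/sites/example',  # placeholder
    [string]  $Library = 'Documents',                                     # placeholder
    [datetime]$Cutoff  = '2019-03-02T18:00:00Z',  # constructed: last time files were known good
    [switch]  $Apply
)

Connect-PnPOnline -Url $SiteUrl -Interactive
$cutoffUtc = $Cutoff.ToUniversalTime()   # assumption: SharePoint returns UTC timestamps

$items = Get-PnPListItem -List $Library -PageSize 500 |
    Where-Object { $_.FileSystemObjectType -eq 'File' }

$report = foreach ($item in $items) {
    $url = $item.FieldValues['FileRef']
    # A current version older than the cutoff was not rewritten afterwards: skip it.
    if ([datetime]$item.FieldValues['Modified'] -le $cutoffUtc) { continue }

    # Get-PnPFileVersion lists previous versions only (not the current one).
    $good = Get-PnPFileVersion -Url $url |
        Where-Object { $_.Created -le $cutoffUtc } |
        Sort-Object Created -Descending |
        Select-Object -First 1

    if (-not $good) {
        # File created after the cutoff, or history trimmed: needs a manual decision.
        [pscustomobject]@{ File = $url; Action = 'NoVersionBeforeCutoff'; Version = $null }
        continue
    }
    if ($Apply) {
        Restore-PnPFileVersion -Url $url -Identity $good.ID -Force
    }
    [pscustomobject]@{
        File    = $url
        Action  = if ($Apply) { 'Restored' } else { 'WouldRestore' }
        Version = $good.VersionLabel
    }
}

# Keep a record of what was (or would be) rolled back, then summarise.
$report | Export-Csv -Path .\restore-report.csv -NoTypeInformation
$report | Group-Object Action | Select-Object Name, Count
```

Review the dry-run CSV before running with -Apply; files reported as NoVersionBeforeCutoff have nothing older to roll back to.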
03-05-2019 07:35 AM
Agreed, it would be very useful to have more options for this scenario without having to resort to 3rd party solutions. It wouldn't be surprising if Microsoft improves this situation in due course. Here is Microsoft's official position on Malware and Ransomware Protection in Office 365.
03-05-2019 08:14 AM
10-01-2019 02:32 PM
Had the same issue recently... after being bounced between third party supporters and MS for two weeks, finally got this suggestion as a final solution:
Go to the encrypted SharePoint site, click on the settings (cog) button on the top right, choose "restore library" option and select roll back date, choose "restore"... then magic happens... all the encrypted files disappear!
Why on earth it took two weeks to tell us that God only knows, but I had all sites back up and running in 10 mins each.
10-02-2019 04:51 AM
1. You will need to break all the synchronisation links to the SharePoint site and to delete the synchronised folders and files on local drives, so as to stop the encrypted files repopulating the SharePoint site once connected again.
2. Only a site owner can restore a library. If you are a non site owner, you will not see the option to restore.
3. Going forwards I would suggest using the sync on demand setting in OneDrive on the local drives, to minimise the spread of encrypted files to SharePoint. Our attack started 6pm Saturday, and had all weekend to encrypt all synchronised files. An on demand sync would have prevented this.
10-02-2019 05:12 AM
10-02-2019 05:34 AM
Sync on demand relies on the user clicking on a file to download the file and sync to SharePoint. So there is no copy of the file on the local drive to encrypt.
You are correct that if someone downloads a file on demand whilst using an infected computer, then the file could be encrypted and synced back to SharePoint, but it would only be that one file and not all files as would happen if they were permanently synced.
Hopefully the user will have already realised that their computer had been infected, before attempting a sync on demand.
10-02-2019 05:52 AM
10-02-2019 06:36 AM