Handling Ransomware in Sharepoint Online

What is Ransomware or a Crypto Virus?

Ransomware is malware that blocks access to files or systems and demands a ransom before its creator will release the lock they have imposed.  Once the ransom is paid, the creator of the ransomware will presumably provide whatever is needed to regain access.

For more information on Ransomware please visit https://www.microsoft.com/security/portal/mmpc/shared/ransomware.aspx

How does it work with SharePoint Online or OneDrive for Business?

The ransomware is an executable of some sort that is run locally on a user's computer.  The ransomware that we have seen affect SharePoint Online or OneDrive for Business has been manipulating individual files on the user's local machine via a OneDrive for Business sync connection or a mapped drive into a SharePoint Online library. Once this occurs, the infected files are synchronized to the online environment by the sync client or, as mentioned, via various WebDAV methods. We have seen various manipulations of the files, including public/private key encryption, appending an unknown extension to the filename, and deleting existing files. In addition, many new files are typically added to each directory with instructions on how to pay the ransom.

How do I confirm the items of a library are being held for ransom?

Here are some of the signs that a SharePoint Online library has been hit by ransomware:

  • The majority of the files within the library have the same Modified timestamp (and the same Modified By user).
  • Files fail to open, stating that they are possibly corrupt.
  • Each directory within the library contains several files named HELP_DECRYPT, HELP_Recover or some random names.  These files can be opened and contain instructions for paying the ransom.
  • Files have been renamed or have an extension appended to the end of the filename.
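As an added example (not code from the original article), the following Python script applies the signs above to a library listing so an administrator can triage a library before opening a ticket. It works over a constructed sample listing embedded inline (folder, file name, Modified timestamp, Modified By user), which is the shape of a document library view exported to CSV; the field names, the note-name prefixes and the extension list are assumptions for illustration.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample export of a document library view (not real customer data).
# Each row: (folder, file name, Modified timestamp, Modified By user).
SAMPLE_LISTING = [
    ("Finance",  "Q1-budget.xlsx.locked", "2016-03-02 09:14:03", "jdoe"),
    ("Finance",  "vendors.docx.locked",   "2016-03-02 09:14:05", "jdoe"),
    ("Finance",  "forecast.pptx.locked",  "2016-03-02 09:14:09", "jdoe"),
    ("Finance",  "HELP_DECRYPT.txt",      "2016-03-02 09:14:10", "jdoe"),
    ("Finance",  "HELP_DECRYPT.html",     "2016-03-02 09:14:10", "jdoe"),
    ("Projects", "roadmap.docx.locked",   "2016-03-02 09:15:01", "jdoe"),
    ("Projects", "kickoff.pptx.locked",   "2016-03-02 09:15:04", "jdoe"),
    ("Projects", "HELP_DECRYPT.txt",      "2016-03-02 09:15:06", "jdoe"),
    ("Projects", "HELP_DECRYPT.html",     "2016-03-02 09:15:06", "jdoe"),
    ("Projects", "team-photo.jpg",        "2015-11-20 16:40:12", "asmith"),
    ("Finance",  "old-policy.pdf",        "2015-08-03 11:02:55", "asmith"),
]

# Note-name prefixes taken from the article; the extension list is an assumption.
RANSOM_NOTE_PREFIXES = ("HELP_DECRYPT", "HELP_RECOVER")
KNOWN_EXTENSIONS = {"docx", "xlsx", "pptx", "doc", "xls", "ppt",
                    "pdf", "txt", "html", "jpg", "png", "csv"}


def modification_burst(rows, window=timedelta(minutes=5)):
    """Largest number of files modified inside one `window`, and the user
    who made most of those modifications (sign 1: same Modified timestamp)."""
    events = sorted((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), user)
                    for _, _, ts, user in rows)
    best_count, best_user, start = 0, None, 0
    for end in range(len(events)):
        # Slide the window start forward until the span fits in `window`.
        while events[end][0] - events[start][0] > window:
            start += 1
        count = end - start + 1
        if count > best_count:
            best_count = count
            users = Counter(u for _, u in events[start:end + 1])
            best_user = users.most_common(1)[0][0]
    return best_count, best_user


def ransom_note_candidates(rows):
    """Sign 3: files with a known note prefix, plus any file name that shows
    up in every folder of the library (notes are dropped into each directory)."""
    by_folder = defaultdict(set)
    for folder, name, _, _ in rows:
        by_folder[folder].add(name)
    named = {name for _, name, _, _ in rows
             if name.upper().startswith(RANSOM_NOTE_PREFIXES)}
    everywhere = (set.intersection(*by_folder.values())
                  if len(by_folder) > 1 else set())
    return sorted(named | everywhere)


def appended_extension_files(rows):
    """Sign 4: a known document extension followed by an unknown one,
    e.g. report.docx.locked."""
    flagged = []
    for _, name, _, _ in rows:
        parts = name.lower().split(".")
        if (len(parts) >= 3 and parts[-1] not in KNOWN_EXTENSIONS
                and parts[-2] in KNOWN_EXTENSIONS):
            flagged.append(name)
    return flagged


def analyze_library(rows, window=timedelta(minutes=5), burst_threshold=0.5):
    """Combine the indicators; a burst alone is not enough (a bulk upload
    looks the same), so require notes or appended extensions as well."""
    count, user = modification_burst(rows, window)
    ratio = count / len(rows) if rows else 0.0
    notes = ransom_note_candidates(rows)
    renamed = appended_extension_files(rows)
    return {
        "burst_ratio": round(ratio, 2),
        "burst_user": user,
        "ransom_notes": notes,
        "appended_extensions": renamed,
        "likely_ransomware": ratio >= burst_threshold and bool(notes or renamed),
    }


if __name__ == "__main__":
    print(analyze_library(SAMPLE_LISTING))
```

The burst user and the earliest timestamp in the burst are exactly the two facts the ticket asks for later on this page (which account's sync client to stop, and the last known healthy time), so they are worth capturing before any files are touched.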

How are we able to help!?  

Unfortunately, we typically wouldn't be able to block the affected items from being uploaded to SharePoint Online, as we have no knowledge of the encryption keys or mechanism used to impose the lock, and we allow encrypted files on SharePoint Online. That being said, don't PANIC! Immediately stop OneDrive for Business sync or disconnect the mapped drive to the SharePoint library, and have your Company Administrator/end user attempt a OneDrive Files Restore (noted below).

Note: Do not perform any actions like renaming or deleting the files.

Update!   -  Please note that OneDrive for Business (ODB) Files Restore has been released, so version and change rollbacks can be done by the end user! - https://techcommunity.microsoft.com/t5/OneDrive-Blog/Announcing-New-OneDrive-for-Business-feature-Files-Restore/ba-p/147436

If for any reason the ODB Files Restore does not fix the issue, please have the administrator include the following details when submitting the help ticket.

  1. Which site collection URL(s) have been affected by ransomware?
  2. When was the last known time that these files were in a healthy state?

Comments (13)

  1. So the fastest way we could come up with to stop the sync client as soon as possible is the following:

    Build firewall rule to block groove.exe or PowerShell desired state config and shoot it out to the clients. {kudos to Mr. Swann at Ignite for that latter suggestion}

    1. Thanks for the suggestion Susan! A great way to quickly block the client.

      Please consider the fact that the Next Generation Sync Client will be “OneDrive.exe”, so you will want a rule for that as well.

  2. Per Ove Sandhåland says:

    If you have versioning activated on your SharePoint library, you might be able to revert back to an earlier version.

    I guess no malware has been able to encrypt all versions yet?

    1. That’s correct. Remember that most of these viruses are not specifically targeting SharePoint Online or OneDrive sites, so we are able to roll back versioning or many other events that occurred.

  3. Mike Crowley says:

    Sadly, Microsoft Office 365 Support personnel have no idea how to handle these cases. I opened a case *2 days ago* citing this and another TechNet article as well as explicit instructions on what site to recover and when. They took 24 hours to get back to me, only to ask me to send a screenshot of the site’s recycle bin. This seems irrelevant to me, but I did it and that was yesterday. Since then it’s been crickets and my customer’s entire site has been down for 2 days. I’ve been emailing every 4 hours and it’s mostly silence in response. I will recommend 3rd party solutions to customers interested in SPO, as Office 365 support is a joke.

    1. Hey Mike,

      I apologize that you have been having this experience and want to get this handled for you.

      Do you have a case number you could provide me or a way I can contact you?

      Please private message me any details.



      1. Mike Crowley says:

        Sam, forgive my ignorance, but I’m not sure how to direct message you through the blog, and I didn’t see your contact info posted. You can email me at mike a-t mikecrowley.us

        1. Sorry for the confusion Mike.

          I’ll be reaching out to you shortly.

          1. AI.ingham says:

            Hi Sam, I know I am a bit late to this party, but is there any way you can give me assistance on a recovery of my own org’s site?

          2. No problem! If you haven’t already can you open a support ticket from the admin portal? Once this is opened please provide the number and we will work with you to get this issue resolved.

      2. DrupalGirl says:

        We are having the same issue. Our whole organization is out of commission because we cannot open files and still waiting for MS to restore files. Here is our ticket #12486162. Help!

        1. I’ll contact you ASAP and we will get this resolved!

  4. Mike Crowley says:

    Sam, thanks for reaching out so quickly and assisting with the site restore. The site is good to go! Looking forward to self-service enhancements in the future.
