Handling Ransomware in Sharepoint Online

What is Ransomware or a Crypto Virus?

Ransomware is malware that blocks access to files or other data, typically by encrypting them, and demands a ransom in return for releasing the lock. Once the ransom is paid, the creator of the ransomware will presumably provide whatever is needed to regain access.

For more information on ransomware, please visit https://www.microsoft.com/security/portal/mmpc/shared/ransomware.aspx

How does it work with SharePoint Online or OneDrive for Business?

The ransomware is an executable of some sort that is run locally on a user's computer. The ransomware we have seen affect SharePoint Online or OneDrive for Business manipulates individual files on the user's local machine through a OneDrive for Business sync connection or a drive mapped to a SharePoint Online library. Once this happens, the infected files are synchronized to the online environment by the sync client or, for mapped drives, via WebDAV. We have seen various manipulations of the files, including public/private-key encryption, appending an unknown extension to the filename, and deleting existing files. In addition, several new files are typically added to each directory with instructions on how to pay the ransom.

How do I confirm the items of a library are being held for ransom?

Here are some of the signs that a SharePoint Online library has been hit by ransomware:

  • The majority of the files in the library show the same Modified By user and the same, or nearly the same, Modified timestamp.
  • Files fail to open, with an error stating that they may be corrupt.
  • Each directory in the library contains several files named HELP_DECRYPT, HELP_Recover or some random name. These files open normally and contain instructions for paying the ransom.
  • Files have been renamed or have an extra extension appended to the end.
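As an added example (not part of the original article), the following PowerShell function applies the signs above as a quick triage heuristic to a listing of library items. It assumes each item exposes a server-relative Path, a Modified timestamp and a ModifiedBy user; in practice you would populate the array from an exported library view or a PnP PowerShell query rather than from the constructed sample at the bottom.

```powershell
# Added example, not from the original article: triage a library listing for the
# ransomware signs described above. The item shape (Path, Modified, ModifiedBy)
# and the sample data are assumptions made for this example.

function Get-ParentFolder([string]$Path) {
    # Folder part of a server-relative path such as "Shared Documents/Finance/Q1.xlsx".
    if ($Path -match '^(.*)/[^/]+$') { $Matches[1] } else { '' }
}

function Test-LibraryForRansomware {
    param(
        [Parameter(Mandatory)] [object[]] $Items,
        # Share of items changed by one account within one clock hour that counts as a burst.
        [double]   $BurstThreshold = 0.8,
        # Wildcards for the ransom-note files dropped into each folder.
        [string[]] $NotePatterns = @('HELP_DECRYPT*', 'HELP_RECOVER*', '*DECRYPT*INSTRUCTION*', '*RESTORE*FILES*'),
        # Extensions you expect in this library; anything else is treated as renamed/appended.
        [string[]] $KnownExtensions = @('.docx', '.xlsx', '.pptx', '.pdf', '.txt', '.csv', '.jpg', '.png', '.zip')
    )

    $reasons = New-Object 'System.Collections.Generic.List[string]'

    # Sign 1: most of the library was modified by one account inside a short window.
    $top = $Items |
        Group-Object -Property { '{0} @ {1:yyyy-MM-dd HH}:00' -f $_.ModifiedBy, [datetime]$_.Modified } |
        Sort-Object -Property Count -Descending |
        Select-Object -First 1
    $burstRatio = $top.Count / $Items.Count
    if ($burstRatio -ge $BurstThreshold) {
        $reasons.Add(('{0:P0} of {1} items modified by {2}' -f $burstRatio, $Items.Count, $top.Name))
    }

    # Signs 2 and 3: ransom-note files, and documents carrying an unexpected extension.
    $notes   = @()
    $renamed = @()
    foreach ($item in $Items) {
        $name = [System.IO.Path]::GetFileName($item.Path)
        if (@($NotePatterns | Where-Object { $name -like $_ }).Count -gt 0) {
            $notes += $item
            continue                       # a ransom note is not a renamed document
        }
        $ext = [System.IO.Path]::GetExtension($name).ToLowerInvariant()
        if ($ext -and ($KnownExtensions -notcontains $ext)) { $renamed += $item }
    }
    $noteFolders = @($notes | ForEach-Object { Get-ParentFolder $_.Path } | Sort-Object -Unique)
    $allFolders  = @($Items | ForEach-Object { Get-ParentFolder $_.Path } | Sort-Object -Unique)
    if ($notes.Count -gt 0) {
        $reasons.Add(('ransom-note files present in {0} of {1} folders' -f $noteFolders.Count, $allFolders.Count))
    }
    if ($renamed.Count -gt 0) {
        $reasons.Add(('{0} files with an unexpected extension' -f $renamed.Count))
    }

    # One sign alone can be benign (a bulk migration by one user); require two before raising it.
    [pscustomobject]@{
        Suspicious   = ($reasons.Count -ge 2)
        Reasons      = $reasons.ToArray()
        RansomNotes  = @($notes   | Select-Object -ExpandProperty Path)
        RenamedFiles = @($renamed | Select-Object -ExpandProperty Path)
    }
}

# Constructed sample listing (not real tenant data): one account rewrote nearly every
# file within minutes, appended a .locked extension and dropped HELP_DECRYPT.txt per folder.
$sample = @(
    [pscustomobject]@{ Path = 'Shared Documents/Finance/Q1.xlsx.locked';     Modified = '2017-05-02 13:04'; ModifiedBy = 'alice@contoso.com' }
    [pscustomobject]@{ Path = 'Shared Documents/Finance/Budget.docx.locked'; Modified = '2017-05-02 13:05'; ModifiedBy = 'alice@contoso.com' }
    [pscustomobject]@{ Path = 'Shared Documents/Finance/HELP_DECRYPT.txt';   Modified = '2017-05-02 13:05'; ModifiedBy = 'alice@contoso.com' }
    [pscustomobject]@{ Path = 'Shared Documents/HR/Handbook.pdf.locked';     Modified = '2017-05-02 13:06'; ModifiedBy = 'alice@contoso.com' }
    [pscustomobject]@{ Path = 'Shared Documents/HR/HELP_DECRYPT.txt';        Modified = '2017-05-02 13:06'; ModifiedBy = 'alice@contoso.com' }
    [pscustomobject]@{ Path = 'Shared Documents/Marketing/Logo.png';         Modified = '2017-03-14 09:12'; ModifiedBy = 'bob@contoso.com' }
)

Test-LibraryForRansomware -Items $sample | Format-List Suspicious, Reasons, RansomNotes, RenamedFiles
```

On the sample above all three signs fire (five of six items by one account in one hour, notes in two of three folders, three files with a `.locked` extension), so Suspicious comes back true. The two-sign threshold is deliberate: a single burst of edits by one user is exactly what a legitimate bulk upload or migration looks like, so treat a lone sign as a prompt to look, not as a verdict.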

How are we able to help?

Unfortunately, we typically cannot block the affected items from being uploaded to SharePoint Online, nor unlock them afterwards: we have no knowledge of the encryption keys or mechanism used to impose the lock, and encrypted files are permitted on SharePoint Online. That said, don't panic! Immediately stop OneDrive for Business sync or disconnect the mapped drive to the SharePoint library, and have your Company Administrator or end user attempt a OneDrive Files Restore (noted below).

Note: Do not perform any actions like renaming or deleting the files.

Update!   -  Please note that OneDrive for Business (ODB) Files Restore has been released, and version/change rollbacks can be done by the end user: https://techcommunity.microsoft.com/t5/OneDrive-Blog/Announcing-New-OneDrive-for-Business-feature-Files-Restore/ba-p/147436

If for any reason ODB Files Restore does not fix the issue, please have the administrator include the following details when submitting the help ticket:

  1. What is the site collection URL(s) that have been affected by Ransomware?
  2. When was the last known time that these files were in a healthy state?

Comments (4)

  1. So the fastest way we could come up with to stop the sync client as soon as possible is the following:

    Build a firewall rule to block groove.exe, or a PowerShell Desired State Configuration, and shoot it out to the clients. {kudos to Mr. Swann at Ignite for that latter suggestion}

    1. Thanks for the suggestion Susan! A great way to quickly block the client.

      Please consider the fact that the Next Generation Sync Client will be “OneDrive.exe”, so you will want a rule for that as well.
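As an added example (not from the article or the comments above), this PowerShell script does what the comment suggests on a single Windows endpoint: it kills the running sync clients, creates an outbound Windows Firewall block rule for every copy of groove.exe and OneDrive.exe it finds, and stops the WebDAV client service that a mapped drive would use. The install paths searched and the rule naming are assumptions; run it elevated and push it out with whatever management tooling you already have.

```powershell
# Added example, not from the article or the comment above: emergency kill and
# firewall block of the OneDrive for Business sync clients on a Windows endpoint,
# so an infected machine stops pushing encrypted files into SharePoint Online.
# Run elevated. The install paths and rule names below are assumptions.

$syncClients = @('groove.exe', 'OneDrive.exe')   # legacy ODB client and Next Generation Sync Client

# 1. Kill running instances first; a firewall rule only stops new connections.
Get-Process -Name ($syncClients -replace '\.exe$', '') -ErrorAction SilentlyContinue |
    Stop-Process -Force

# 2. Locate every installed copy. groove.exe ships with Office; OneDrive.exe is usually a
#    per-user install under each profile, so a single %LOCALAPPDATA% path is not enough.
$searchRoots = @(
    "$env:ProgramFiles\Microsoft Office*",
    "${env:ProgramFiles(x86)}\Microsoft Office*",
    "$env:ProgramFiles\Microsoft OneDrive",
    "$env:SystemDrive\Users\*\AppData\Local\Microsoft\OneDrive"
)
$binaries = Get-ChildItem -Path $searchRoots -Recurse -Include $syncClients -File -ErrorAction SilentlyContinue

# 3. One outbound block rule per binary. Windows Firewall matches on the executable path,
#    so each copy found needs its own rule.
$rules = foreach ($exe in $binaries) {
    $displayName = "Ransomware response - block $($exe.FullName)"
    $existing = Get-NetFirewallRule -DisplayName $displayName -ErrorAction SilentlyContinue
    if ($existing) { $existing; continue }
    New-NetFirewallRule -DisplayName $displayName -Description 'Temporary block while cleaning ransomware' `
        -Direction Outbound -Action Block -Program $exe.FullName -Profile Any -Enabled True
}

# 4. A drive mapped to a SharePoint library does not use the sync client at all; it goes
#    through the WebClient (WebDAV) service, so stop that too if mapped drives are in use.
Stop-Service -Name WebClient -Force -ErrorAction SilentlyContinue

# 5. Verify: each rule must exist and be enabled, and the firewall profiles must be on,
#    otherwise the block rule is never evaluated.
$rules | Select-Object DisplayName, Enabled, Action,
    @{ n = 'Program'; e = { ($_ | Get-NetFirewallApplicationFilter).Program } }
Get-NetFirewallProfile | Select-Object Name, Enabled
```

Once the library has been restored and the machine cleaned, remove the temporary rules with `Get-NetFirewallRule -DisplayName 'Ransomware response - *' | Remove-NetFirewallRule` and start the WebClient service again. Note that this only stops further uploads; it does not undo anything already synchronized, which is what the Files Restore and version history steps are for.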

  2. Per Ove Sandhåland says:

    If you have versioning activated on your SharePoint library, you might be able to revert back to an earlier version.

    I guess no malware has been able to encrypt all versions yet?

    1. That’s correct. Remember that most of these viruses are not specifically targeting SharePoint Online or OneDrive sites, so we are able to roll back versioning or many other events that occurred.
