Handling Ransomware in SharePoint Online

What is Ransomware or a Crypto Virus?

Ransomware is malware that blocks access to files or systems and demands a ransom in return for releasing the lock it has imposed. Once the ransom is paid, the creator of the ransomware will presumably provide whatever is needed to regain access.

For more information on Ransomware please visit https://www.microsoft.com/security/portal/mmpc/shared/ransomware.aspx

How does it work with SharePoint Online or OneDrive for Business?

The ransomware is an executable of some sort that is run locally on a user's computer. The ransomware that we have seen affect SharePoint Online or OneDrive for Business has been manipulating individual files on the user's local machine through a OneDrive for Business sync connection or a mapped drive into a SharePoint Online library. Once this occurs, the infected files are synchronized to the online environment by the sync client or, in the mapped-drive case, through WebDAV. We have seen various manipulations of the files, including public/private key encryption, appending an unknown extension to the filename, and deleting existing files. In addition, a large number of new files are typically added to each directory with instructions on how to pay the ransom.

How do I confirm the items of a library are being held for ransom?

Here are some of the signs that a SharePoint Online library has been hit by ransomware:

  • The majority of the files within the library share the same Modified timestamp.
  • Files fail to open, with an error stating that they are possibly corrupt.
  • Each directory within the library contains several files named HELP_DECRYPT, HELP_Recover or some random name. These files can be opened and contain instructions for paying the ransom.
  • Files have been renamed or have an extension appended to the end.
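As an added example (not part of the original article), the following Python script applies the signs above to a flattened library listing: it looks for a large cluster of identical Modified timestamps, ransom-note files in every folder, and document names with an extra extension appended. The listing, the file names and the note prefixes are constructed sample data; in practice the listing would be exported from the affected library by the administrator.

```python
from collections import Counter

# Constructed sample listing of a SharePoint Online library (not real data).
# Each entry: (folder, file name, Modified timestamp, Modified By).
LIBRARY_LISTING = [
    ("Shared Documents", "budget.xlsx.locked", "2018-02-01T09:14:02", "user@example.com"),
    ("Shared Documents", "plan.docx.locked", "2018-02-01T09:14:02", "user@example.com"),
    ("Shared Documents", "HELP_DECRYPT.txt", "2018-02-01T09:14:03", "user@example.com"),
    ("Shared Documents/Q1", "report.pdf.locked", "2018-02-01T09:14:02", "user@example.com"),
    ("Shared Documents/Q1", "HELP_Recover.html", "2018-02-01T09:14:03", "user@example.com"),
    ("Shared Documents/Q1", "notes.txt", "2017-11-20T16:30:00", "user@example.com"),
]

# Note-file prefixes taken from the signs listed in the article; extend as needed.
RANSOM_NOTE_PREFIXES = ("HELP_DECRYPT", "HELP_RECOVER")
# Extensions normally found in the library (assumed; tune to your own content).
KNOWN_EXTENSIONS = {"docx", "xlsx", "pptx", "pdf", "txt", "html", "jpg", "png"}


def is_ransom_note(name):
    """True if the file name starts with one of the known note prefixes."""
    return name.upper().startswith(RANSOM_NOTE_PREFIXES)


def has_appended_extension(name):
    """True for names like budget.xlsx.locked: a known extension followed by an unknown one."""
    parts = name.lower().split(".")
    return len(parts) >= 3 and parts[-2] in KNOWN_EXTENSIONS and parts[-1] not in KNOWN_EXTENSIONS


def assess_library(listing, cluster_threshold=0.5):
    """Score the listing against the three signs and return the evidence found."""
    # Bucket Modified timestamps by minute; a mass rewrite lands in one bucket.
    minute_counter = Counter(ts[:16] for _, _, ts, _ in listing)
    top_minute, top_count = minute_counter.most_common(1)[0]
    folders = {folder for folder, _, _, _ in listing}
    folders_with_notes = {folder for folder, name, _, _ in listing if is_ransom_note(name)}
    renamed = [name for _, name, _, _ in listing if has_appended_extension(name)]
    fraction = top_count / len(listing)
    return {
        "cluster_minute": top_minute,
        "cluster_fraction": fraction,
        "folder_count": len(folders),
        "folders_with_notes": len(folders_with_notes),
        "renamed_files": renamed,
        "likely_ransomware": bool(fraction >= cluster_threshold and (folders_with_notes or renamed)),
    }
```

A positive result is a cue to stop the sync client or disconnect the mapped drive and start the restore steps described in the rest of this article.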

How are we able to help?

Unfortunately, we typically cannot block the affected items from being uploaded to SharePoint Online, because we have no knowledge of the encryption keys or the mechanism used to impose the lock, and encrypted files are allowed on SharePoint Online. That said, don't PANIC! Immediately stop OneDrive for Business sync or disconnect the mapped drive to the SharePoint library, and have your Company Administrator or end user attempt a OneDrive Files Restore (noted below).

Note: Do not perform any actions such as renaming or deleting the files.

Update! - Please note that ODB Files Restore has been released, and version/change rollbacks can be done by the end user: https://techcommunity.microsoft.com/t5/OneDrive-Blog/Announcing-New-OneDrive-for-Business-feature-Files-Restore/ba-p/147436

If for any reason the ODB Files Restore does not fix the issue, please have the administrator include the following details when submitting the help ticket.

  1. What is the site collection URL(s) that have been affected by Ransomware?
  2. When was the last known time that these files were in a healthy state?