How to Recover from a Ransomware Attack in Office 365
By Chris Brunau
Before another ransomware attack wreaks havoc across the globe, wouldn’t it be a great time to learn how to recover your data? As we discussed recently, SaaS apps aren’t immune to ransomware attacks. WannaCry targets on-premises systems, particularly those running older, unsupported operating systems like Windows XP and Windows Server 2003. However, most strains of ransomware target Microsoft productivity apps such as Word and Excel, whether they are on-premises or in the cloud. Ransomware can easily spread to Office 365 via ActiveSync and OneDrive Sync or to Google Apps via the Google Drive sync capability. So, creating an independent backup with a SaaS backup tool such as Backupify ensures you will be able to recover data following a security breach.
In this blog, we discuss how you can recover your Office 365 data after a ransomware attack.
Go offline
When you discover ransomware on a system, remove the system from the network immediately. Unplug any Ethernet cables and turn off any Wi-Fi connections on the device. Isolate the system to prevent ransomware from infecting other networked systems. Disable sync services, such as OneDrive Sync, to prevent the system from syncing any ransomware-encrypted files to OneDrive and other cloud services. Pause the OneDrive sync client on the local device, if possible.
Restore files with OneDrive for Business
You may be able to revert to an earlier version of a ransomware-encrypted file since OneDrive for Business saves file version histories. From a system not affected by ransomware, access OneDrive in the browser, select a file, then choose “Version History.” A list of the saved versions of the file—with modification dates—will display. You can view earlier versions of the file, then choose “Restore” when you find a version not affected by ransomware. Version history has limits, though.
Version history works well for Office documents, such as Word, Excel, and PowerPoint files. But OneDrive for Business won’t keep version histories for files from non-Office applications. So that AutoCAD, Photoshop, or video file saved to OneDrive won’t offer the “Version History” option. As of January 2017, unless your file is a Microsoft Office file, only one version will be saved.
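As an added example (not from the original post, Microsoft, or Backupify), the sketch below applies the version-history check above to many files at once: for each file it picks the newest version saved before the attack began, and flags files with no such version, such as single-version non-Office files, for restore from backup. The metadata layout, file names, and timestamps are constructed assumptions, and a pre-attack timestamp is only a first filter, so open the chosen version to confirm it is readable before restoring.

```python
from datetime import datetime

# Constructed sample: per-file version history as (version label, modified time).
# The layout is an assumption; real data would be exported from OneDrive for Business.
SAMPLE_HISTORY = {
    "Budget.xlsx": [("1.0", "2017-05-10T09:00:00"), ("2.0", "2017-05-11T16:30:00"),
                    ("3.0", "2017-05-12T08:47:00")],  # 3.0 written during the attack
    "Plan.docx": [("1.0", "2017-05-09T14:00:00"), ("2.0", "2017-05-12T08:46:00")],
    "Site.dwg": [("1.0", "2017-05-12T08:48:00")],     # non-Office file: one version only
    "Notes.docx": [("1.0", "2017-05-08T10:00:00")],   # not modified since before the attack
}


def last_clean_version(versions, first_encryption):
    """Return the newest (label, time) saved strictly before the attack, or None."""
    clean = [(label, datetime.fromisoformat(ts)) for label, ts in versions
             if datetime.fromisoformat(ts) < first_encryption]
    return max(clean, key=lambda v: v[1]) if clean else None


def recovery_plan(history, first_encryption):
    """Map each file to (action, version label) based on modification times only."""
    plan = {}
    for name, versions in history.items():
        newest = max(versions, key=lambda v: datetime.fromisoformat(v[1]))
        clean = last_clean_version(versions, first_encryption)
        if clean is None:
            # Every stored version postdates the attack: version history cannot help.
            plan[name] = ("restore_from_backup", None)
        elif clean[0] == newest[0]:
            plan[name] = ("current_version_ok", clean[0])
        else:
            plan[name] = ("restore_version", clean[0])
    return plan


if __name__ == "__main__":
    cutoff = datetime.fromisoformat("2017-05-12T08:45:00")  # constructed incident time
    for name, (action, label) in recovery_plan(SAMPLE_HISTORY, cutoff).items():
        print(f"{name:12} {action:20} {label or '-'}")
```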
Attempt on-device recovery
You may still need to attempt to recover files from the ransomware-affected device. Run a complete scan of the system with your security software. Or, try a complete scan with Microsoft’s Malicious Software Removal Tool, followed by Windows Defender Offline.
Restore from backup
An uninfected copy of your data offers the only real protection from ransomware. If you know your data is backed up, you can start again: erase your device, reinstall your apps, then restore your data.
Backupify delivers cloud recovery of your Office 365 data. You can select a time before your files were locked by ransomware. Backupify restores your email, files, folders, contacts, and calendar items in their original, unlocked formats.
And, since it is in the cloud, you can even switch to a different device, log in, and restore your data to Office 365 from your Backupify data snapshots.
Rebuild/Reimage
After you’ve recovered your data, you next need to restore your system to a healthy state. Often, you’ll do this by restoring a standard disk image that contains your operating system and a default set of apps. Most large organizations store a few standard setups to aid a fast recovery. In the worst case, you’ll have to meticulously reinstall everything manually: wiping the drive, installing an operating system, then reinstalling your apps, then recovering your data from backups.