Ransomware Recovery in G Suite

If Google Docs, Sheets, or Slides are encrypted, you may be able to manually recover the file. Login to Google Drive from a separate, secure system — not the ransomware-afflicted one! — and open an affected Doc, for example, in Chrome. Go to File > See revision history. Look through the versions until you discover one before the encryption occurred. Select it, then choose “Restore this version”. It’s important to note that depending on the strain of ransomware, prior versions may either be unavailable or corrupt as well.

To recover other files, such as Word, Excel, or PowerPoint files, go to Google Drive in your browser, select a file, choose More actions (the icon with the vertical dots), then “Manage versions”. Choose an earlier version of the file.

Repeat the above process for all of your files on Google Drive. This process could take hours, days, weeks, or months.

Recover with Google Takeout files

If you use Google Takeout to export and save your files, you may be able to recover your unencrypted files. After the ransomware is removed, delete the encrypted files, then reupload the file you saved with Google Takeout. The Takeout process converts your files into different formats. When you export native Google Docs, Sheets, or Slides with Takeout, Google saves them as Word, Excel or PowerPoint. Or in similar OpenDocument formats. Then, if you choose, you can convert them back to native Google formats when you upload. Either way, your file ownership, sharing settings, and revision history will all be gone. And your files will have changed formats– twice.

Worse, Google Takeout is a manual process. If your administrator allows Takeout at all (some don’t), you would have to export your files and save them somewhere offline before you get ransomware. If Takeout isn’t run before the attack, then the Google Takeout run afterward will also be corrupt.

In addition to being a manual process, Google Takeout also has to be tackled on a user by user basis. So, if an organization has 500 users, and ransomware has spread across their files, the admin would have to run 500 Google Takeouts to retrieve the local copy. This creates a mass of local zip files, and finding the local copy would be like finding a needle in a haystack. Depending on the number of users, and sheer volume of data per user, time spent restoring and searching for the local copy can take hours, days, or weeks.

Admin recovery? Google Vault? Neither of these will help. A G Suite Administrator can restore files and email deleted in the past 25 days. But Ransomware encrypts your files first, and often deletes them later. Restoring an encrypted file still leaves your data unusable. And Google Vault won’t help either. It’s a legal discovery tool, not a backup of all of your organization’s files. An Administrator can search your encrypted files with Vault, but that won’t restore your data.

To learn more about ransomware and G Suite for businesses, check out our new eBook: Ransomware and G Suite Business: What You Need To Know. This eBook is packed with tips to help businesses build their defenses against ransomware and keep G Suite data secure. Check it out today!