Recover from a Ransomware Attack in Microsoft 365
By Amanda Oles
Ransomware attacks are on the rise. According to a recent report from cybersecurity software company Group-IB, the number of attacks increased by 150% in 2020.
The average cost of ransomware attacks is increasing as well. Group-IB found that the average extortion amount doubled over the last year. While the average ransom demand was $170,000 in 2019, last year, demands averaged between $1 million and $2 million.
Despite the precautions companies are taking to guard themselves against ransomware attacks, the likelihood of falling victim to such an attack is growing. Ransomware attacks are becoming increasingly sophisticated while Ransomware as a Service (RaaS) is becoming more prevalent as attackers turn to already-developed ransomware tools to execute attacks.
Today, it’s less a matter of if you will be hit by a ransomware attack than when. The casualties of such attacks often include your company’s Microsoft 365 data. These attacks can cause companies to lose access to valuable Microsoft 365 files, and even after a ransom is paid, there’s no guarantee that access will be restored.
Let’s look at the best way to recover from a ransomware attack, including how to recover data from native recovery tools and Backupify’s Microsoft 365 backup solution.
Step 1: Disable Exchange ActiveSync and OneDrive sync
The first step in responding to a ransomware attack is to disable sync services to prevent the attack from spreading further. Since Exchange ActiveSync synchronizes data between devices and Exchange Online mailboxes, it’s necessary to disable Exchange ActiveSync for users in Exchange Online. You should also disable OneDrive Sync to prevent the system from syncing any ransomware-encrypted files to OneDrive and other cloud services.
Once all affected computers and devices have been cleaned and your data has been recovered, sync services should be re-enabled.
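The following is an added example, not part of the original article or Microsoft's documentation: a PowerShell script for the Exchange ActiveSync half of Step 1 that disables ActiveSync for affected mailboxes and saves each mailbox's prior setting so it can be restored once cleanup is done. It assumes the ExchangeOnlineManagement module and Exchange admin rights; the user addresses and the state file path are constructed placeholders, and OneDrive sync is not covered.

```powershell
# Added example: disable Exchange ActiveSync for affected mailboxes and
# record the previous setting so it can be restored after cleanup.
# Assumptions: ExchangeOnlineManagement module installed, Exchange admin
# rights; the addresses and CSV path below are constructed placeholders.
param(
    [string[]]$AffectedUsers = @('user1@example.com', 'user2@example.com'),
    [string]$StateFile = '.\activesync-state.csv',
    [switch]$Restore   # run with -Restore after devices are cleaned
)

Import-Module ExchangeOnlineManagement -ErrorAction Stop
Connect-ExchangeOnline -ShowBanner:$false

if (-not $Restore) {
    # Never overwrite saved state: a second run would record "False" for
    # everyone and lose the information needed to re-enable correctly.
    if (Test-Path $StateFile) { throw "$StateFile exists; refusing to overwrite." }

    $state = foreach ($user in $AffectedUsers) {
        try {
            $cas = Get-CASMailbox -Identity $user -ErrorAction Stop
            Set-CASMailbox -Identity $user -ActiveSyncEnabled $false -ErrorAction Stop
            # Emitted only if both calls succeeded.
            [pscustomobject]@{
                Identity          = $user
                ActiveSyncEnabled = $cas.ActiveSyncEnabled
            }
        } catch {
            Write-Warning "Skipped ${user}: $_"
        }
    }
    $state | Export-Csv -Path $StateFile -NoTypeInformation
}
else {
    # Re-enable only mailboxes that had ActiveSync on before the incident.
    Import-Csv -Path $StateFile |
        Where-Object { $_.ActiveSyncEnabled -eq 'True' } |
        ForEach-Object {
            Set-CASMailbox -Identity $_.Identity -ActiveSyncEnabled $true
        }
}

Disconnect-ExchangeOnline -Confirm:$false
```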
Step 2: Remove malware from affected devices
To ensure the ransomware payload is removed from all computers and devices, it’s important to run a full antivirus scan. This should include any devices that are synchronizing data or that are the targets of mapped network drives.
To remove the malicious software, Microsoft recommends using Windows Defender, Microsoft Security Essentials, or the Malicious Software Removal Tool (MSRT). If problems persist, users can also try Windows Defender Offline or follow the guidance in “Troubleshoot problems with detecting and removing malware.”
Step 3: Recover files on a cleaned computer or device
Users can attempt on-device recovery to restore files to the computer once it has been cleaned. To recover local files and folders, use the File History function in Windows 10 and Windows 8.1 or System Protection in Windows 7.
However, some ransomware is capable of deleting the backup versions of local files. In the event that you are unable to use File History or System Protection to restore files, you can turn to OneDrive for Business.
Step 4: Recover files from OneDrive for Business
Microsoft 365 users may be able to revert to an earlier version of a ransomware-encrypted file by using OneDrive for Business, which saves file version histories. Users can view earlier versions of files and restore files to versions that have not been affected by ransomware.
However, version history limits mean users won’t be able to recover all of their lost data. The Files Restore function in OneDrive for Business only allows you to restore your entire OneDrive to a previous point in time within the last 30 days. That’s why it’s essential to have an independent Microsoft 365 backup.